A Behavior-based Approach to Secure and Resilient Industrial Control Systems
Download as PPTX, PDF0 likes1,394 views
The document discusses a behavior-based approach to securing industrial control systems (ICS) through the development of a programmable specification with built-in security properties. It emphasizes the importance of continuous monitoring and resilience against cyber-attacks, particularly focusing on issues like false data injection attacks. The approach is supported by a working prototype and aims to provide frameworks for vulnerability analysis and overall ICS security.
![FDI Vulnerability – SMT Problem
• Assumption
- Process P(x)
- There is a monitor mon(x,y) [x= process variables, y= measurements]
• Write satisfiability expression for process
- FDI(y)= There_exists x : pass_monitor(x,y) AND NOT correct_reading(x,y)
- Solve for satisfiability of FDI(y)
o IF FDI(y) is satisfiable with injected values, THEN there exists attack
• Available tool today: dReal](https://image.slidesharecdn.com/ukserpanos-secureicsnovideo-170316142118/85/A-Behavior-based-Approach-to-Secure-and-Resilient-Industrial-Control-Systems-19-320.jpg)
A Behavior-based Approach to Secure and Resilient Industrial Control Systems
- 1. A Behavior-based Approach to Secure and Resilient Industrial Control Systems Dimitrios Serpanos Industrial Systems Institute/RC ATHENA, Director University of Patras, Professor Patras, Greece Alpen-Adria University Klagenfurt, March 9, 2017
- 2. ICS are Cyber-Physical Systems • Inter-disciplinary emerging area • Computation + Physics • Algorithms + Logic + Control + …
- 3. IT vs. OT Information Technology Operational Technology Purpose Process transactions, provide information Control or monitor physical processes and equipment Architecture Enterprise wide infrastructure and applications (generic) Event driven, real time, embedded hardware and software (custom) Interfaces GUI, web browser, terminal and keyboard Electromechanical, sensors, actuators, coded displays, hand-held devices Ownership CIO and IT Engineers, technicians, operators and managers Connectivity Corporate network, IP based Control networks, hardwired twisted pair and IP based Role Supports people Controls machines
- 5. ICS Control Loop Attack
- 6. System View - Requirements • Hierarchical structure • Heterogeneous technologies • Autonomy • Continuous operation/fail-safe • Dependability • Dependence on large number of input devices • Large installation base (legacy systems) • Increasing connectivity
- 7. Attacks on ICS • Resilience • Continuous operation under attack • Attack mitigation • Fast recovery after attack • System evolution without disruption Attacks
- 8. There have been several incidents…
- 9. Strategy and approach • Build it right and continuously monitor - US Federal Government Strategy • Our approach - Programmable (executable) specification with security properties o Secure by design - Middleware monitoring process (app) execution o ARMET compares app and specification execution - Specification includes defense against identified process vulnerabilities o Novel vulnerability analysis against false data injection attacks
- 10. Method • Define executable process specification • Augment with all necessary invariants • Refine to a single behavioral spec (program) • Include implementation and specification to middleware (ARMET) • Compare predictions (spec) and observations (implementation) • Identify inconsistencies – diagnose - recover Build it right Continuously monitor
- 11. Program derivation by stepwise refinement Specification (set of acceptable behaviors) Refinement step (resolves some implementation questions) Single program Proof (⊇) Proof (⊇) Proof (⊇) Proof (⊇) Proofs constructed & checked with Coq, a general-purpose logic platform
- 12. Example: Water tank control (spec)
- 13. Example: Water tank control (code)
- 15. ARMET: middleware for secure and resilient ICS • Self-aware system - Self-awareness through dependency-directed reasoning • System is allowed to only behave legally - Continuous monitoring of prediction/observation consistency - IF inconsistency, THEN diagnosis - Recovery (safe state from alternate, reliable source) • Detection of unknown attacks - Inconsistency between predictions and observations • System adaptability to evolutionary constraints - ICS-CERT standards, security and privacy policies, etc. - Specify policies as legal behavior & monitor behavioral consistency
- 17. False Data Injection Attack • FDI attack - Feed fake measurement data to the system - Avoid being detected as bad data - Mislead the controllers - The attacks can be local (each control unit) or global (the whole control network) • FDI defense: develop a defense system using techniques for data estimation based on formalizing - plant, sensors, channels, control software and actuators - attack, defense and detection
- 18. ICS Control Loop
- 19. FDI Vulnerability – SMT Problem • Assumption - Process P(x) - There is a monitor mon(x,y) [x= process variables, y= measurements] • Write satisfiability expression for process - FDI(y)= There_exists x : pass_monitor(x,y) AND NOT correct_reading(x,y) - Solve for satisfiability of FDI(y) o IF FDI(y) is satisfiable with injected values, THEN there exists attack • Available tool today: dReal
- 20. Example: FDI Attack for State Estimation
- 22. Conclusions • ICS security is extremely challenging • We are developing a general framework for CPS security that generalizes both formal program analysis and fault detection methods • We have a working prototype - We are developing increasingly advanced ICS models • We have a promising vulnerability analysis technique - We have shown vulnerability in realistic nonlinear power grid models • Behavior-based ICS protection and analysis is promising
- 23. Team • Howard Shrobe (MIT) • Armando Solar-Lezama (MIT) • Adam Chlipala (MIT) • Sicun Gao (MIT) • Muhammad Taimoor Khan (Alpen-Adria University Klagenfurt) • Sana Al Farsi (QCRI) • Aref Al Tamimi (QCRI) • Mohammed Al Obaidi (QCRI) • Anastasios Fragopoulos (QCRI)
- 24. THANK YOU !