Cyber-Physical Systems Security
Alvaro A. Cárdenas
Department of Computer Science
University of Texas at Dallas
Modernization of our Physical Infrastructures
Intelligent Transportation Systems
Smart Buildings
SCADA
Smart Grid
HVAC
Operations Center.
Standards: Wireless HART (IEC), ISA SP 100.11a, IETF 6LoWPAN, ROLL, CoRE, Eman, LWIP, IRTF IoT, W3C EIX, IEEE 802.15.4 (g), 802.15.5, etc.
Smart Infrastructures
Physical Systems are Being Modernized with New Technologies
Typical Example: Smart Grid
Bulk Generation
Renewable
Non Renewable
Transmission Distribution
Renewable Energy Integration
Large Capacity Batteries
Customers
Smart Meter
Smart Meter
Renewable Energy
Energy Management Systems
Plug-in Vehicles
Smart Appliances
Batteries
First Success Story of Sensor Networks
• SCADA systems:
  – Improve monitoring
  – Situational awareness
• Cost-effective solution
Devices are becoming smarter,
Cyber-Physical Systems
• By embedding instrumentation in buildings, vehicles, factories, power grid, we are creating Cyber-Physical Systems (CPS):
  – Smart sensing + actuation
  – CPS systems are IT systems that interact with the physical world
[Figure labels: Physical System, Sensors, Data Processing, State Estimation, Control, Actuators, RTUs]
Cyber-physical systems
• Control
• Computation
• Communication
• Interdisciplinary Research!
Why is Security Important Now? New Vulnerabilities & Threats
• Controllers are computers (from Relays to MCUs)
  – Can be programmed to do anything!
• Networked
  – Sensors and actuators can be accessed remotely
• Commodity IT solutions
  – Well known generic vulnerabilities are widely available
  – Some technologies are even insecure by design!
• New functionalities
  – New vulnerabilities (e.g. privacy problems with fine-grained monitoring)
• More devices (IoT)
  – Easier to find a vulnerable device
• Highly skilled IT global workforce
  – Creating exploits (and using them) is now easier than ever!
Vulnerabilities can be Exploited
2011 HVAC
2000 Maroochy Shire sewage control system.
2012 Smart Meters
A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report.
Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”
Stuxnet
• First PLC trojan
• Stolen certificates
• False commands to centrifuges
• False commands to supervisory network
• Uranium enrichment in Natanz plant in Iran
[Figure: Infection Mechanism]
[Figure: two panels plotted against Time (sec). Top panel: Water level (m), with curves "Real water level" and "Sensor measure". Bottom panel: Residuals, annotated with "Attack" and two "Alarm" markers.]
Intrusion Detection for IoT
Example 2: IDS for SCADA systems
My Research: Intrusion Detection Systems (IDS) in IoT by monitoring the “physics” of cyber-physical systems
Example 1: Visual Challenges verify that video feed hasn’t been modified
[Figure labels: Verifier, visual challenge, video feed, steps numbered 1 to 4]
If image captured by camera does not show our challenge we detect an attack
[Figure labels: Remote IO (RIO), primary and secondary PLC, L0 Network, Sensors, Actuators, Attacker]
Second Place: ACM student research competition GHC 2015
Example 3: IDS for AMI
Deployment in two water treatment facilities
Best Paper Award IEEE Smart Grid Communications Conference 2014
[Figure labels: Substation, Meters, Collector]
Network Intrusion Detection
Deep-Packet Inspection for Industrial Control Protocols
Scapy parser for Modbus
Large Variety of Industrial Control Protocols - Few Parsers, Semantic Info, Closed
• Modbus/TCP
• EtherNet/IP
• Profinet
• DNP3
• EtherCAT
• S7
• BACnet
• WirelessHART
• ISA 100
[Figure labels: L1 Network, HMI, Switch, SCADA, Historian, PLC1a/PLC1b, PLC2a/PLC2b, ..., PLCna/PLCnb, Process 1, Process 2, ..., Process n, Remote IO (RIO), L0 Network, Sensors, Actuators]
We Need to Monitor Field Networks
[Figure labels: Supervisory Control Network (HMI, Switch, SCADA, Historian), Field Comms. Network, PLC1 Raw Water, PLC2 Pre-treatment, PLC3 Ultra Filtration, inFlow sensor, Valve, Level Sensor, Pump, pH Sensor, HCl pump]
It is easier to deploy monitors in the Supervisory Network:
- highly structured info (easier to understand)
- mirror ports
BUT a compromised PLC can send malicious data to the field and report that everything is normal to the supervisory network.
Developing Monitors at the Field Level (SWaT Testbed in SUTD)
[Figure labels: L1 Network, HMI, Switch, SCADA, Historian, PLC1a/PLC1b, PLC2a/PLC2b, ..., PLCna/PLCnb, Process 1, Process 2, ..., Process n, Remote IO (RIO), L0 Network, Sensors, Actuators]
D. Urbina, J. Giraldo, N. Tippenhauer, and A. Cardenas. Attacking Fieldbus Communications in ICS: Applications to the SWaT Testbed. Proceedings of Singapore Cyber Security Conference (SG-CRC), 2016.
We Need to Monitor the Physics of The System
• Protocol specification/patterns correct but false info
• Physical systems follow immutable laws of nature
  • Fluid dynamics (water systems) or Electrodynamics (power grid) used to create time-series models
• These models can be used to check
  • If control commands were executed correctly
  • Sensor values are consistent with expected behavior
LDS Model for Raw Water Tank
$$\frac{dV_i}{dt} = A_i \frac{dh_i}{dt} = Q_{i,\text{in}} - Q_{i,\text{out}}$$

$$h_{k+1} = h_k + \frac{Q_{i,k} - Q_{o,k}}{A}$$
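An added example (not from the original slides) of the physics-based check: the discrete tank model predicts the next level from the current reading, and the residual between prediction and sensor measurement drives the alarm. The tank area, flows, noise, thresholds and traces are constructed assumptions, and the CUSUM statistic goes beyond what the slides show.

```python
# Added example: residual detector for h[k+1] = h[k] + (Q_in[k] - Q_out[k]) / A.
# Every numeric value below is constructed for illustration.
AREA = 2.0                  # tank cross-section A (m^2), assumed
Q_IN, Q_OUT = 0.02, 0.01    # inflow / outflow volume per sample (m^3), assumed
THRESHOLD = 0.05            # stateless alarm threshold on the residual (m), assumed
CUSUM_BIAS, CUSUM_LIMIT = 0.006, 0.05   # CUSUM slack and alarm limit (m), assumed


def residuals(readings, q_in=Q_IN, q_out=Q_OUT, area=AREA):
    """One-step-ahead residuals |y[k+1] - (y[k] + (q_in - q_out) / area)|."""
    delta = (q_in - q_out) / area
    return [abs(nxt - (cur + delta)) for cur, nxt in zip(readings, readings[1:])]


def threshold_alarms(res, threshold=THRESHOLD):
    """Sample indices whose residual alone exceeds the threshold."""
    return [k + 1 for k, r in enumerate(res) if r > threshold]


def cusum_alarms(res, bias=CUSUM_BIAS, limit=CUSUM_LIMIT):
    """Accumulate residual excess over `bias`; alarm and reset above `limit`."""
    alarms, s = [], 0.0
    for k, r in enumerate(res):
        s = max(0.0, s + r - bias)
        if s > limit:
            alarms.append(k + 1)
            s = 0.0
    return alarms


def simulate(n, offset):
    """Constructed sensor trace: true level, +/-2 mm noise, plus offset(k)."""
    delta = (Q_IN - Q_OUT) / AREA
    return [0.5 + k * delta + (0.002 if k % 2 else -0.002) + offset(k)
            for k in range(n)]


clean = simulate(40, lambda k: 0.0)
step_bias = simulate(40, lambda k: 0.2 if 10 <= k < 20 else 0.0)  # sudden false reading
slow_drift = simulate(40, lambda k: 0.01 * max(0, k - 10))        # gradual deviation

if __name__ == "__main__":
    for name, trace in (("clean", clean), ("step", step_bias), ("drift", slow_drift)):
        res = residuals(trace)
        print(name, threshold_alarms(res), cusum_alarms(res))
```

The step bias raises the stateless alarm twice, when the false reading starts and when it is removed, while the gradual deviation stays under the per-sample threshold and is only caught by the accumulated statistic.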
Implementing the Attack and the Defense
[Figure labels: Remote IO (RIO), primary and secondary PLC, L0 Network, Sensors, Actuators, Attacker, Detection; signals $u_i^{nom}(k)$, $u_i^{a}(k)$, $h_i^{a}(k)$, $h_i(k)$]
Problem: We Can Always Create Attacks That Are Detected
Undetected Attacks to Water Testbed