A Behavior-based Approach to Secure and Resilient Industrial Control Systems
Dimitrios Serpanos
Industrial Systems Institute/RC ATHENA, Director; University of Patras, Professor
Patras, Greece
Alpen-Adria University Klagenfurt, March 9, 2017
ICS are Cyber-Physical Systems
•Inter-disciplinary emerging area
•Computation + Physics
•Algorithms + Logic + Control + …
IT vs. OT
Aspect | Information Technology | Operational Technology
Purpose | Process transactions, provide information | Control or monitor physical processes and equipment
Architecture | Enterprise-wide infrastructure and applications (generic) | Event-driven, real-time, embedded hardware and software (custom)
Interfaces | GUI, web browser, terminal and keyboard | Electromechanical, sensors, actuators, coded displays, hand-held devices
Ownership | CIO and IT | Engineers, technicians, operators and managers
Connectivity | Corporate network, IP based | Control networks, hardwired twisted pair and IP based
Role | Supports people | Controls machines
ICS Control Loop
ICS Control Loop Attack
System View - Requirements
•Hierarchical structure
•Heterogeneous technologies
•Autonomy
•Continuous operation/fail-safe
•Dependability
•Dependence on large number of input devices
•Large installation base (legacy systems)
•Increasing connectivity
Attacks on ICS
•Resilience
•Continuous operation under attack
•Attack mitigation
•Fast recovery after attack
•System evolution without disruption
Attacks
There have been several incidents…
Strategy and approach
•Build it right and continuously monitor
- US Federal Government strategy
•Our approach
- Programmable (executable) specification with security properties
  o Secure by design
- Middleware monitoring process (app) execution
  o ARMET compares app and specification execution
- Specification includes defense against identified process vulnerabilities
  o Novel vulnerability analysis against false data injection attacks
Method
•Define executable process specification
•Augment with all necessary invariants
•Refine to a single behavioral spec (program)
•Include implementation and specification to middleware (ARMET)
•Compare predictions (spec) and observations (implementation)
•Identify inconsistencies, diagnose, recover
Build it right
Continuously monitor
Program derivation by stepwise refinement
[Figure: the specification (set of acceptable behaviors) is narrowed by successive refinement steps, each resolving some implementation questions, down to a single program; every step carries a proof (⊇) that the refined set of behaviors is contained in the previous one]
Proofs constructed & checked with Coq, a general-purpose logic platform
Example: Water tank control (spec)
Example: Water tank control (code)
ARMET: Organization
ARMET: middleware for secure and resilient ICS
•Self-aware system
- Self-awareness through dependency-directed reasoning
•System is allowed to only behave legally
- Continuous monitoring of prediction/observation consistency
- IF inconsistency, THEN diagnosis
- Recovery (safe state from alternate, reliable source)
•Detection of unknown attacks
- Inconsistency between predictions and observations
•System adaptability to evolutionary constraints
- ICS-CERT standards, security and privacy policies, etc.
- Specify policies as legal behavior & monitor behavioral consistency
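The prediction/observation loop above, as an added toy example (not ARMET's code): a water-tank spec predicts each step, the observed trace is checked against it plus an invariant, and an inconsistency triggers diagnosis and recovery from an alternate sensor. Tank capacity, tolerance, flows and the trace are constructed assumptions.

```python
"""ARMET-style behavioural monitor for a water tank (added example, not the
project's middleware): the executable spec predicts each step, the observed
trace is checked against it, and an inconsistency triggers diagnosis and
recovery of the state from an alternate, trusted source."""
from dataclasses import dataclass

DT = 1.0            # control period in seconds (assumed)
CAPACITY = 100.0    # tank capacity in cm (assumed)
TOL = 0.5           # accepted prediction/observation mismatch in cm (assumed)

@dataclass
class Sample:
    level: float         # level reported by the primary sensor
    inflow: float        # commanded inflow, cm per second
    outflow: float       # commanded outflow, cm per second
    pump_on: bool
    backup_level: float  # independent, trusted sensor (assumed to exist)

def spec_step(level, inflow, outflow):
    """Executable specification: mass balance over one control period."""
    return max(0.0, min(CAPACITY, level + (inflow - outflow) * DT))

def invariant(level, pump_on):
    """Spec invariant added by refinement: never pump into a nearly full tank."""
    return 0.0 <= level <= CAPACITY and not (pump_on and level >= 0.9 * CAPACITY)

def monitor(trace):
    """Run spec and implementation side by side; one verdict per step."""
    verdicts = []
    state = trace[0].level                      # trusted initial state
    for step in range(1, len(trace)):
        prev, cur = trace[step - 1], trace[step]
        predicted = spec_step(state, prev.inflow, prev.outflow)
        if abs(predicted - cur.level) > TOL:
            diagnosis = "observation deviates from prediction"
        elif not invariant(cur.level, cur.pump_on):
            diagnosis = "invariant violated"
        else:
            diagnosis = None
        if diagnosis is None:
            state = cur.level
            verdicts.append((step, "consistent", state))
        else:
            state = cur.backup_level            # recover from reliable source
            verdicts.append((step, "inconsistent: " + diagnosis, state))
    return verdicts

# Constructed trace: steady +3 cm/s fill, one spoofed primary reading at step 4.
TRACE = [Sample(40.0, 5.0, 2.0, True, 40.0), Sample(43.0, 5.0, 2.0, True, 43.0),
         Sample(46.0, 5.0, 2.0, True, 46.0), Sample(49.0, 5.0, 2.0, True, 49.0),
         Sample(60.0, 5.0, 2.0, True, 52.0), Sample(55.0, 5.0, 2.0, True, 55.0)]
```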
Example: Water-tank attack
False Data Injection Attack
• FDI attack
- Feed fake measurement data to the system
- Avoid being detected as bad data
- Mislead the controllers
- The attacks can be local (each control unit) or global (the whole control network)
• FDI defense: develop a defense system using techniques for data estimation based on formalizing
- plant, sensors, channels, control software and actuators
- attack, defense and detection
ICS Control Loop
FDI Vulnerability – SMT Problem
•Assumption
- Process P(x)
- There is a monitor mon(x,y) [x = process variables, y = measurements]
•Write satisfiability expression for process
- FDI(y) = There_exists x : pass_monitor(x,y) AND NOT correct_reading(x,y)
- Solve for satisfiability of FDI(y)
  o IF FDI(y) is satisfiable with injected values, THEN there exists attack
•Available tool today: dReal
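The satisfiability formulation above carried out on a toy tank monitor, as an added example (not the talk's tool): a brute-force search over a small integer grid stands in for dReal, and the result is compared for a range/rate monitor and a model-based monitor to show how the refined invariant shrinks the undetected error. Capacity, rate bound and flows are constructed assumptions.

```python
"""FDI vulnerability as a satisfiability problem for a toy tank monitor.
Added example, not the talk's tool: exhaustive search over a small integer
grid stands in for the dReal solver named in the slides."""
from itertools import product

CAPACITY = 100          # tank capacity in cm (assumed)
MAX_RATE = 5            # physical bound on level change per period (assumed)
INFLOW, OUTFLOW = 5, 2  # commanded flows in the analysed period (assumed)

def process(x_prev):
    """P(x): true level after one control period, clipped to the tank."""
    return max(0, min(CAPACITY, x_prev + INFLOW - OUTFLOW))

def range_rate_monitor(x_prev, y):
    """mon(x,y): accepts any in-range reading that moved at most MAX_RATE."""
    return 0 <= y <= CAPACITY and abs(y - x_prev) <= MAX_RATE

def model_monitor(x_prev, y, tol=1):
    """Refined monitor: reading must match the spec's prediction within tol."""
    return 0 <= y <= CAPACITY and abs(y - process(x_prev)) <= tol

def correct_reading(x, y):
    return x == y

def fdi_witnesses(monitor):
    """Solve FDI(y) = exists x : pass_monitor(x,y) AND NOT correct_reading(x,y).
    Returns (x_prev, x, y) triples: readings the monitor accepts although they
    disagree with the true process state. An empty list means UNSAT."""
    witnesses = []
    for x_prev, y in product(range(CAPACITY + 1), repeat=2):
        x = process(x_prev)
        if monitor(x_prev, y) and not correct_reading(x, y):
            witnesses.append((x_prev, x, y))
    return witnesses

def max_undetected_error(monitor):
    """Largest |y - x| an accepted-but-wrong reading can reach; 0 means UNSAT."""
    return max((abs(y - x) for _, x, y in fdi_witnesses(monitor)), default=0)

if __name__ == "__main__":
    for name, mon in (("range+rate", range_rate_monitor),
                      ("model-based", model_monitor)):
        n = len(fdi_witnesses(mon))
        print(f"{name}: {'SAT' if n else 'UNSAT'}, {n} witnesses, "
              f"max undetected error {max_undetected_error(mon)} cm")
```

A real analysis replaces the integer grid with the nonlinear plant model and hands the formula to dReal; the shape of the query is the same.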
Example: FDI Attack for State Estimation
Analysis of benchmarks
Conclusions
•ICS security is extremely challenging
•We are developing a general framework for CPS security that generalizes both formal program analysis and fault detection methods
•We have a working prototype
- We are developing increasingly advanced ICS models
•We have a promising vulnerability analysis technique
- We have shown vulnerability in realistic nonlinear power grid models
•Behavior-based ICS protection and analysis is promising
Team
•Howard Shrobe (MIT)
•Armando Solar-Lezama (MIT)
•Adam Chlipala (MIT)
•Sicun Gao (MIT)
•Muhammad Taimoor Khan (Alpen-Adria University Klagenfurt)
•Sana Al Farsi (QCRI)
•Aref Al Tamimi (QCRI)
•Mohammed Al Obaidi (QCRI)
•Anastasios Fragopoulos (QCRI)
THANK YOU !