A Behavior-based Approach to Secure and Resilient Industrial Control Systems


Transcript of A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Page 1: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Dimitrios Serpanos

Industrial Systems Institute/RC ATHENA, Director

University of Patras, Professor

Patras, Greece

Alpen-Adria University Klagenfurt, March 9, 2017

Page 2: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ICS are Cyber-Physical Systems

•Inter-disciplinary emerging area

•Computation + Physics

•Algorithms + Logic + Control + …

Page 3: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

IT vs. OT (Information Technology vs. Operational Technology)

Purpose
  IT: Process transactions, provide information
  OT: Control or monitor physical processes and equipment

Architecture
  IT: Enterprise-wide infrastructure and applications (generic)
  OT: Event-driven, real-time, embedded hardware and software (custom)

Interfaces
  IT: GUI, web browser, terminal and keyboard
  OT: Electromechanical, sensors, actuators, coded displays, hand-held devices

Ownership
  IT: CIO and IT
  OT: Engineers, technicians, operators and managers

Connectivity
  IT: Corporate network, IP based
  OT: Control networks, hardwired twisted pair and IP based

Role
  IT: Supports people
  OT: Controls machines

Page 4: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ICS Control Loop

Page 5: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ICS Control Loop Attack

Page 6: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

System View - Requirements

•Hierarchical structure

•Heterogeneous technologies

•Autonomy

•Continuous operation/fail-safe

•Dependability

•Dependence on large number of input devices

•Large installation base (legacy systems)

•Increasing connectivity

Page 7: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Attacks on ICS

•Resilience

•Continuous operation under attack

•Attack mitigation

•Fast recovery after attack

•System evolution without disruption

Attacks

Page 8: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

There have been several incidents…

Page 9: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Strategy and approach

•Build it right and continuously monitor

- US Federal Government Strategy

•Our approach

- Programmable (executable) specification with security properties

  o Secure by design

- Middleware monitoring process (app) execution

  o ARMET compares app and specification execution

- Specification includes defense against identified process vulnerabilities

  o Novel vulnerability analysis against false data injection attacks

Page 10: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Method

•Define executable process specification

•Augment with all necessary invariants

•Refine to a single behavioral spec (program)

•Include implementation and specification to middleware (ARMET)

•Compare predictions (spec) and observations (implementation)

•Identify inconsistencies - diagnose - recover

Build it right

Continuously monitor

Page 11: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Program derivation by stepwise refinement

Specification (set of acceptable behaviors)

Refinement step (resolves some implementation questions)

Single program

Proof (⊇) at each refinement step: the behaviors of each refined stage are contained in those of the stage above it, down to the single program

Proofs constructed & checked with Coq, a general-purpose logic platform

Page 12: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Example: Water tank control (spec)

Page 13: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Example: Water tank control (code)

Page 14: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ARMET: Organization

Page 15: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ARMET: middleware for secure and resilient ICS

•Self-aware system

- Self-awareness through dependency-directed reasoning

•System is allowed to only behave legally

- Continuous monitoring of prediction/observation consistency

- IF inconsistency, THEN diagnosis

- Recovery (safe state from alternate, reliable source)

•Detection of unknown attacks

- Inconsistency between predictions and observations

•System adaptability to evolutionary constraints

- ICS-CERT standards, security and privacy policies, etc.

- Specify policies as legal behavior & monitor behavioral consistency
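An added example of the monitoring loop described on the "Method" and "ARMET: middleware" slides, written for this page and not taken from the slides or from the ARMET prototype. It uses the water-tank setting the deck mentions: an executable specification predicts the next tank level from the last trusted level and the pump command, the monitor compares prediction with observation and checks the controller's invariants, and on an inconsistency it recovers the state from an independent source and enters a safe mode. The tank model, its constants, the `run_monitor` function, the `alternate_source` callback and the traces are all constructed assumptions.

```python
"""Added example (not from the slides): a toy ARMET-style run-time monitor for a
water tank. The executable specification predicts the next tank level from the
previous trusted level and the pump command; the monitor compares prediction
with observation, checks the controller's invariants, and on inconsistency
recovers the state from an independent source and enters a safe mode.
Model, constants and trace data are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class TankSpec:
    """Executable specification: a linear fill/drain model plus invariants."""
    capacity: float = 100.0
    inflow_rate: float = 5.0     # level gained per step while the pump runs
    outflow_rate: float = 2.0    # level lost per step through the drain
    high_mark: float = 80.0      # invariant: pump must be off at/above this
    low_mark: float = 20.0       # invariant: pump must be on at/below this

    def predict(self, level, pump_on):
        """Spec prediction of the next level (clamped to the tank)."""
        nxt = level + (self.inflow_rate if pump_on else 0.0) - self.outflow_rate
        return min(max(nxt, 0.0), self.capacity)

    def required_command(self, level):
        """Pump command the invariants force at this level; None if either is legal."""
        if level >= self.high_mark:
            return False
        if level <= self.low_mark:
            return True
        return None


def run_monitor(spec, trace, alternate_source, tolerance=0.5):
    """trace: list of (observed_level, pump_on) per control step.
    alternate_source(step): level from an independent, trusted sensor used for recovery.
    Returns (verdicts, safe_mode): one verdict string per step and whether recovery fired."""
    verdicts = []
    safe_mode = False
    trusted_level = trace[0][0]      # initial state assumed known and correct
    prev_pump = None
    for step, (observed, pump_on) in enumerate(trace):
        problems = []
        if step > 0:
            predicted = spec.predict(trusted_level, prev_pump)
            if abs(observed - predicted) > tolerance:
                # inconsistency: the observation cannot be explained by the spec
                problems.append("observation deviates from spec prediction")
                trusted_level = alternate_source(step)   # recover state elsewhere
                safe_mode = True
            else:
                trusted_level = observed
        # invariant check on the command issued at this step
        required = spec.required_command(trusted_level)
        if required is not None and pump_on != required:
            problems.append("controller command violates invariant")
            safe_mode = True
        verdicts.append("ok" if not problems else "; ".join(problems))
        prev_pump = pump_on
    return verdicts, safe_mode


# Constructed trace: normal filling, then one spoofed low reading at step 3.
TRACE_SPOOFED = [(50.0, True), (53.0, True), (56.0, True), (30.0, True), (62.0, True)]
# Constructed trace: the controller keeps pumping above the high mark.
TRACE_ROGUE_CONTROLLER = [(85.0, True), (88.0, True)]


def demo():
    spec = TankSpec()
    spoofed = run_monitor(spec, TRACE_SPOOFED, alternate_source=lambda step: 59.0)
    rogue = run_monitor(spec, TRACE_ROGUE_CONTROLLER, alternate_source=lambda step: 88.0)
    return spoofed, rogue


if __name__ == "__main__":
    for name, (verdicts, safe) in zip(("spoofed sensor", "rogue controller"), demo()):
        print(name, verdicts, "safe_mode=%s" % safe)
```

The two traces exercise the two kinds of inconsistency the slides distinguish: a measurement that the specification cannot explain (handled by diagnosis and recovery from the alternate source), and a command that is physically consistent but violates an invariant of the specification (caught only because the invariants were made part of the executable spec).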

Page 16: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Example: Water-tank attack

Page 17: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

False Data Injection Attack

• FDI attack

- Feed fake measurement data to the system

- Avoid being detected as bad data

- Mislead the controllers

- The attacks can be local (each control unit) or global (the whole control network)

• FDI defense: develop a defense system using techniques for data estimation based on formalizing

- plant, sensors, channels, control software and actuators

- attack, defense and detection

Page 18: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

ICS Control Loop

Page 19: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

FDI Vulnerability – SMT Problem

•Assumption

- Process P(x)

- There is a monitor mon(x,y) [x = process variables, y = measurements]

•Write satisfiability expression for process

- FDI(y) = There_exists x : pass_monitor(x,y) AND NOT correct_reading(x,y)

- Solve for satisfiability of FDI(y)

  o IF FDI(y) is satisfiable with injected values, THEN there exists attack

•Available tool today: dReal
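An added illustration of the satisfiability formulation on this slide, written for this page and not the authors' tooling. A bounded grid enumeration over (x, y) stands in for the SMT solver the slide names (dReal), which is what one would use for real-valued, nonlinear models. The toy setting, the two `pass_monitor_*` predicates, `correct_reading`, the thresholds and the grid step are constructed assumptions; the point shown is that a monitor which only checks ranges and agreement between redundant sensors leaves FDI(y) satisfiable, while a monitor that also compares readings against the specification's prediction of x makes it unsatisfiable within the modeled tolerance.

```python
"""Added example (not from the slides): checking FDI(y) = exists x :
pass_monitor(x, y) AND NOT correct_reading(x, y) for a toy process with one
variable x (tank level) and two redundant level sensors y = (y1, y2).
A grid enumeration stands in for dReal. All thresholds are constructed."""
import itertools

LEVEL_RANGE = (0.0, 100.0)   # physically possible tank levels
TAU = 2.0                    # allowed disagreement between the two sensors
EPS = 0.5                    # a reading within EPS of the true level is correct


def frange(lo, hi, step):
    """Inclusive float grid from lo to hi (exact for multiples of step)."""
    n = int(round((hi - lo) / step))
    return [lo + i * step for i in range(n + 1)]


def correct_reading(x, y):
    """Every sensor reports the true process variable within EPS."""
    return all(abs(yi - x) <= EPS for yi in y)


def pass_monitor_redundancy(x, y):
    """Monitor that checks range and sensor agreement only; it never uses x."""
    lo, hi = LEVEL_RANGE
    return all(lo <= yi <= hi for yi in y) and abs(y[0] - y[1]) <= TAU


def pass_monitor_with_prediction(x, y, slack=EPS):
    """Monitor that additionally compares each reading with the spec's
    prediction of x (assumed exact here; real predictions carry error)."""
    return pass_monitor_redundancy(x, y) and all(abs(yi - x) <= slack for yi in y)


def fdi_satisfiable(pass_monitor, grid_step=5.0):
    """Bounded search for a witness (x, y) of FDI(y); None means unsatisfiable
    on the grid. With an SMT solver the same predicates would be the formula."""
    lo, hi = LEVEL_RANGE
    grid = frange(lo, hi, grid_step)
    for x in grid:
        for y in itertools.product(grid, repeat=2):
            if pass_monitor(x, y) and not correct_reading(x, y):
                return (x, y)
    return None


if __name__ == "__main__":
    print("redundancy-only monitor:", fdi_satisfiable(pass_monitor_redundancy))
    print("prediction-aware monitor:", fdi_satisfiable(pass_monitor_with_prediction))
```

The redundancy-only monitor is vulnerable because its predicate does not mention x at all, so any consistent pair of readings passes regardless of the true level. With the prediction-aware monitor and `slack == EPS`, passing the monitor implies `correct_reading`, so the conjunction is unsatisfiable; in a real deployment the prediction has its own error, so `slack` must exceed `EPS` and the width `slack - EPS` is the residual window a dReal-based analysis would quantify.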

Page 20: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Example: FDI Attack for State Estimation

Page 21: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Analysis of benchmarks

Page 22: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Conclusions

•ICS security is extremely challenging

•We are developing a general framework for CPS security that generalizes both formal program analysis and fault detection methods

•We have a working prototype

- We are developing increasingly advanced ICS models

•We have a promising vulnerability analysis technique

- We have shown vulnerability in realistic nonlinear power grid models

•Behavior-based ICS protection and analysis is promising

Page 23: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

Team

•Howard Shrobe (MIT)

•Armando Solar-Lezama (MIT)

•Adam Chlipala (MIT)

•Sicun Gao (MIT)

•Muhammad Taimoor Khan (Alpen-Adria University Klagenfurt)

•Sana Al Farsi (QCRI)

•Aref Al Tamimi (QCRI)

•Mohammed Al Obaidi (QCRI)

•Anastasios Fragopoulos (QCRI)

Page 24: A Behavior-based Approach to Secure and Resilient Industrial Control Systems

THANK YOU !