Security and Protection of SCADA: A Bigdata Algorithmic Approach
RK Shyamasundar
Tata Institute of Fundamental Research, Mumbai, India
ACM SIN 2013, Aksaray, Turkey, Plenary Invited Talk

Agenda
• SCADA Overview
  – Attacks, Characteristics
• Learning from STUXNET
• Challenges of SCADA Security
• Existing Approaches
• Big Data Approach
  – Algorithmic Methodology
  – Scalability
• Conclusions

SCADA (Supervisory Control And Data Acquisition): Risks
• Control Systems
  – Now at higher risk of computer attacks because their vulnerabilities are increasingly exposed and available to an ever-growing set of motivated and highly skilled attackers
• Miscreants tailor their attacks with the aim of damaging the physical systems under control
• Essentially a Cyberwar

Some SCADA Attacks
• March 1997: Worcester Air Traffic Communications Attack
• January 2000: Maroochy Shire Sewage Spill
• 2000 and 1982: Gas Pipelines in Russia (and the former Soviet Union)
Leading to Cyber Wars

Cyber War
• Cyber warfare has been defined by government security expert Richard A. Clarke, in his book Cyber War (May 2010), as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption"
• All “big” nations are currently preparing for Cyber War
  – Cyber Defense Centers established in all these nations within their military structure & NATO
  – Cyber Defense Centre of Excellence in Estonia
  – Cyber Defense part of new NATO Strategy (Article 5 excluded)
  – Military and government networks are currently being hardened against attacks
  – All nations and, to an unbelievably large scale, China are training offensive cyber war personnel and are preparing for offensive and defensive cyber war
• Information Superiority: the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same (US Army Vision 2010)

Some Cyber Wars
• Titan Rain was the U.S. government's designation given to a series of coordinated attacks on American computer systems since 2003
• Estonia 2007: Cyberattacks on Estonia refers to a series of cyber attacks that began April 27, 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters
• Israel attack on Syria: During the night, an Israeli transport helicopter entered Syrian airspace and dropped a team of Shaldag Unit commandos into the area. The commandos took up positions close to the nuclear site. Israeli Air Force F-15I Ra'am fighter jets armed with laser-guided bombs, escorted by F-16I Sufa fighter jets and an ELINT aircraft, took off from Hatzerim Airbase. The ELINT aircraft successfully obscured the attacking aircraft from detection by Syrian radars.
Cyber Terrorism vs Cyber Crime vs Cyber war

STUXNET
• Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment
• It is the first discovered malware that spies on and subverts industrial systems
• Kaspersky Labs concluded that the sophisticated attack could only have been conducted "with nation-state support"
• Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm)

Stuxnet
• Astonished by the complexity of the program and the quantity of zero day exploits used in this worm.
  – Zero day exploits are those that have no workaround or patch.
• Another unique aspect of Stuxnet is that it contained components that were digitally signed with stolen certificates.
• A rootkit was found for the programmable logic controller (PLC) which allows the manipulation of sensitive equipment.
• Expected to have been created by a team of as many as 30 individuals. – STATE SUPPORT
• Indicates a level of organization and funding that probably has not been seen before
• What was Stuxnet designed to do?
  – While there is no direct evidence, the code suggests that Stuxnet looks for a setup that is used in processing facilities that handle uranium used in nuclear devices
  – Thus the ultimate goal is to sabotage that facility by reprogramming to controllers to operate

What should be the strategy to deal with these kinds of attacks?
• Should it go along the lines of IT security?
• How about Defense-in-depth mechanisms analogous to anomaly detection?
• What about false-alarms in anomaly detection?
• Should the focus be on Physical systems rather than software/network models?

Control Systems Security
• Control systems are not suitable for patching and frequent updates
• While current tools from Information security can give necessary mechanisms for securing control systems, these alone are not sufficient for defense-in-depth of control systems
• When attackers bypass even basic defenses they may succeed in damaging the physical world

Security Issues (1): IT Systems Vs Control Systems (SCADA)

| Security Feature | IT Systems | SCADA |
|---|---|---|
| Antivirus and Mobile Code | Very common; deployed and updated easily | By design not open for software updates. |
| Patch Management | Automated remote patch management possible. However, one needs care from malware perspective | Not designed for it. May impact performance and also security |
| Cyber Security Testing & Audit Methods | Standard methods like Metasploit framework can be used | Testing has to be tuned for an online system. May impact plant operation. |
| Change Management (CM) | Classical approach feasible | Strategic scheduling; non-trivial process; impact analysis is important |

Security Issues (2): IT Systems Vs Control Systems (SCADA)

| Security Feature | IT Systems | SCADA |
|---|---|---|
| Incidence Response & Forensics | Well established procedure | Difficult to capture as event logs pose problems due to constraints like memory etc. |
| Physical Security | Normally poor | Normally excellent |
| Secure System Development | Normal practice for security sensitive IT applications | Need of the hour for in-house and outsourced development |
| Security Compliance | Lifetime 2-3 years | Lifetime 5-20 years |

Consequences of an Attack
Risk Assessment
  – While studies exist on cyber security of SCADA, there are very few studies to identify attack strategy of an adversary once it gains access (existing studies pertain to data injection for power grids, electricity markets etc.)
  – Need to understand threat model to design appropriate defenses and take measures to secure the most critical sensors and actuators

New Attack Detection Patterns
• Dynamic system models for specifying Intrusion Detection Systems
  – Current studies pertain to false data injection attacks in control systems
• Replay and Stealth Attacks

Attack Resilient Algorithms and Architectures
• Design to withstand cyber assault
• Reconfigure and adapt control systems when under attack

Control Systems Security: Summary
• Understand the consequences of attacks
  – Do a thorough risk analysis
• Find Attack patterns
  – Design detections
• Design new attack-resilient algorithms and architectures
• Automatic response measures
Multi Disciplinary: Control Engineers + CS + Domain of Application …

Risk Management
• Process of shifting the odds in your favor by finding, among all possible alternatives, the one that minimizes the impact of uncertain events
• Process Control Systems usually will have a network of sensors
  – Examples of impact of attack on sensor network on the process control system
Vulnerabilities Due to Embedded IT Systems
• Need to keep in mind the economic constraints on the cost of SCADA (for instance, in smart grids it is important to keep the cost of the meters viable for the society).
• The knowledge of the underlying systems is almost freely available.
• As analyzing Big data has become manageable, privacy intrusions have become common, which in turn has led to several security problems.

SCADA Domain Vulnerabilities
• SCADA Design:
  – stability, safety of plant & env., + performance
  – Not designed for intruders/attackers
  – In the context of Internet, intruders can induce attacks that would not have been considered by the designer
  – Thus, the major challenge for SCADA security lies in arriving at methods of control of the plant that shall overcome such plausible attacks and maintain the stability and the trustworthiness of the system – thus, making the system robust.
Approaches for securing SCADA

Intrusion Detection
• Misuse detection
  – Based on signatures of known attacks
• Anomaly detection
  – Based on learning profiles of normal behaviour
  – Could detect unknown attacks but suffers from high false alarm rates
• Specification-based Detection
  – Manually developing specification of legitimate behaviour and hence has less false alarm rates
  – But ability to detect new attacks is also less.

Process Aware Intrusion

Mirage Theory for Deception-Based Detection
• Military Deception (MILDEC): those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions or inactions that will contribute to the accomplishment of the friendly mission.
• Relies on DISPLAYs: simulation, disguising, and/or portrayal of friendly objects, units, or capabilities that may not exist but are made to appear so.
• E.g. (physical means): dummy and decoy equipment and devices, tactical actions, movement of military forces, etc.
• E.g. (technical means): emission of chemical or biological odors, emission of radiation, reflection of energy, computers, etc.
• E.g. (administrative means): techniques to convey or deny physical evidence.

Mirage Theory Applications: Ideas
• Basis: leverage of the boundary between continuous and discrete spaces, leverage of how the presence of a continuous space is redirected on a corresponding discrete space, and simulation or emulation of physical processes and physical equipment.
• A computer network attack provides an adversary with access that may extend to a whole discrete space.
• Nevertheless, due to physical limits there are no feasible ways for an adversary to gain visibility over a continuous space through a computer network attack.
• In other words, a computer network attack won't enable an adversary to virtually move beyond the analog-to-digital and digital-to-analog conversion integrated circuits.
• Consequently an adversary cannot verify whether input electrical signals are indeed applied by existing sensing devices, nor can he/she verify whether output electrical signals indeed reach an existing actuating device.
Securing SCADA
• Make the system secure with respect to IT. This could be done through the classical hardening approaches developed for IT security along with appropriate authentication and encryption as required.
• Ensure that the system also works in the safe zone as projected by the control system/plant designers.

Monitoring Control Systems
• Most of the approaches may be classified under:
  – Developing models from first principles using the laws of physics,
  – Empirical behavior using simulation tools, and
  – A hybrid of the above
• While safety critical systems demand accurate models, it is not always feasible due to the underlying complexity and economics.
• Usually, the behavioural model is constructed in the industry using several tools like identification packages that enable the development of physical systems using training data.
Fault Detection and Diagnosis
Problems
• Generation of residuals that are close to zero under no-fault condition, minimally sensitive to noises and disturbances, and maximally sensitive to faults
• Evaluation of residuals corresponds to decision rules with respect to the handling of residuals.
Deriving Statistics in Data
• Assess level of significance of discrepancies with respect to uncertainties & reflect as to whether the parameter perturbation is significant or not.
• Parameter estimation provides us with relative sizes of estimation errors with respect to noises on the system measurements.

Solving Detection Problems
• Model validation: Given a reference point of the parameter and a new data sample, the problem is to decide whether the new data are still well described by this parameter value or not; this could be done by a sliding window of fixed size.
• On-line Change detection: Given a data sample and an instant t, the problem is to decide whether the parameter has deviated from the given reference point and if so classify into the required categories.
• Off-line Change detection: Given a data sample consisting of N samples, the problem is to decide whether at some instant, t, the given parameter has drifted to some other value that needs attention.

Some Tools used
• Instance Control Charts: Control charts essentially present a graphic display of process stability or instability over time.
• A control chart is a statistical tool: to distinguish between variation in a process resulting from common causes & variation due to special causes.
• The control chart differentiates between two types of variation:
  – Special Cause Variation: variations due to causes which are not normally present
  – Common Cause Variation: are the result of numerous ever-present differences in the process.
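
The control chart and the fixed-size sliding window for model validation can be combined in one monitor, shown here as an added example that is not part of the original talk. It goes slightly beyond the slides by adding a windowed-mean rule, which catches the slow drift the talk later calls a bias attack; the reference mean, sigma, window size and sample values are constructed assumptions.

```python
# Added illustration (not from the talk): control-chart monitoring of one sensor.
import math
from collections import deque
from statistics import mean
from typing import List, Sequence, Tuple


def monitor(samples: Sequence[float], ref_mean: float, ref_sigma: float,
            window: int = 8, k: float = 3.0) -> List[Tuple[int, str]]:
    """Return (sample index, rule) for every alarm.

    "point"  - one sample lies outside ref_mean +/- k*sigma, the classic
               control-chart limit for special-cause variation.
    "window" - the mean of the last `window` samples lies outside
               ref_mean +/- k*sigma/sqrt(window): the data in the sliding
               window are no longer well described by the reference value.
    """
    point_limit = k * ref_sigma
    window_limit = k * ref_sigma / math.sqrt(window)
    recent: deque = deque(maxlen=window)
    alarms: List[Tuple[int, str]] = []
    for i, y in enumerate(samples):
        recent.append(y)
        if abs(y - ref_mean) > point_limit:
            alarms.append((i, "point"))
        elif len(recent) == window and abs(mean(recent) - ref_mean) > window_limit:
            alarms.append((i, "window"))
    return alarms


# Constructed data: reference operating point 50.0 with sigma 1.0.
NORMAL = [50.3, 49.6, 50.8, 49.4, 50.1, 49.9, 50.5, 49.5, 50.2, 49.8]
# Constructed slow drift of +0.25 per sample; no single value leaves 50 +/- 3.
DRIFT = [50.0 + 0.25 * j for j in range(1, 11)]

if __name__ == "__main__":
    print(monitor(NORMAL, 50.0, 1.0))              # common-cause variation only
    print(monitor(NORMAL + DRIFT, 50.0, 1.0))      # drift caught by the window rule
    print(monitor([50.1, 56.0, 49.9], 50.0, 1.0))  # abrupt jump caught per sample
```

The per-sample limit never fires on the drifting series because every reading stays within three sigma; only the windowed mean leaves its tighter band.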
Monitoring and Protecting SCADA
a. Malware attacks of the computing elements
  – to be handled primarily from the IT defense perspective.
b. New possible attacks on the plant arising from the malware attack on its control system.
  – Is it possible to handle so that SCADA will always be in the SAFETY Zone and also be indicative of a possible attack
[Figure: Plant, Network of sensors, Dist Control]

Challenge: New Scenario of Attacks
• Sensor Measurement: $Y(k) = \{y_1(k), \ldots, y_p(k)\}$
  – $y_i(k)$ denotes measures by sensor $i$ at time $k$.
  – $\forall k,\ y_i(k) \in [y_{min}, y_{max}]$ in the DOM(Y)
• Each sensor has a unique Crypto identity key
• $Z_i(k)$: signals received by the process controller (value in domain, else gets detected).
  – $Z_i(k) = a_i(k)$ if in attack slot, $= y_i(k)$ otherwise
• Integrity Check: If attackers have compromised a sensor they can inject any value $a_i(k)$ – an arbitrary value in the domain
• Replay and Stealth Attacks
• DOS Attack
  – Notices lack of measurements
  – A solution is to use the last value

SCADA Design: Change Detection Basis for Safety
• Hypothesis:
  – We have the statistics of its good performance recorded over time to classify as normal operation and possible abnormal behavior.
  – Note that it must be kept in mind that the control system is a continuous system rather than a discrete one.
• Under abnormal operations, assume
  – plant will be operated under safe parameters
  – declaring it as an alarming zone for further action.
• In other words, in the data of the d-dimensional space, with respect to a reference point of operation,
  – we have a set of vectors that reflects possible variations that would still keep the system in a stable/safe state; falling outside would mean possible unsafe operation
Question
• Assuming we have captured the behaviour of the system, is it possible to design a control system such that:
  • It follows the control law design and
  • Detects Black Swan events – large impact, hard to predict, rare events – difficult to predict lying beyond the realm of normal expectations, and
  • Guarantees that it will always operate in a safe domain, sounding alarm whenever it finds the behaviour is not as expected around the reference anchor points
Challenge and Solution
• Lies in providing a scalable solution
• Solution Basis:
  – Reducing the problem to the problem of monitoring a distributed set of streams through queries
What is the intuition?

Anomaly Detecting Controller

Safety of the System
• $U(t)$: plant input at $t$; $X'(t)$: output of plant; $X(t)$: denotes the same measured through the sensors at time $t$.
• Now, the input $U(t+1)$ at time $t+1$ is determined by the controller, which finds whether there is an anomaly at this point using the possible perturbations, assuming a stable operation at time $t$ with input $U(t)$, through the Change-Detect-Estimator (CDE).
• Let $\{Y_1, \ldots, Y_m\}$ be the set of vectors taking into account the possible perturbations corresponding to input $U(t)$ and output $X'(t)$ as detected by the sensors.
  – Note that $Y_1, \ldots, Y_m$ essentially denote possible perturbations with respect to input and output of the plant as reflected in its behaviour.
• Then $X(t)$ will be said to be safe if $X(t)$ is in the convex hull of $\{Y_1, \ldots, Y_m\}$.
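
The safety test above, as an added example that is not part of the original talk: it builds the convex hull of the perturbation vectors for one input and classifies incoming measurements. It assumes a two-dimensional measurement (the talk works in d dimensions), and the (pressure, flow) values, the domain limits and all function names are constructed for illustration.

```python
# Added illustration (not from the talk): convex-hull safety test in 2-D.
from typing import List, Sequence, Tuple

Point = Tuple[float, float]


def cross(o: Point, a: Point, b: Point) -> float:
    """Z-component of (a - o) x (b - o); positive means a left turn."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points: Sequence[Point]) -> List[Point]:
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    hull = lower[:-1] + upper[:-1]
    if len(hull) < 3:
        raise ValueError("need at least three non-collinear perturbation vectors")
    return hull


def in_hull(x: Point, hull: Sequence[Point], eps: float = 1e-9) -> bool:
    """True if x is inside or on the boundary of the counter-clockwise hull."""
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], x) >= -eps for i in range(n))


def classify(x: Point, hull: Sequence[Point],
             domain: Sequence[Tuple[float, float]]) -> str:
    """Return 'out-of-domain', 'alarm' or 'safe' for one measurement X(t)."""
    for value, (lo, hi) in zip(x, domain):
        if not lo <= value <= hi:
            return "out-of-domain"   # caught by the per-sensor range check
    return "safe" if in_hull(x, hull) else "alarm"


# Constructed perturbation vectors Y1..Ym as (pressure, flow) for one input U(t).
PERTURBATIONS = [(4.8, 9.6), (5.2, 9.7), (5.4, 10.3),
                 (5.0, 10.6), (4.6, 10.2), (5.0, 10.0)]
# Constructed sensor domains [ymin, ymax] for pressure and flow.
DOMAIN = [(0.0, 10.0), (0.0, 20.0)]
HULL = convex_hull(PERTURBATIONS)

if __name__ == "__main__":
    for reading in [(5.1, 10.1), (5.35, 9.7), (7.0, 14.0), (12.0, 10.0)]:
        print(reading, classify(reading, HULL, DOMAIN))
```

The reading (5.35, 9.7) lies inside every per-sensor range, and even inside the bounding box of the recorded perturbations, yet outside their hull, so only the joint test raises the alarm.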
Question
• Can we compute convex hull in a scalable manner?
• Yes
• Izchak Sharfman and Assaf Schuster, A Geometric Approach to Monitoring Threshold Functions over Distributed Streams, ACM TODS, Vol 32, Nov. 2007, pp. 23:1-23:29.
Geometric Method
Cover of Convex Hull
Monochromatic Region
• Monochromatic Region: For all $x$ in region, $f(x)$ is on the same side of the threshold ($f(x) > \tau$ or $f(x) \le \tau$)
• Each site independently checks its sphere is monochromatic
  – Find max and min for $f()$ in local sphere region (may be costly)
• Send updated value of $v_i$ if not monochrome
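
The local check each site runs, as an added example that is not part of the original talk. It uses the ball construction of the geometric method cited above (the ball whose diameter joins the last agreed estimate to the site's drift vector) and assumes equal site weights and, as the monitored function, f(x) = Euclidean distance from a reference operating point, for which the max and min over a ball have a closed form; all values and names are constructed.

```python
# Added illustration (not from the talk): local monochromaticity check per site.
import math
from typing import List, Sequence, Tuple

Vec = Sequence[float]


def average(vectors: Sequence[Vec]) -> List[float]:
    """Equal-weight global vector (assumption: all sites weigh the same)."""
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]


def local_ball(estimate: Vec, last_sent: Vec, current: Vec) -> Tuple[List[float], float]:
    """Ball whose diameter joins the estimate e to the drift vector
    u_i = e + (v_i - v_i'), where v_i' is the value last sent by the site."""
    drift = [e + (c - s) for e, s, c in zip(estimate, last_sent, current)]
    center = [(e + u) / 2 for e, u in zip(estimate, drift)]
    return center, math.dist(estimate, drift) / 2


def f(x: Vec, reference: Vec) -> float:
    """Monitored function (assumed here): distance from the reference point."""
    return math.dist(x, reference)


def f_range_on_ball(center: Vec, radius: float, reference: Vec) -> Tuple[float, float]:
    """Exact min and max of f over the ball."""
    d = math.dist(center, reference)
    return max(0.0, d - radius), d + radius


def is_monochromatic(center: Vec, radius: float, reference: Vec, tau: float) -> bool:
    """True if f is on one side of tau for every point of the ball."""
    lo, hi = f_range_on_ball(center, radius, reference)
    return hi <= tau or lo > tau


def sites_to_report(last_sent: Sequence[Vec], current: Sequence[Vec],
                    reference: Vec, tau: float) -> List[int]:
    """Indices of sites whose ball straddles the threshold and must send v_i."""
    estimate = average(last_sent)
    report = []
    for i, (sent, now) in enumerate(zip(last_sent, current)):
        center, radius = local_ball(estimate, sent, now)
        if not is_monochromatic(center, radius, reference, tau):
            report.append(i)
    return report


# Constructed data: three sites, 2-D local vectors, safe if f <= TAU.
REFERENCE = (5.0, 10.0)
TAU = 1.0
LAST_SENT = [(5.1, 10.0), (5.3, 9.9), (4.9, 10.1)]
QUIET = [(5.2, 10.1), (5.3, 10.0), (4.8, 10.0)]     # small local changes
DRIFTED = [(5.2, 10.1), (6.6, 10.4), (4.8, 10.0)]   # site 1 moves a long way

if __name__ == "__main__":
    print(sites_to_report(LAST_SENT, QUIET, REFERENCE, TAU))    # no messages
    print(sites_to_report(LAST_SENT, DRIFTED, REFERENCE, TAU))  # site 1 reports
```

In the second round the global average is still within the threshold, but site 1 cannot know that locally, so it sends its update; silence from every site is what guarantees the global value has not crossed.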
Restoring monotonicity

Overcoming Replay Attack
• Replay attack:
  – Attacker records a sequence of sensor measurements and replays the same at a later point of time, which could cause havoc to the system later on.
  – Also one of the attacks used by Stuxnet.
• Suppose the attack is at T corresponding to values read at t, T > t
• It will be allowed only if the reference vector at T is within the known limits of that at t.
• Hence safe
Overcoming Stealth Attacks Safe
• Surge attack: here, the attacker wants to maximize the damage as soon as possible.
• Bias attack: in this case, the attacker wants to attack over a period of time through incremental perturbations.
• Geometric attack: here the adversary wants to drift slowly in the beginning and finally maximize the damage.
• False positives -- could be minimized based on sampling
Conclusions
• Extremely useful in Detecting Black Swan Events
• Scalable and overcomes false positives
• Inductive Learning / Machine Learning
Conclusions
• Tunable for generalizations like
– Same analysis of correctness holds when spheres are allowed to be ellipsoids
– Different reference vectors → to increase radius when close to threshold values
– Combining these observations allows additional cost savings
– More general theory of “Safe Zones” -- Convex subsets of the admissible region
Conclusions
• Approach in conjunction with IT security provides a safe operation.
• As most SCADA vendors do not divulge details, the approach is promising.
• Applicable for varieties of SCADA deployments including power grids, smart grids etc. (note that the data is quite often very sensitive)
• Experimental work in progress.
The Distinguished Speakers Program is made possible by
For additional information, please visit http://dsp.acm.org/
About ACM
ACM, the Association for Computing Machinery, is the world’s largest educational and scientific computing society, uniting educators, researchers and professionals to inspire dialogue, share resources and address the field’s challenges.
ACM strengthens the computing profession’s collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence.
ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.
With over 100,000 members from over 100 countries, ACM works to advance computing as a science and a profession. www.acm.org