Abstract
In this work, a control/command analysis-based intrusion prevention system (IPS) is proposed. The IPS examines incoming command packets and programs destined for a PLC that interacts with a physical process. It consists of a module that inspects packets that would alter settings or actuators and incorporates a model of the physical process to predict the effect of processing the command, specifically whether a safety violation would occur for critical variables in the physical system. Essentially, the module simulates both the model of the physical system and a process running a copy of the real PLC's ladder logic. Uploaded programs are likewise evaluated to determine whether they would cause a safety violation. Previous research has made predictions based on packet payloads, but required cumbersome specifications of the physical-system model and the safety conditions to be developed by a human expert. This work seeks to eliminate or minimize the specifications a human must develop by using system identification and machine learning, making the IPS more generic and deployable. A further contribution of this work is a broader and more generic understanding of the threat model that leads to unsafe or inefficient consequences. Prediction accuracy and analysis latency are the metrics used to evaluate the results.
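As an added illustration of the command-gating idea described in the abstract (example code written here, not the paper's implementation), the following Python co-simulates a constructed first-order tank model with a copy of the controller logic before a register write or an uploaded program is forwarded to the PLC. The plant constants, the safe band, the register names and the scan-time assumption are all constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Callable, NamedTuple

SAFE_LEVEL = (0.10, 0.90)        # assumed safe band for the critical variable (tank level, fraction full)
HORIZON = 600                    # look-ahead in controller scans (assumed 1 s per scan)
PUMP_IN, DRAIN_OUT = 0.02, 0.01  # constructed plant constants: level change per scan

@dataclass(frozen=True)
class Registers:
    """Writable PLC state that a command packet may change (assumed register map)."""
    setpoint: float     # holding register: target level
    pump_enable: bool   # coil: permit the pump to run
    drain_open: bool    # coil: drain valve state

def ladder_copy(level: float, regs: Registers) -> bool:
    """Copy of the trusted PLC logic: pump runs while enabled and the level is below setpoint."""
    return regs.pump_enable and level < regs.setpoint

def plant_step(level: float, pump_running: bool, regs: Registers) -> float:
    """Constructed tank model standing in for the identified process model."""
    level += (PUMP_IN if pump_running else 0.0) - (DRAIN_OUT if regs.drain_open else 0.0)
    return min(1.0, max(0.0, level))

class Verdict(NamedTuple):
    allow: bool
    step: int      # first scan at which the safe band is left (-1 if never)
    level: float   # level at that scan, or the final level if allowed

def predict(level: float, regs: Registers,
            logic: Callable[[float, Registers], bool] = ladder_copy) -> Verdict:
    """Co-simulate plant model and controller logic; stop at the first safety violation."""
    lo, hi = SAFE_LEVEL
    for step in range(1, HORIZON + 1):
        level = plant_step(level, logic(level, regs), regs)
        if not lo <= level <= hi:
            return Verdict(False, step, level)
    return Verdict(True, -1, level)

def evaluate_write(level: float, regs: Registers, field: str, value) -> Verdict:
    """Gate a single register/coil write by simulating its effect before forwarding it."""
    return predict(level, replace(regs, **{field: value}))

def evaluate_program(level: float, regs: Registers, program) -> Verdict:
    """Gate an uploaded program by running it in place of the trusted ladder copy."""
    return predict(level, regs, logic=program)

if __name__ == "__main__":
    now = Registers(setpoint=0.5, pump_enable=True, drain_open=True)
    print(evaluate_write(0.5, now, "setpoint", 0.6))         # allowed: settles near 0.6
    print(evaluate_write(0.5, now, "setpoint", 0.95))        # blocked: level would exceed 0.90
    print(evaluate_program(0.5, now, lambda lvl, r: True))   # blocked: logic runs the pump unconditionally
```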
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Werth, A., Morris, T.H. (2020). A Specification-Based Intrusion Prevention System for Malicious Payloads. In: Choo, KK., Morris, T., Peterson, G. (eds) National Cyber Summit (NCS) Research Track. NCS 2019. Advances in Intelligent Systems and Computing, vol 1055. Springer, Cham. https://doi.org/10.1007/978-3-030-31239-8_13
DOI: https://doi.org/10.1007/978-3-030-31239-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31238-1
Online ISBN: 978-3-030-31239-8
eBook Packages: Intelligent Technologies and Robotics (R0)