Advertisement

Exploitation of HART Wired Signal Distinct Native Attribute (WS-DNA) Features to Verify Field Device Identity and Infer Operating State

  • Juan LopezJr.Email author
  • Michael A. Temple
  • Barry E. Mullins
Conference paper
  • 1.1k Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8985)

Abstract

Infusion of Information Technology (IT) into Industrial Control System (ICS) applications has increased Critical Infrastructure Protection (CIP) challenges. A layered security strategy is addressed that exploits Physical (PHY) features to verify field device identity and infer normal-anomalous operating state using Distinct Native Attribute (DNA) features. The goal is inferential confirmation that Human Machine Interface (HMI) indicated conditions match the system’s true physical state. Feasibility is shown using Wired Signal DNA (WS-DNA) from Highway Addressable Remote Transducer (HART) enabled field devices. Results are based on experiments using an instrumented Process Control System (PCS) with smart field devices communicating via wired HART. Results are presented for two field devices operating at two different set-points and suggest that the WS-DNA technical approach is promising for inferring device physical state.

Keywords

CIP ICS HART DNA Anomaly detection Process control 

1 Introduction

CIP has become increasingly difficult as ICS architectures have migrated from simple point-to-point networks [8, 9] to IT-based architectures interconnecting ICS and business enterprise networks. Although increasing both efficiency and reducing cost [10, 11, 12, 13], this migration comes at the expense of increased vulnerability [14, 15, 16, 17, 18, 19, 20, 22, 24] and higher potential for catastrophic events that are inherent in IT systems [21]. The migration cost is high from a security perspective, and ICS Internet connectivity presents what some consider an “unresolved security issue” that must be addressed [23].

Some security solutions work well in traditional IT systems but are less effective for CIP intrusion and anomaly detection [23, 25, 26, 29, 31]. Most ICS intrusion detection schemes do not detect bit-level protocol vulnerability attacks given they do not understand “application level” protocols [32]. Some single packet detection capability for Supervisory Control And Data Acquisition (SCADA) traffic do exist [28, 29, 30, 32, 33], but these methods are unreliable for detecting sequential “allowed” commands that can progressively drive a SCADA system to become unstable (Stuxnet-like events). ICS/SCADA protection strategies that exploit device level PHY state information can complement upstream bit-level protection approaches. The envisioned multi-layer security strategy integrates both levels with a goal of countering Stuxnet-like attacks, e.g., detect cases where the HMI indicates coolant is flowing normally while in reality the control valve being monitored is physically closed, no coolant flowing, and physical damage is imminent. Current bit-level detection strategies have proven to be ineffective against these types of attacks. Sensing PHY state information from downstream field devices provides potential for confirming that desired physical device changes (open, close, etc.) have occurred and that HMI reporting is reliable.

This work supports a PHY-based Security (PhySEC) approach for verifying that the indicated HMI status is consistent with field device operating state. A WS-DNA fingerprinting process is formalized using signals from a wired HART field device in a closed-loop PCS–more than 35 million Hart devices have been deployed [27]. As used to achieve human-like discrimination of device hardware [18] and operations [1], the Radio Frequency DNA (RF-DNA) fingerprinting methodology was adopted for recent HART device level field bus work [2] which motivated WS-DNA formalization for SCADA PhySEC application. The HART WS-DNA fingerprints are used here to discriminate selected device-state combinations using a Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) process. The initial approach is promising for device hardware and state discrimination, so the investigation continues.

2 Discrimination Methodology

Exploitable DNA features have been extracted from both intentional and unintentional waveform responses that generally differ with device type [3, 5, 17, 21]. Wireless techniques were adopted here for WS-DNA demonstration with a goal of identifying discriminating PHY features in FSK signals of a \(4-20\) mA control loop. Of interest is unintentional electromechanically induced signal variation that is expected to possess unique characteristics dictated by component manufacturing process, component tolerances, device aging, environmental conditions, etc. [4]. The WS-DNA fingerprinting methodology here is consistent with work in [6, 7] and includes: (1) Burst Detection, (2) Down-Conversion and Baseband Filtering, (3) Analysis Signal Generation, (4) Fingerprint Generation, and (5) Class Discrimination.

Wired HART signal collections were made on a Lab-volt 3531 PCS running an automated fluid level control process [2] using a collection receiver (Agilent Oscilloscope) and a desktop workstation for post-collection processing. The HART field devices were Endress+Hauser PMD75 differential pressure transmitters. High-level (\(0-400\) psi) and low-level (\(0-10\) psi) pressure transmitters were used to measure column fluid level at two set points (SP): including (1) SP-10 for 2.0 inches of fluid, and (2) SP-50 for 20.0 inches of fluid. HART FSK signals were collected directly from pressure transmitter maintenance ports. A \(2 \times 2\) experimental design was conducted using each of the two field devices sensing the two fluid levels. The various factor level combinations followed the Device:State (D:S) notation in Table 1. The assessments used WS-DNA fingerprints from a total of \(N_B\) \(= 456\) independent HART bursts for all four D:S cases considered.
Table 1.

Hardware Device (D) and State (S) Notation.

Description

Notation

Low Pressure DPT-SP10

D1:S1

Low Pressure DPT-SP50

D1:S2

High Pressure DPT-SP10

D2:S1

High Pressure DPT-SP15

D2:S2

Figure 1 shows a representative mean response for 456 experimentally collected bursts; the response was similar for all four D:S cases. Of note is the constructive response of the Preamble during \(0 < t < 0.055\) s and the Device ID Region (DevIDRgn) during \(0.055 < t < 0.165\) s; note that the DevIDRgn designation is used here for presentation and does not represent a formal HART protocol designation.
Fig. 1.

Mean of 456 experimentally-collected HART FSK bursts.

As in prior DNA-based fingerprinting work, the invariant cross-burst responses such as the Preamble and SigIDRgn responses in Fig. 1 are generally most favorable for discrimination. Thus, the SigIDRgn region was first considered for WS-DNA extraction and MDA/ML classification. This choice was supported by Fig. 2 which shows SigIDRgn responses relative to a D1:S1 reference, i.e., the D1:S1 response was subtracted from responses for the other D:S cases to highlight differences. These responses reflect (1) discriminating Device (D) information in the \(0.080 < t < 0.120\) s interval and (2) discrimination State (S) information in the \(t > 0.140\) s interval. Similar behavior and conclusions were drawn using D2:S1 as the reference.
Fig. 2.

Difference between SigIDRgn responses using D1:S1 as the reference. The \(0.080 < t < 0.120\) s region reflects device similarity and the \(t > 0.140\) s region reflects state similarity.

Fig. 3.

Average DNA fingerprint features at SNR\(_C\) \(\approx 22.0\) dB based on 200 independent SigIDRgn fingerprints for each D:S cased considered.

2.1 Discrimination Results

Initial assessments considered 456 FSK bursts for all four D:S cases using WS-DNA features extracted from SigIDRgn responses. The entire SigIDRgn response was used with statistical features of variance, skewness, and kurtosis calculated across \(N_R+1=20+1=21\) sub-regions of the SigIDRgn instantaneous amplitude, phase and frequency responses. Thus, the resultant fingerprints included a total of \(21 \times 3 \times 3=189\) WS-DNA features (DNA markers). The characteristic fingerprint differences for the D:S cases considered are illustrated in Fig. 3 which shows clear visual discrimination. The discriminability was confirmed using the MDA/ML classifier using the SigIDRgn WS-DNA fingerprints to discriminate both device and state. The discriminability is quantitatively reflected in Table 2 MDA/ML confusion matrix results which are presented for both \({Collected SNR}_C\) \(\approx 22.0\) dB and degraded \(Analysis SNR_A\) \(\approx 2.0\) dB conditions. Diagonal entries reflect 100 % and 92.7 % correct classification (discrimination) for the two SNRs and suggest the process is relatively robust for varying channel conditions. Off-diagonal elements for \(SNR_A\) \(\approx 2.0\) dB indicate that state discrimination is generally more challenging than device discrimination with decreasing SNR.
Table 2.

MDA/ML classification confusion matrix results. Presented for SNR\(_C\) \(\approx 22.0\) dB / SNR\(_A\) \(\approx 2.0\) dB.

Called (%)

D1:S1

D1:S2

D2:S1

D2:S2

Input

D1:S1

100/97.19

0.0/2.45

0.0/0.18

0.0/0.18

D1:S2

0.0/4.30

100/95.61

0.0/0.09

0.0/0.0

D2:S1

0.0/0.27

0.0/0.0

100/90.61

0.0/9.12

D2:S2

0.0/0.44

0.0/0.0

0.0/11.93

100/87.63

3 Conclusions

A PHY-based Security (PhySEC) approach to SCADA security is addressed using WS-DNA features from wired HART signals, with a goal of verifying that the observed HMI state matches the actual field device physical state to counter Stuxnet-like attacks. The paper was motivated by related HART fieldbus work [2], the results of which motivated formalization of WS-DNA fingerprinting for SCADA PhySEC application. WS-DNA field device hardware discrimination is consistent with prior RF-DNA works yielding reliable device discrimination. Of greater importance to near-term SCADA security improvement is the introduction of an inferential device state estimation process using the same WS-DNA features. While results here are indeed limited (two devices operating in each of two states), they are sufficiently promising to warrant additional research. Thus, additional equipment has been procured and experimentation is underway to extend the findings and further develop the envisioned SCADA PhySEC approach.

References

  1. 1.
    Cobb, W.E., et al.: Physical layer identification of embedded devices using RF-DNA fingerprinting. In: Military Communications Conference, pp. 2168–2173 (2010)Google Scholar
  2. 2.
    Lopez Jr., J., Temple, M.A.: Inferring field device identity and operating state using physical features of highway addressable remote transducer (HART) signals. In: 9th International Conference on Critical Information Infrastructures Security, Limassol, October 2014Google Scholar
  3. 3.
    Reising, D.R. et al.: Gabor-based RF-DNA fingerprinting for classifying 802.16e WiMAX mobile subscribers. In: International Conference on Computing, Networking and Communications, January 2012Google Scholar
  4. 4.
    Suski II, W.M., et al.: Using spectral fingerprints to improve wireless network security. In: IEEE Global Communications Conference, New Orleans (2008)Google Scholar
  5. 5.
    Williams, M.D., et al.: Augmenting bit-level network security using physical layer RF-DNA fingerprinting. In: IEEE Global Communications Conference, December 2010Google Scholar
  6. 6.
    Cobb, W., et al.: Intrinsic physical layer authentication of ICs. IEEE Trans. Inf. Forensics Secur. 2(4), 793–808 (2011)MathSciNetGoogle Scholar
  7. 7.
    Stone, S., Temple, M.: RF-based anomaly detection for programmable logic controllers in the critical infrastructure. Int. J. Crit. Infrastruct. Prot. 5(2), 66–73 (2012)CrossRefGoogle Scholar
  8. 8.
    Igure, V., Laughter, S., Williams, R.: Security issues in SCADA networks. Comput. Secur. 25, 498–506 (2006)CrossRefGoogle Scholar
  9. 9.
    Rameback, C.: Process automation systems history and future. In: IEEE Conference on Emerging Technologies and Factory Automation (ETFA 2003), Lisbon (2003)Google Scholar
  10. 10.
    Stouffer, K., et al.: Guide to Industrial Control System (ICS) Security (Special Publication 800–82). Nat’l Inst of Stands and Tech, Gaithersburg (2013)Google Scholar
  11. 11.
    Parthasarathy, S., Kundur, D.: Bloom filter intrusion detection for smart grid SCADA. In: 25th IEEE Canadian Conference on Electrical and Computer Engineering, Montreal (2012)Google Scholar
  12. 12.
    Langner, R.: Robust Control System Networks: How to Achieve Reliable Control After Stuxnet. Momemtum Press, New York (2012)Google Scholar
  13. 13.
    Lewis, T.: Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Wiley, Hoboken (2006)CrossRefGoogle Scholar
  14. 14.
    Baker, S., Waterman, S., Ivanov, G.: In the Crossfire: Critical Infrastructure in the Age of Cyber War. McAfee Inc., Santa Clara (2010)Google Scholar
  15. 15.
    Powner, D., Rhodes, K.A.: Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain [GAO-07-1036]. Government Accounting Office, Washington, DC (2007)Google Scholar
  16. 16.
    Baker, S., et al.: In the Dark: Crucial Industries Confront Cyberattacks. McAfee, Santa Clara (2011)Google Scholar
  17. 17.
    Government Accountability Office, Cybersecurity national strategy, roles, and responsibilities need to be better defined and more effectively implemented (GAO-13-187). Government Printing Office, Washington, DC (2013)Google Scholar
  18. 18.
    Government Accountability Office, Critical infrastructure protection: Challenges in addressing cybersecurity (GAO-05-827T). GAO, Washington, DC (2005)Google Scholar
  19. 19.
    Chertoff, M.: National infrastructure protection plan: Partnering to enhance protection and resiliency (2009). www.dhs.gov/files/programs/editorial_0827.shtm
  20. 20.
    Northcote-Green, J., Wilson, R.: Control and Automation of Electrical Power Distribution Systems. Taylor and Francis, Boca Raton (2007)Google Scholar
  21. 21.
    Markey, E., Waxman, H.: Electric Grid Vulnerability: Industry Responses Reveal Security Gaps. US House of Representatives, Washington, DC (2013)Google Scholar
  22. 22.
    Leverett, E., Stajano, F., Crowcroft, J.: Quantitatively Assessing and Visualising Industrial System Attack Surfaces. University of Cambridge, Cambridge (2011)Google Scholar
  23. 23.
    Phillippe, J., Axelrod, J.: Industrial control system security,: Protecting your operational technology network from cyber attacks. Ernst and Young LLP (2012)Google Scholar
  24. 24.
    Government Accountability Office, Defense Critical Infrastructure: Actions needed to improve the identification and management of electrical power risks and vulnerabilities to DOD critical assets (GAO-10-147). Government Printing Office, Washington, DC (2009)Google Scholar
  25. 25.
    Abshier, J., Weiss, J.: Securing your control system, 22 November 2004. www.controlglobal.com/articles/2004/238.html?page=1
  26. 26.
    Liu, A.: Critical U.S. infrastructure at risk of cyber attack, experts warn, 22 March 2011. www.foxnews.com/scitech/201103/22/major-industries-vulnerable-cyber-attack/
  27. 27.
    Control Global, The Once & Future Protocol: HART is the Most Widely Used Communication Protocol in the Process Industries and the Best Choice for the Future, 11 September 2012. www.controlglobal.com/articles/2012/hart-future-protocol/?show=all
  28. 28.
    Akella, R., et al.: Analysis of information flow security in cyber physical systems. Int. J. Crit. Infrastruct. 3(3–4), 157–173 (2010)CrossRefGoogle Scholar
  29. 29.
    Campbell, R., Rrushi, J.: Detecting cyber attacks on nuclear power plants. In: IFIP Advances in Information and Communication Technology (AICT), vol. 290, pp. 1–54 (2011)Google Scholar
  30. 30.
    Solomakhin, R., Tsang, P., Smith, S.: High security with low latency in legacy SCADA systems. In: Moore, T., Shenoi, S. (eds.) Critical Infrastructure Protection IV, pp. 63–79. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  31. 31.
    Verba, J., Milvich, M.: Idaho national laboratory supervisory control and data acquisition intrusion detection system (IDS). In: IEEE Conference on Technologies for Homeland Security, pp. 469–473 (2008)Google Scholar
  32. 32.
    Parthasarathy, S., Kundur, D.: Bloom filter based intrusion detection for smart grid SCADA. In: IEEE Canadian Conference on Electrical and Computer Engineering, pp. 1–6 (2012)Google Scholar
  33. 33.
    Yang, Y., et al.: Rule-based intrusion detection system for SCADA networks. In: 2nd IET Renewable Power Generation Conference, pp. 1–4 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Juan LopezJr.
    • 1
    Email author
  • Michael A. Temple
    • 1
  • Barry E. Mullins
    • 1
  1. 1.Department of Electrical and Computer EngineeringUS Air Force Institute of TechnologyDaytonUSA

Personalised recommendations