
Side-Channel Based Intrusion Detection for Industrial Control Systems

  • Pol Van Aubel
  • Kostas Papagiannopoulos
  • Łukasz Chmielewski
  • Christian Doerr
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10707)

Abstract

Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.
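The abstract describes profiling the side-channel signature of a program and then distinguishing small changes with methods from cryptographic side-channel analysis. The following is an added illustration of that workflow, not code from the paper or its authors: it builds reduced (diagonal-covariance) Gaussian templates from constructed, already-aligned traces of a "baseline" program and a "modified" one, classifies new traces by log-likelihood, and, in the intrusion-detection view, raises an alarm when a trace no longer fits the known-good template. All profiles, noise levels and trace counts are hypothetical.

```python
import math
import random
from statistics import mean, pvariance

# Constructed stand-in for the EM signature of a PLC program: the expected
# emanation level at each sample of one (aligned) scan-cycle window.
# Hypothetical values, not measurements from an S7-317.
BASELINE_PROFILE = [0.0, 1.0, 2.0, 3.0, 2.0, 1.0, 0.0, -1.0, -2.0, -1.0, 0.0, 1.0]
# The modified program differs in only two samples, standing in for one
# changed instruction in the control logic.
MODIFIED_PROFILE = [0.0, 1.0, 2.0, 3.0, 2.0, 1.0, 0.0, -1.0, -2.0, -1.0, 0.8, 1.6]


def simulate_traces(profile, count, noise_sd, rng):
    """Constructed noisy traces around a profile (stand-in for a probe capture)."""
    return [[v + rng.gauss(0.0, noise_sd) for v in profile] for _ in range(count)]


def build_template(traces):
    """Profiling phase: per-sample mean and variance of the training traces.

    This is a diagonal-covariance (reduced) template; a full template attack
    would also estimate the covariance between samples.
    """
    n = len(traces[0])
    means = [mean([t[i] for t in traces]) for i in range(n)]
    # Floor the variance so a constant sample cannot cause a division by zero.
    variances = [max(pvariance([t[i] for t in traces]), 1e-9) for i in range(n)]
    return means, variances


def log_likelihood(trace, template):
    """Log-probability of a trace under a template's independent Gaussians."""
    means, variances = template
    return sum(
        -0.5 * math.log(2.0 * math.pi * var) - (x - mu) ** 2 / (2.0 * var)
        for x, mu, var in zip(trace, means, variances)
    )


def classify(trace, templates):
    """Matching phase: the template under which the trace is most likely."""
    return max(templates, key=lambda name: log_likelihood(trace, templates[name]))


def anomaly_threshold(training_traces, template, sd_margin=4.0):
    """Alarm threshold: sd_margin standard deviations below the mean training score."""
    scores = [log_likelihood(t, template) for t in training_traces]
    return mean(scores) - sd_margin * math.sqrt(pvariance(scores))


def is_anomalous(trace, template, threshold):
    """Intrusion-detection view: the trace no longer fits the known-good profile."""
    return log_likelihood(trace, template) < threshold


def run_demo(noise_sd=0.1, seed=1):
    rng = random.Random(seed)
    train_base = simulate_traces(BASELINE_PROFILE, 200, noise_sd, rng)
    train_mod = simulate_traces(MODIFIED_PROFILE, 200, noise_sd, rng)
    templates = {"baseline": build_template(train_base),
                 "modified": build_template(train_mod)}
    test_base = simulate_traces(BASELINE_PROFILE, 100, noise_sd, rng)
    test_mod = simulate_traces(MODIFIED_PROFILE, 100, noise_sd, rng)

    # Distinguishing two known program variants (one template per variant).
    correct = sum(classify(t, templates) == "baseline" for t in test_base)
    correct += sum(classify(t, templates) == "modified" for t in test_mod)

    # Detecting an unknown change: only the known-good template is needed.
    threshold = anomaly_threshold(train_base, templates["baseline"])
    false_alarms = sum(is_anomalous(t, templates["baseline"], threshold) for t in test_base)
    detected = sum(is_anomalous(t, templates["baseline"], threshold) for t in test_mod)
    return {"accuracy": correct / 200, "false_alarms": false_alarms, "detected": detected}


if __name__ == "__main__":
    print(run_demo())
```

Two simplifications matter in practice. First, the traces are assumed to be time-aligned, which on a real device requires a trigger or a waveform-matching alignment step before templates can be built; misaligned traces inflate the per-sample variance and hide small changes. Second, the diagonal template ignores correlation between samples; full-covariance templates, usually after dimensionality reduction, are more sensitive but need more profiling traces to estimate reliably.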

Keywords

EM, Side-channel, Intrusion detection, ICS, Industrial control system, PLC, Programmable logic controller


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Pol Van Aubel (1)
  • Kostas Papagiannopoulos (1)
  • Łukasz Chmielewski (2)
  • Christian Doerr (3)

  1. Digital Security Group, Radboud University, Nijmegen, The Netherlands
  2. Riscure BV, Delft, The Netherlands
  3. Department of Intelligent Systems, Delft University of Technology, Delft, The Netherlands
