Detection of cyber-physical attacks
All of the cyber-physical attacks described earlier in this technical note can be detected using a combination of network intrusion detection technologies, namely deep protocol behavior inspection (DPBI) and operational correlation.
- Aurora attack type: After building the DPBI pattern of normal behavior for the control network, a script would be deployed to monitor the sequence of write commands received by the RTUs within an arbitrary period of time (seconds or milliseconds). If a CLOSE write command is sent to a given RTU after a previous OPEN value was received, with less than the allowed time interval (0.2 s) between them, an alert would be raised.
- Water hammer / discharges attack type: Assuming a progressive control scenario as in Figure 2, it would only be possible to reach the completely closed (or open) state of the valve from a previous state with V = 30. Any value sent in a write command to the PLC that controls the valves would be compared with the last write value sent. If the difference between the value of the write command and the immediately preceding one received exceeded the maximum programmed control increment (ΔV = 10), an alert would be raised. Additionally, any value in a command that is not included in the behavioral blueprint would trigger an alert (e.g. V > 40).
Remarkably, the importance of the anomaly differs depending on the detected transition, and a criticality hierarchy may be established. In the example of Figure 2, the abnormal transition E3 -> E5 triggers a warning alert, while the anomalous transition E1 -> E5 triggers a critical alert.
- Alteration of the amount of production (vinyl acetate monomer): Any value received in a write message to the PLC that controls the reactor temperature which lies outside the distribution of values in the behavior blueprint would trigger an alert.
- Temperature attack on chemical reactors: As in the water hammer case, any write command sent to the PLC for progressive temperature control would be compared with the immediately preceding one. If the difference between the written value and the immediately preceding one received exceeds the defined maximum temperature threshold, an alert would be sent.
- Fake maintenance: Sending commands to the control elements in order to conceal attacks on the process would never have formed part of the original behavior pattern built for the network, so any transmission of such commands would trigger an immediate alert.
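The checks listed above, as an added example in Python that is not code from the note: the Aurora OPEN/CLOSE interval, the valve step limit ΔV = 10 and range V <= 40 with the E3 -> E5 / E1 -> E5 criticality hierarchy, and the fake-maintenance check against the behavior blueprint. The mapping of valve values 0, 10, 20, 30, 40 to the states E1..E5 of Figure 2, the device names and the sample trace are assumptions.

```python
# Thresholds from the note: an OPEN->CLOSE pair on an RTU faster than 0.2 s is
# the Aurora pattern; a valve write may move at most dV = 10 and must stay <= 40.
AURORA_MIN_INTERVAL = 0.2
MAX_STEP = 10
MAX_VALUE = 40
# Criticality hierarchy of the Figure 2 example; other abnormal jumps default to
# "warning". Mapping valve values 0,10,20,30,40 to states E1..E5 is an assumption.
TRANSITION_SEVERITY = {("E3", "E5"): "warning", ("E1", "E5"): "critical"}

def valve_state(v):
    return "E%d" % (min(v, MAX_VALUE) // 10 + 1)

class DpbiMonitor:
    def __init__(self, blueprint):
        self.blueprint = blueprint  # allowed (device, command) pairs learned
        self.last = {}              # device -> (timestamp, last written value)

    def check(self, ts, device, cmd, value):
        alerts = []  # list of (severity, message) for this one write command
        if (device, cmd) not in self.blueprint:  # fake maintenance: never learned
            return [("critical", f"{device}: {cmd} not in behavior blueprint")]
        prev = self.last.get(device)
        if (cmd == "WRITE_BREAKER" and prev and prev[1] == "OPEN"
                and value == "CLOSE" and ts - prev[0] < AURORA_MIN_INTERVAL):
            alerts.append(("critical", f"{device}: CLOSE {ts - prev[0]:.3f}s after OPEN (Aurora)"))
        if cmd == "WRITE_VALVE":
            if value > MAX_VALUE:  # value outside the learned distribution
                alerts.append(("warning", f"{device}: V={value} outside blueprint range"))
            if prev and abs(value - prev[1]) > MAX_STEP:  # step larger than dV
                key = (valve_state(prev[1]), valve_state(value))
                sev = TRANSITION_SEVERITY.get(key, "warning")
                alerts.append((sev, f"{device}: jump {key[0]}->{key[1]} exceeds dV={MAX_STEP}"))
        self.last[device] = (ts, value)
        return alerts

def run_trace(trace, blueprint):
    mon = DpbiMonitor(blueprint)
    return [a for rec in trace for a in mon.check(*rec)]

# Constructed sample trace of write commands: (timestamp s, device, command, value).
BLUEPRINT = {("RTU1", "WRITE_BREAKER"), ("V1", "WRITE_VALVE"), ("V2", "WRITE_VALVE")}
SAMPLE_TRACE = [
    (0.00, "RTU1", "WRITE_BREAKER", "OPEN"),
    (0.15, "RTU1", "WRITE_BREAKER", "CLOSE"),  # 0.15 s < 0.2 s: Aurora pattern
    (1.00, "V1", "WRITE_VALVE", 0),
    (2.00, "V1", "WRITE_VALVE", 40),           # E1 -> E5: critical
    (3.00, "V2", "WRITE_VALVE", 20),
    (4.00, "V2", "WRITE_VALVE", 40),           # E3 -> E5: warning
    (5.00, "V2", "WRITE_VALVE", 50),           # dV = 10 is allowed, but V > 40
    (6.00, "V1", "FIRMWARE_UPDATE", None),     # command never seen in blueprint
]
```

Running `run_trace(SAMPLE_TRACE, BLUEPRINT)` yields five alerts in trace order; a normal step of 10 or an OPEN/CLOSE pair slower than 0.2 s produces none.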
We can summarize this in the following table:
It is important to note that the semantics needed to detect these attacks through additional programming logic come from deep knowledge of the process controls and their possible weaknesses. Systems based solely on deep protocol inspection (DPI) could not detect such attacks; it is necessary to use both DPBI and operational correlation to detect them all.
There is another very powerful application of operational correlation: detecting how allowed control operations (nodes, protocols and distribution of values) are executed within specific time frames. (A firmware update of a PLC or RTU can be normal within a business day and exceptional if done on weekends or at night.)
Conclusions
The new attacks on the cyber-physical systems of industrial processes running on critical infrastructure require the adoption of new strategies capable of detecting them without interfering with normal operation.
Changing the functional structures (common managers and multidisciplinary teams) and the procedures at critical infrastructure operators (risk analysis and procurement requirements) is imperative in order to address this kind of physical attack.
The only technology capable of detecting attacks launched from within the control network, using protocols, messages and values that are allowed within it but in an order or frequency other than normal, is the use of intrusion detection systems that support deep protocol behavior inspection (DPBI) with the ability to implement correlation of operational events.
The implementation of these technologies in critical infrastructure control networks should be seriously considered by those responsible for the cyber security of these facilities and by the authorities responsible for monitoring compliance with the PIC 8/2011 Act.
In the future, sequence-aware NIDS (S-NIDS), or similar technologies, may help simplify the implementation of these systems in control networks, significantly improving behavior pattern generation and subsequent maintenance, and protecting processes and cyber-physical systems in critical infrastructures.