The Process Matters: Cyber Security in Industrial Control Systems

Dina Hadziosmanovic

Promotor: prof.dr. P.H. Hartel (UT)
Copromotor: dr. D. Bolzoni (UT)
Universiteit Twente
Date: 9 January, 2014, 16:45
Thesis: PDF


An industrial control system (ICS) is a computer system that controls industrial processes such as power plants, water and gas distribution, food production, etc. Since cyber-attacks on an ICS may have devastating consequences on human lives and safety in general, the security of ICS is important. In this context, the most valuable asset is the process that is under the control of the ICS. As a result of attacks on the process, the behaviour of the process (i.e., the program output in a computer program) changes due to modifications in: the automation logic (i.e., program instruction set) or the process input parameters (i.e., the program input). The detection of process manipulations through attacks is challenging as it requires the understanding of complex process dependencies in sensitive and often proprietary environments. Because of this, the problem of process manipulations has not been thoroughly studied by security researchers.

This thesis tackles this challenge by performing pioneering work in exploring suitable techniques for detecting process attacks in ICS. The main focus of the thesis is the problem of malicious manipulations in process input. To decompose the problem, we distinguish three attack vectors used for accomplishing an input manipulation: (i) user application (e.g., issue legitimate but malicious user commands to the plant automation), (ii) network (e.g., issue network messages to divert the process by exploiting access vulnerabilities of the network infrastructure) or (iii) field devices (e.g., trigger inappropriate automation reaction by sending false data from the field).

In this thesis we analyse the first two types of input manipulations (i.e., threats carried through the user application and the network infrastructure) as they describe common cyber attacks (i.e., an exploitation of vulnerabilities in software through remote access). The third attack vector remains out of our scope as it typically involves hardware device tampering (e.g., on a measurement sensor). For the selected attack vectors we (i) investigate the problem and (ii) present and validate an approach for addressing the problem. Based on this, the core contributions of the thesis are structured into four chapters.

First, to investigate the problem of manipulations via the user application, we adapt a common methodology for hazard analysis to systematically identify and characterise potential threats on a real world plant.

Second, based on the knowledge obtained during the problem investigation, we present an approach for addressing process manipulations through the user application. The approach includes mining of event logs to detect undesirable user activities. A real world validation shows that the approach effectively decreases the workload of operators and highlights relevant events for inspection.

Third, to investigate the problem of network manipulations, we perform an assessment of the state-of-the-art detection techniques for network content analysis. The performed analysis presents insights into the capabilities and shortcomings of the detectors and discusses promising approaches for addressing process manipulations.

Fourth, we present an approach for detecting process manipulations via network traffic analysis. During the problem investigation, we identified a common weakness of all analysed detectors: the lack of capabilities for the analysis and interpretation of the current process condition. To tackle this, our approach captures low-level process indicators (such as process updates to the memory of a control device) from network traces to derive patterns of normal behaviour and detect deviations. The obtained results show that the approach manages to extract and consistently monitor 98% of process features in a real world plant.
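To make the fourth contribution concrete, the following is an added example (not code from the thesis) that assumes the control device speaks Modbus/TCP, so that "process updates to the memory of a control device" appear on the wire as Write Single Register requests; it learns a value range per register from training traffic and flags writes that fall outside it or target a register never written before.

```python
import struct

# Added example, not the thesis's code. Assumption: the plant uses Modbus/TCP,
# so memory updates to the controller are function 0x06 (Write Single Register)
# requests. All frames below are constructed, not captured from a real plant.

def build_write_single(tid, unit, register, value):
    """Construct a Modbus/TCP Write Single Register request (for sample traffic)."""
    pdu = struct.pack(">BHH", 0x06, register, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_write_single(frame):
    """Return (unit, register, value) for a function-0x06 frame, else None."""
    if len(frame) != 12:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    func, register, value = struct.unpack(">BHH", frame[7:])
    if proto != 0 or length != 6 or func != 0x06:
        return None
    return unit, register, value

def learn_ranges(frames):
    """Learning phase: record the observed min/max value per (unit, register)."""
    ranges = {}
    for unit, reg, val in filter(None, map(parse_write_single, frames)):
        lo, hi = ranges.get((unit, reg), (val, val))
        ranges[(unit, reg)] = (min(lo, val), max(hi, val))
    return ranges

def detect_deviations(ranges, frames):
    """Detection phase: flag writes to unseen registers or out-of-range values."""
    alerts = []
    for unit, reg, val in filter(None, map(parse_write_single, frames)):
        key = (unit, reg)
        if key not in ranges:
            alerts.append((key, val, "unseen register"))
        elif not ranges[key][0] <= val <= ranges[key][1]:
            alerts.append((key, val, "out of learned range"))
    return alerts

# Constructed traffic: setpoint register 40 on unit 1 is normally written with 50..70.
TRAINING = [build_write_single(i, 1, 40, v) for i, v in enumerate([50, 55, 60, 65, 70])]
TEST = [build_write_single(10, 1, 40, 62),   # normal write
        build_write_single(11, 1, 40, 250),  # value far outside the learned range
        build_write_single(12, 1, 99, 1)]    # register never written during learning

if __name__ == "__main__":
    for alert in detect_deviations(learn_ranges(TRAINING), TEST):
        print(alert)
```

A real deployment would learn over a much longer window and use richer models than a min/max interval, but the two phases (extract process variables from traffic, then compare against the learned profile) are the structure the thesis describes.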

Summarizing, this thesis presents a thorough analysis of process input manipulations in an ICS and presents approaches for addressing two common attack vectors of the analysed threats. Our work shows that relevant information describing process operation can be extracted from common system traces (i.e., network traffic and system logs) and analysed to improve the detector's awareness of the process that is under the control of the ICS. By doing this, we lay the groundwork for detecting critical process attacks that cannot be addressed by the existing solutions.