6. RESPONSE TO ATTACKS
A comprehensive security posture for any system should include mechanisms for prevention, detection, and response to attacks. Automatic response to computer attacks is one of the fundamental problems in information assurance. While most of the research efforts found in the literature focus on prevention (authentication, access control, cryptography, etc.) or detection (intrusion detection systems), in practice quite a few response mechanisms are already deployed. For example, many web servers send CAPTCHAs to a client whenever its connections resemble bot traffic, firewalls drop connections that match their rules, intrusion detection systems can slow down the execution of anomalous processes, etc.
Given that we already have an estimate of the state of the system (given by a linear model), a natural response strategy for control systems is to use this estimate whenever the anomaly detection statistic raises an alarm. Fig. 12 shows our proposed architecture. Specifically, for sensor $i$, if $S_i(k) > \tau_i$, the ADM replaces the sensor measurement $\tilde{y}_i(k)$ with the measurement $\hat{y}_i(k)$ generated by the linear model; that is, the controller receives $\hat{y}_i(k)$ as its input instead of $\tilde{y}_i(k)$.
Figure 12: An Anomaly Detection Module (ADM) can detect an attack and send an estimate of the state of the system to the controller.
Introducing automatic response mechanisms is, however, not an easy solution. Every time a system introduces an automatic response to an alarm, it has to consider the cost of dealing with false alarms. In our proposed detection and response architecture (Fig. 12), we have to make sure that if there is a false alarm, controlling the system with the estimated values from the linear model will not raise any safety concerns.
6.1 Experiments
The automatic response mechanism works well when we are under attack. For example, Fig. 13 shows that when an attack is detected, the response algorithm manages to keep the system in a safe state. Similar results were obtained for all detectable attacks.
While our attack response mechanism is a good solution when the alarms are indeed an indication of attacks, our main concern in this section is the cost of false alarms. To address this concern we ran the simulation scenario without any attacks 1000 times; each time the experiment ran for 40 hours. As expected, with the parameter set $\tau_{y_4} = 50$, $\tau_{y_5} = 10000$, $\tau_{y_7} = 200$ our system did not raise any false alarm (see Table 1); therefore we reduced the detection thresholds to $\tau_{y_4} = 5$, $\tau_{y_5} = 1000$, $\tau_{y_7} = 20$ and ran the same experiments again. Table 2 shows the behavior of the pressure after the response to a false alarm. We can see that while responding to a false alarm increases the pressure of the tank, it never reaches unsafe levels. The maximum pressure reached while controlling the system from the linear model was 2779 kPa after a false alarm on $y_4$ (and 2794 kPa after one on $y_5$; see Table 2), which is of the same order of magnitude as the normal variation of the pressure without any false alarm (2757 kPa).

Figure 13: Integrity attack $\tilde{y}_5 = 0.5\, y_5$; panel (b): the ADM detects and responds to the attack at $T = 10.7$ hr (time axis 0 to 40 hr).

Table 1: With thresholds $\tau_{y_4} = 50$, $\tau_{y_5} = 10000$, $\tau_{y_7} = 200$ we obtain no false alarm; we therefore report only the expected pressure, the standard deviation of the pressure, and the maximum pressure reached under no false alarm.

  Alarms   Avg y5   Std Dev   Max y5
  0        2700.4   14.73     2757
In our case, even though the automated response keeps the system in a safe state, our response strategy is meant as a temporary solution until a human operator responds to the alarm. Based on our results we believe that the time available for a human response can be quite large (a couple of hours).
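The following Python script is an added example, not code from the paper. It simulates the architecture of Fig. 12 on a constructed first-order plant and reproduces both experiments of this section in miniature: an integrity attack that halves the received reading (the $\tilde{y}_5 = 0.5\,y_5$ scenario of Fig. 13), once with the response enabled and once with detection only, and a Monte Carlo run without any attack at a large and a small threshold, reporting the number of false alarms and the maximum output reached (cf. Tables 1 and 2). The detection statistic is assumed to be a non-parametric CUSUM on the residual between the received measurement and the linear-model estimate; the plant constants, gains, noise levels, thresholds and the 3000 kPa safety limit are constructed toy values, not TE-PCS parameters.

```python
"""Toy model of the detection-and-response architecture of Fig. 12.

Added example, not code from the paper. Plant, controller, noise levels,
thresholds and safety limit are constructed values; the detection statistic
is assumed to be a non-parametric CUSUM on the measurement residual.
"""
import random
from dataclasses import dataclass
from typing import Optional

A, B = 0.95, 0.5                # first-order linear plant x(k+1) = A x(k) + B u(k)
K_P = 0.3                       # proportional controller gain (closed-loop pole A - B*K_P = 0.8)
L_OBS = 0.5                     # observer gain used while the sensor is trusted
SETPOINT = 2700.0               # "pressure" setpoint in kPa, mirroring the scale of Table 1
SAFE_LIMIT = 3000.0             # assumed safety limit of the toy plant
U_FF = (1 - A) * SETPOINT / B   # feed-forward term that holds the plant at the setpoint
SIGMA_W, SIGMA_V = 5.0, 5.0     # process and measurement noise standard deviations


@dataclass
class RunResult:
    alarm_step: Optional[int]   # first step k at which S(k) > tau, or None
    max_y: float                # maximum true plant output reached during the run


def simulate(tau, drift, steps=400, attack_from=None, attack_gain=0.5,
             respond=True, seed=0):
    """Run one closed-loop episode and return the alarm step and the max output.

    tau / drift : CUSUM threshold tau_i and drift term of the ADM.
    attack_from : step from which the received reading is scaled by attack_gain
                  (the y5 * 0.5 integrity attack); None means no attack, i.e.
                  a false-alarm experiment.
    respond     : if False the controller keeps consuming the received
                  measurement after an alarm (detection only, no response).
    """
    rng = random.Random(seed)
    x = x_hat = SETPOINT        # true state and linear-model estimate y^_i(k)
    s = 0.0                     # detection statistic S_i(k)
    alarm_step = None
    max_y = x
    for k in range(steps):
        y = x + rng.gauss(0.0, SIGMA_V)             # honest sensor output
        y_tilde = y                                 # reading that arrives at the ADM
        if attack_from is not None and k >= attack_from:
            y_tilde = attack_gain * y               # integrity attack on the channel
        # Non-parametric CUSUM on |y~_i(k) - y^_i(k)| (assumed form of S_i(k))
        s = max(0.0, s + abs(y_tilde - x_hat) - drift)
        if alarm_step is None and s > tau:
            alarm_step = k
        in_response = respond and alarm_step is not None
        # Fig. 12: after an alarm the controller is fed the estimate y^_i(k)
        y_ctrl = x_hat if in_response else y_tilde
        u = U_FF + K_P * (SETPOINT - y_ctrl)
        # Correct the estimate with the measurement only while it is trusted;
        # once an alarm is raised the linear model runs open loop.
        innovation = 0.0 if in_response else (y_tilde - x_hat)
        x_hat = A * x_hat + B * u + L_OBS * innovation
        x = A * x + B * u + rng.gauss(0.0, SIGMA_W)
        max_y = max(max_y, x)
    return RunResult(alarm_step, max_y)


def false_alarm_study(tau, drift, trials=200, steps=400):
    """Re-run the no-attack scenario `trials` times (cf. Tables 1 and 2).

    Returns (number of runs that raised a false alarm, max output over all runs).
    """
    alarms, worst = 0, 0.0
    for seed in range(trials):
        r = simulate(tau, drift, steps=steps, seed=seed)
        alarms += int(r.alarm_step is not None)
        worst = max(worst, r.max_y)
    return alarms, worst


if __name__ == "__main__":
    att = simulate(tau=200, drift=20, attack_from=50)
    det_only = simulate(tau=200, drift=20, attack_from=50, respond=False)
    print("attack, with response : alarm at step", att.alarm_step,
          "max output", round(att.max_y))
    print("attack, detection only: max output", round(det_only.max_y),
          "(unsafe above", SAFE_LIMIT, ")")
    for tau, drift in ((200, 20), (5, 5)):
        n, worst = false_alarm_study(tau, drift)
        print(f"no attack, tau={tau:>3}, drift={drift:>2}: "
              f"{n} runs with a false alarm, max output {worst:.0f}")
```

With the large threshold no run raises a false alarm; with the small threshold almost every run does, and the plant then runs on the open-loop estimate for the rest of the episode. Its output wanders more (the estimate no longer absorbs process noise) but stays well below the limit, which is the same qualitative picture as Table 2; without the response, the halved reading drives the controller to push the true output far past the limit.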
7. CONCLUSIONS
In this work we identified three new research challenges for securing control systems. We showed that by incorporating a physical model of the system we were able to identify the most critical sensors and attacks. We also studied the use of physical models for anomaly detection and proposed three generic types of stealthy attacks. Finally, we proposed the use of automatic response mechanisms based on estimates of the state of the system. Automatic responses may be problematic in some cases (especially if the response to a false alarm is costly); therefore, we would like to emphasize that the automatic response mechanism should be considered a temporary solution until a human investigates the alarm.
A full deployment of any automatic response mechanism should take into consideration the amount of time in which it is reasonable for a human operator to respond, and the potential side effects of responding to a false alarm.

Table 2: Behavior of the plant after the response to a false alarm, with thresholds $\tau_{y_4} = 5$, $\tau_{y_5} = 1000$, $\tau_{y_7} = 20$.

  Sensor   Alarms   Avg y5   Std Dev   Max y5
  y4       61       2710     30.36     2779
  y5       106      2705     18.72     2794
  y7       53       2706     20.89     2776
In our experiments with the TE-PCS process we found several interesting results. (1) Protecting against integrity attacks is more important than protecting against DoS attacks; in fact, we believe that DoS attacks have a negligible impact on the TE-PCS process. (2) The chemical reactor process is a well-behaved system, in the sense that even under perturbations the response of the system follows our linear models very closely. In addition, the slow dynamics of this process allow us to detect attacks even with large detection delays, with the benefit of not raising any false alarms. (3) Even when we configure the system to raise false alarms, the automatic response mechanism was able to keep the system in a safe mode.
One of our main conclusions regarding the TE-PCS plant is that it is a very resiliently designed process control system. The design of resilient process control systems takes control system design experience and expertise. The design process is based on iteratively evaluating the performance on a set of bad situations that can arise during the operation of the plant and modifying control loop structures to build in resilience. In particular, Ricker's paper [49] discusses the set of random faults that the four-loop PI control is able to withstand.
We would like to make two points in this regard: (1) the PI control loop structure is distributed, in the sense that no single PI control loop controls all actuators and no PI loop has access to all sensor measurements; and (2) the set of bad situations that this control structure is able to withstand may itself result from one or more cyber attacks. However, even though the resilience of the TE-PCS plant is ensured by expert design, we find it interesting to test this resilience directly within the framework of assessment, detection and response that we present in this article.
As a word of caution, however, large-scale control system designs are often not resilient by design and may fall prey to such stealthy attacks if sufficient resilience is not built in from the start. Thus, our ideas become all the more relevant for operational security until there is a principled way of designing fully attack-resilient control structures and algorithms (which is itself a very challenging research endeavor and may not offer a cost-effective design solution).
Even though we have focused on the analysis of a chemical reactor system, our principles and techniques can be applied to many other physical processes. An automatic detection and response module may not be a practical solution for all control system processes; however, we believe that many processes with characteristics similar to the TE-PCS can benefit from this kind of response.
Acknowledgments
We would like to thank Gabor Karsai, Adrian Perrig, Bruno Sinopoli, and Jon Wiley for helpful discussions on the security of control systems. This work was supported in part by the iCAST-TRUST collaboration project, and by CHESS at UC Berkeley, which receives support from the NSF awards #0720882 (CSR-EHS: PRET) and #0931843 (ActionWebs), ARO #W911NF-07-2-0019, MURI #FA9550-06-0312, AFRL, and MuSyC.
8. REFERENCES
[1] Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet Dossier. Symantec, version 1.3 edition, November 2010.
[2] Ralph Langner. Langner communications. http://www.langner.com/en/, October 2010.
[3] Steve Bellovin. Stuxnet: The first weaponized software? http://www.cs.columbia.edu/~smb/blog//2010-09-27.html, October 2010.
[4] Dale Peterson. Digital Bond: Weisscon and Stuxnet. http://www.digitalbond.com/index.php/2010/09/22/weisscon-and-stuxnet/, October 2010.
[5] Brian Krebs. Cyber Incident Blamed for Nuclear Power Plant Shutdown. Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958.html, June 2008.
[6] Robert J. Turk. Cyber incidents involving control systems. Technical Report INL/EXT-05-00671, Idaho National Laboratory, October 2005.
[7] Richard Esposito. Hackers penetrate water system computers. http://blogs.abcnews.com/theblotter/2006/10/hackers_penetra.html, October 2006.
[8] BBC News. Colombia Rebels Blast Power Pylons. BBC, http://news.bbc.co.uk/2/hi/americas/607782.stm, January 2000.
[9] Jill Slay and Michael Miller. Lessons learned from the Maroochy water breach. In Critical Infrastructure Protection, volume 253/2007, pages 73–82. Springer Boston, November 2007.
[10] Paul Quinn-Judge. Cracks in the system. TIME Magazine, 9 January 2002.
[11] Thomas Reed. At the Abyss: An Insider's History of the Cold War. Presidio Press, March 2004.
[12] United States Attorney, Eastern District of California. Willows man arrested for hacking into Tehama Colusa Canal Authority computer system. http://www.usdoj.gov/usao/cae/press_releases/docs/2007/11-28-07KeehnInd.pdf, November 2007.
[13] United States Attorney, Eastern District of California. Sacramento man pleads guilty to attempting to shut down California's power grid. http://www.usdoj.gov/usao/cae/press_releases/docs/2007/12-14-07DenisonPlea.pdf, November 2007.
[14] David Kravets. Feds: Hacker disabled offshore oil platform leak-detection system. http://www.wired.com/threatlevel/2009/03/feds-hacker-dis/, March 2009.
[15] John Leyden. Polish teen derails tram after hacking train network. The Register, 11 January 2008.
[16] Andrew Greenberg. Hackers cut cities' power. Forbes, January 2008.
[17] V. M. Igure, S. A. Laughter, and R. D. Williams. Security issues in SCADA networks. Computers & Security, 25(7):498–506, 2006.
[18] P. Oman, E. Schweitzer, and D. Frincke. Concerns about intrusions into remotely accessible substation controllers and SCADA systems. In Proceedings of the Twenty-Seventh Annual Western Protective Relay Conference, volume 160. Citeseer, 2000.
[19] US-CERT. Control Systems Security Program. US Department of Homeland Security, http://www.us-cert.gov/control_systems/index.html, 2008.
[20] GAO. Critical infrastructure protection: Multiple efforts to secure control systems are under way, but challenges remain. Technical Report GAO-07-1036, Report to Congressional Requesters, September 2007.
[21] Jack Eisenhauer, Paget Donnelly, Mark Ellis, and Michael O'Brien. Roadmap to Secure Control Systems in the Energy Sector. Energetics Incorporated. Sponsored by the U.S. Department of Energy and the U.S. Department of Homeland Security, January 2006.
[22] Eric Byres and Justin Lowe. The myths and facts behind cyber security risks for industrial control systems. In Proceedings of the VDE Congress, VDE Association for Electrical, Electronic & Information Technologies, October 2004.
[23] D. Geer. Security of critical control systems sparks concern. Computer, 39(1):20–23, January 2006.
[24] A. A. Cardenas, T. Roosta, and S. Sastry. Rethinking security properties, threat models, and the design space in sensor networks: A case study in SCADA systems. Ad Hoc Networks, 2009.
[25] NERC-CIP. Critical Infrastructure Protection. North American Electric Reliability Corporation, http://www.nerc.com/cip.html, 2008.
[26] K. Stouffer, J. Falco, and K. Kent. Guide to supervisory control and data acquisition (SCADA) and industrial control systems security. SP 800-82, NIST, September 2006.
[27] Idaho National Laboratory. National SCADA Test Bed Program. http://www.inl.gov/scada.
[28] HART. WirelessHART whitepaper. http://www.hartcomm2.org/frontpage/wirelesshart.html, 2007.
[29] ISA. Wireless Systems for Automation. http://isa.org/isasp100, 2007.
[30] Eric Cosman. Patch management at Dow Chemical. In ARC Tenth Annual Forum on Manufacturing, February 20–24, 2006.
[31] Patch management strategies for the electric sector. Edison Electric Institute, IT Security Working Group, March 2004.
[32] Eric Byres, David Leversage, and Nate Kube. Security incidents and trends in SCADA and process industries. The Industrial Ethernet Book, 39(2):12–20, May 2007.
[33] Andrew K. Wright, John A. Kinast, and Joe McCarty. Low-latency cryptographic protection for SCADA communications. In Applied Cryptography and Network Security (ACNS), pages 263–277, 2004.
[34] Patrick P. Tsang and Sean W. Smith. YASIR: A low-latency high-integrity security retrofit for legacy SCADA systems. In 23rd International Information Security Conference (IFIP SEC), pages 445–459, September 2008.
[35] Steven Hurd, Rhett Smith, and Garrett Leischner. Tutorial: Security in electric utility control systems. In 61st Annual Conference for Protective Relay Engineers, pages 304–309, April 2008.
[36] Steven Cheung, Bruno Dutertre, Martin Fong, Ulf Lindqvist, Keith Skinner, and Alfonso Valdes. Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security Scientific Symposium, Miami Beach, FL, USA, 2007.
[37] P. A. S. Ralston, J. H. Graham, and J. L. Hieb. Cyber security risk assessment for SCADA and DCS networks. ISA Transactions, 46(4):583–594, 2007.
[38] P. A. Craig, J. Mortensen, and J. E. Dagle. Metrics for the National SCADA Test Bed Program. Technical Report PNNL-18031, Pacific Northwest National Laboratory (PNNL), Richland, WA, USA, 2008.
[39] G. Hamoud, R. L. Chen, and I. Bradley. Risk assessment of power systems SCADA. In IEEE Power Engineering Society General Meeting, 2003, volume 2, 2003.
[40] Yao Liu, Michael K. Reiter, and Peng Ning. False data injection attacks against state estimation in electric power grids. In CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 21–32, New York, NY, USA, 2009. ACM.
[41] Rakesh Bobba, Katherine M. Rogers, Qiyan Wang, Himanshu Khurana, Klara Nahrstedt, and Thomas J. Overbye. Detecting false data injection attacks on DC state estimation. In Preprints of the 1st Workshop on Secure Control Systems, 2010.
[42] Henrik Sandberg, André Teixeira, and Karl H. Johansson. On security indices for state estimators in power networks. In Preprints of the 1st Workshop on Secure Control Systems, 2010.
[43] Oliver Kosut, Liyan Jia, Robert J. Thomas, and Lang Tong. Malicious data attacks on smart grid state estimation: Attack strategies and countermeasures. In First International Conference on Smart Grid Communications (SmartGridComm), pages 220–225, 2010.
[44] Oliver Kosut, Liyan Jia, Robert J. Thomas, and Lang Tong. On malicious data attacks on power system state estimation. In UPEC, 2010.
[45] A. Teixeira, S. Amin, H. Sandberg, K. H. Johansson, and S. S. Sastry. Cyber-security analysis of state estimators in electric power systems. In IEEE Conference on Decision and Control (CDC), 2010.
[46] Le Xie, Yilin Mo, and Bruno Sinopoli. False data injection attacks in electricity markets. In First International Conference on Smart Grid Communications (SmartGridComm), pages 226–231, 2010.
[47] Yilin Mo and Bruno Sinopoli. False data injection attacks in control systems. In Preprints of the 1st Workshop on Secure Control Systems, 2010.
[48] Julian Rrushi. Composite Intrusion Detection in Process Control Networks. PhD thesis, Università degli Studi di Milano, 2009.
[49] N. L. Ricker. Model predictive control of a continuous, nonlinear, two-phase reactor. Journal of Process Control, 3(2):109–123, 1993.
[50] Dorothy Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13(2):222–232, February 1987.
[51] S. Joe Qin and Thomas A. Badgwell. A survey of industrial model predictive control technology. Control Engineering Practice, 11(7):733–764, July 2003.
[52] J. B. Rawlings. Tutorial overview of model predictive control. IEEE Control Systems Magazine, 20(3):38–52, June 2000.
[53] T. Kailath and H. V. Poor. Detection of stochastic processes. IEEE Transactions on Information Theory, 44(6):2230–2258, October 1998.
[54] A. Wald. Sequential Analysis. J. Wiley & Sons, New York, 1947.
[55] Jaeyeon Jung, Vern Paxson, Arthur Berger, and Hari Balakrishnan. Fast portscan detection using sequential hypothesis testing. In Proceedings of the 2004 IEEE Symposium on Security and Privacy, pages 211–225, May 2004.
[56] Stuart Schechter, Jaeyeon Jung, and Arthur Berger. Fast detection of scanning worm infections. In Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID), September 2004.
[57] M. Xie, H. Yin, and H. Wang. An effective defense against email spam laundering. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 179–190, October 30–November 3, 2006.
[58] Guofei Gu, Junjie Zhang, and Wenke Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), San Diego, CA, February 2008.
[59] B. E. Brodsky and B. S. Darkhovsky. Non-Parametric Methods in Change-Point Problems. Kluwer Academic Publishers, 1993.
Form Y04
Report on Attendance at an International Academic Conference Subsidized by the National Science Council, Executive Yuan
Date of report: November 30, 2011
Reporter: 沈宣佐
Affiliation and position: Institute of Computer Science and Engineering, National Chiao Tung University
Conference dates and venue: Nov 23–26, 2011, Beijing, China
NSC approval document number: (not given)
Conference name (Chinese): 第 13 屆資訊與通訊安全國際研討會
Conference name (English): The 13th International Conference on Information and Communications Security
Title of paper presented: Delegable Provable Data Possession for Remote Data in the Clouds
The report should cover the following items:
1. Conference proceedings
The conference accepted 33 papers in total, presented in 11 sessions: Digital Signatures, Network Security, Wireless Network Security, Security Applications, Cryptanalysis, Multimedia Security, Public Key Encryption, Cryptographic Protocols, Applied Cryptography, System Security, and Algorithms and Evaluation. Two keynote talks were scheduled. Professor Jianying Zhou spoke on "Beyond Basic Password Authentication in Web Applications", analyzing the strengths and weaknesses of current password-based authentication mechanisms and presenting an approach that combines a password, a smart card, and biometrics for authentication, giving web applications stronger security guarantees. Professor K. P. Chow spoke on "Computer Security and Forensics: Defense vs. Post-mortem", covering several characteristics of digital forensics, including that digital evidence is easy to copy, easy to modify, and hard to preserve, and using everyday examples to introduce the digital forensics workflow of collection, analysis, and presentation.
2. Reflections
The main purpose of this trip was to present our paper "Delegable Provable Data Possession for Remote Data in the Clouds". Between private remote data integrity verification and public remote data integrity verification, we propose a middle ground: delegable remote data integrity verification lets the user choose whom to authorize to verify the integrity of the data, which is better suited to environments with confidential data.
Summaries of several important papers from the conference:
1. Lightweight RFID Mutual Authentication Protocol against Feasible Problems
This paper uses the SQUASH method proposed by Shamir to reduce the computation needed for squaring and modular reduction, so that Rabin encryption can be carried out efficiently on an RFID tag, yielding a lightweight RFID mutual authentication scheme. Relying on the security of Rabin encryption, it can address the security problems of RFID systems: lightweight computation, desynchronization attacks, tag tracing, forward security, etc.
2. Ideal Secret Sharing Schemes with Share Selectability
Starting from Shamir secret sharing, this paper tackles the problem that shares must be redistributed when the secret is updated, and introduces the concept of share selectability: a share is independent of the secret and can be any value,