DOI: 10.1145/3433210.3453102
Research article

Scanning the Cycle: Timing-based Authentication on PLCs

Published: 04 June 2021

Abstract

Programmable Logic Controllers (PLCs) are a core component of an Industrial Control System (ICS). If a PLC is compromised, or the commands it sends across the network are spoofed, the consequences could be catastrophic. This work proposes a novel technique for authenticating PLCs that raises the bar against powerful attackers while remaining compatible with real-time systems. The technique captures timing information for each controller non-invasively. It is argued that the scan cycle is a unique feature of a PLC that can be approximated passively by observing network traffic; an attacker that spoofs commands issued by a PLC would deviate from such a timing fingerprint. To detect replay attacks, a PLC Watermarking technique is proposed that models the relation between the scan cycle and the control logic by expressing the PLC's input/output as a function of its request/response messages. The technique is validated on operational water treatment (SWaT) and smart grid (EPIC) testbeds. Experimental results indicate that PLCs can be distinguished by the timing characteristics of their scan cycles.
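To make the fingerprinting idea concrete, the following is an added illustration, not the paper's own code or estimator: it approximates a PLC's scan cycle from passively captured response-message timestamps (median inter-arrival time plus its median absolute deviation as the jitter measure), stores that as a per-controller fingerprint, and flags a later trace whose estimated period falls outside the fingerprint's tolerance. The PLC name, the tolerance factor `k`, the helper names and every timestamp are constructed assumptions; a real deployment would feed in timestamps from a network tap and tune the tolerance per controller.

```python
"""Added illustration of scan-cycle fingerprinting from passively captured
traffic timestamps. Not the paper's code; the estimator, thresholds, PLC
names and all timestamps below are constructed assumptions."""
import random
import statistics


def inter_arrival_times(timestamps):
    """Gaps (ms) between consecutive response messages seen on the wire."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def estimate_scan_cycle(timestamps):
    """Approximate the scan cycle as the median inter-arrival time, with the
    median absolute deviation (MAD) as a robust measure of jitter.
    Median/MAD are used so that a few delayed or dropped frames do not
    dominate the estimate the way they would with mean/stddev."""
    gaps = inter_arrival_times(timestamps)
    if len(gaps) < 10:
        raise ValueError("need at least 11 timestamps for a stable estimate")
    period = statistics.median(gaps)
    spread = statistics.median(abs(g - period) for g in gaps)
    return period, spread


def build_fingerprint(plc_name, timestamps):
    """Enrolment: record a controller's timing profile from a known-good capture."""
    period, spread = estimate_scan_cycle(timestamps)
    return {"plc": plc_name, "period_ms": period, "spread_ms": spread}


def matches_fingerprint(fingerprint, timestamps, k=5.0, floor_ms=0.05):
    """Verification: True if the trace's estimated period lies within k MADs
    of the enrolled period. floor_ms keeps the tolerance from collapsing to
    zero on an unusually clean enrolment capture."""
    period, _ = estimate_scan_cycle(timestamps)
    tolerance = k * max(fingerprint["spread_ms"], floor_ms)
    return abs(period - fingerprint["period_ms"]) <= tolerance


def synthetic_trace(period_ms, jitter_ms, count, seed):
    """Constructed response timestamps: a fixed period plus Gaussian jitter.
    Stands in for what a passive network tap would record (constructed data)."""
    rng = random.Random(seed)
    stamps, t = [], 0.0
    for _ in range(count):
        stamps.append(t)
        t += period_ms + rng.gauss(0.0, jitter_ms)
    return stamps


if __name__ == "__main__":
    # Enrol a hypothetical "PLC1" (constructed: 10 ms scan cycle, 0.2 ms jitter).
    fp = build_fingerprint("PLC1", synthetic_trace(10.0, 0.2, 200, seed=1))
    print(fp)
    # A later capture from the same controller should match ...
    print("genuine:", matches_fingerprint(fp, synthetic_trace(10.0, 0.2, 200, seed=2)))
    # ... while traffic paced by a different device's cycle should not.
    print("other device:", matches_fingerprint(fp, synthetic_trace(11.5, 0.2, 200, seed=3)))
```

The example only uses message arrival times; the paper's watermarking step additionally ties the request/response exchange to the control logic, which this snippet does not model. The tolerance factor is the parameter a defender trades off between false alarms under normal jitter and missed detections for a device whose cycle happens to lie close to the enrolled one.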


Cited By

  • (2024) Key Issues on Integrating 5G into Industrial Systems. Electronics 13(11):2048, 24 May 2024. https://doi.org/10.3390/electronics13112048
  • (2024) Identification of industrial devices based on payload. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1-9, 30 Jul 2024. https://doi.org/10.1145/3664476.3670462
  • (2023) PLCPrint: Fingerprinting Memory Attacks in Programmable Logic Controllers. IEEE Transactions on Information Forensics and Security 18:3376-3387, 1 Jan 2023. https://doi.org/10.1109/TIFS.2023.3277688
  • (2022) Take a Bite of the Reality Sandwich. Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 207-221, 16 May 2022. https://doi.org/10.1145/3507657.3528539
  • (2021) Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation. Cybersecurity 4(1), 2 Aug 2021. https://doi.org/10.1186/s42400-021-00095-5


Published In

ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
May 2021, 975 pages
ISBN: 9781450382878
DOI: 10.1145/3433210
General Chairs: Jiannong Cao, Man Ho Au
Program Chairs: Zhiqiang Lin, Moti Yung
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. ICS security
  2. PLC security
  3. SCADA security
  4. authentication
  5. programmable logic controllers
  6. scan cycle
  7. timing channel

Conference

ASIA CCS '21
Overall acceptance rate: 418 of 2,322 submissions, 18%
