TY - GEN
T1 - Stealthy deception attacks against SCADA systems
AU - Kleinmann, Amit
AU - Amichay, Ori
AU - Wool, Avishai
AU - Tenenbaum, David
AU - Bar, Ofer
AU - Lev, Leonid
N1 - Publisher Copyright: © Springer International Publishing AG 2018.
PY - 2018
Y1 - 2018
N2 - SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta–data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator’s actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS’s state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system–wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.
AB - SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta–data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator’s actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS’s state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system–wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.
KW - ICS
KW - IDS
KW - NIDS
KW - SCADA
KW - Stealthy deception attacks
UR - http://www.scopus.com/inward/record.url?scp=85041529997&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-319-72817-9_7
DO - https://doi.org/10.1007/978-3-319-72817-9_7
M3 - منشور من مؤتمر
SN - 9783319728162
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 93
EP - 109
BT - Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers
A2 - Mylopoulos, John
A2 - Lambrinoudakis, Costas
A2 - Kalloniatis, Christos
A2 - Cuppens, Frederic
A2 - Cuppens, Nora
A2 - Anton, Annie
A2 - Katsikas, Sokratis K.
A2 - Gritzalis, Stefanos
T2 - 3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on R...
Y2 - 14 September 2017 through 15 September 2017
ER -