Abstract
Industrial Control Systems (ICSs) rely on insecure protocols and devices to monitor and operate critical infrastructure. Prior work has demonstrated that powerful attackers with detailed system knowledge can manipulate exchanged sensor data to degrade the performance of the process, even leading to full shutdowns of plants. Identifying those attacks requires iterating over all possible sensor values and running detailed system simulation or analysis to identify optimal attacks. That setup allows adversaries to identify attacks that are most impactful when applied to the system for the first time, before the system operators become aware of the manipulations.
In this work, we investigate whether constrained attackers without detailed system knowledge and simulators can identify comparable attacks. In particular, the attacker only requires abstract knowledge of the general information flow in the plant, instead of precise algorithms, operating parameters, process models, or simulators. We propose an approach that allows single-shot attacks, i.e., near-optimal attacks that reliably shut down a system on the first try. The approach is applied and validated on two use cases, and is demonstrated to achieve results comparable to prior work, which relied on detailed system information and simulations.
The full version of this paper can be found at https://arxiv.org/abs/2204.09106.
Notes
1. Simulation and results available at https://gitlab.com/eastman_tennessee/larsson.
2. Simulation and results available at https://gitlab.com/eastman_tennessee/luyben.
© 2022 Springer Nature Switzerland AG
Cite this paper
Esquivel-Vargas, H., Castellanos, J.H., Caselli, M., Tippenhauer, N.O., Peter, A. (2022). Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_9
DOI: https://doi.org/10.1007/978-3-031-09234-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09233-6
Online ISBN: 978-3-031-09234-3
eBook Packages: Computer Science (R0)