Stealthy Deception Attacks Against SCADA Systems

Conference paper
Computer Security (SECPRE 2017, CyberICPS 2017)

Abstract

SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta-data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above-mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totally stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate.

We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

Correspondence to Amit Kleinmann.

Copyright information

© 2018 Springer International Publishing AG

Cite this paper

Kleinmann, A., Amichay, O., Wool, A., Tenenbaum, D., Bar, O., Lev, L. (2018). Stealthy Deception Attacks Against SCADA Systems. In: Katsikas, S., et al. (eds.) Computer Security. SECPRE 2017, CyberICPS 2017. Lecture Notes in Computer Science, vol 10683. Springer, Cham. https://doi.org/10.1007/978-3-319-72817-9_7

  • DOI: https://doi.org/10.1007/978-3-319-72817-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72816-2

  • Online ISBN: 978-3-319-72817-9

  • eBook Packages: Computer Science (R0)