7 January 2021
Critical infrastructure becomes a strategic target in the midst of a cyber-war. Challenges in securing critical infrastructure are different as compared with conventional IT systems, especially in terms of consequences in case of a security lapse. Those attacks might result in damage to the physical property or severely affecting people’s living as in the incident of nationwide blackout in Ukraine. Governments are investing significantly in response to the risks and challenges while researchers and vendors are aggressively developing and marketing new technologies aimed at protecting critical infrastructure.
Prof. Jianying Zhou is co-center director for iTrust which is a Cyber Security Research Center in SUTD with the mission to advance the state of the art and practice in the design of secure complex interconnected critical infrastructure and to improve the understanding of cyber threats to Cyber-Physical Systems (CPS). iTrust also hosts the National Satellite of Excellence program in Design Science and Technology for Secure Critical Infrastructure (DeST-SCI). The security technologies developed in iTrust are being evaluated against and demonstrated in the fully operational CPS testbeds including SWaT (Secure Water Treatment), WADI (Water Distribution), and EPIC (Electric Power and Intelligent Control). The current focus of research in iTrust is mainly in the domains of water, energy and transportation. The new initiative also includes maritime cybersecurity to provide a guideline for maritime authorities and shipping lines regarding the cyber risk management of shipboard OT (Operational Technology) systems.
Prof. Zhou has been leading a couple of research projects for securing critical infrastructure. The team has developed several novel technologies for preventing and detecting attacks to CPS, by taking the OT-centric approach, in order to improve the robustness and resilience of CPS.
Authentication for CPS
The advances in communication technologies help to better monitor and operate CPS, but this connectivity also exposes physical processes to malicious entities on the cyber and physical domains. In a CPS all major entities need to authenticate each other as most systems work autonomously, it is not enough to authenticate a human operator as was the case in a typical IT system. On the other hand, there are hard computational constraints on most of the processes and devices in a CPS.
A couple of authentication technologies have been developed to address unique challenges in CPS, which can be used to authenticate sensors [2,3], PLC control logics [6,10], physical processes [2,3,8], as well as messages being transmitted in CPS [9] and external requests to access devices in CPS [1].
NoisePrint [2] is a technology which can be used to authenticate sensors and physical processes in CPS with high accuracy in a non-intrusive fashion. It extracts noise fingerprint from two sources: 1) sensor noise from the device manufacturing imperfections, and 2) process noise from the physical process of a CPS. When the sensor or process is under attack (e.g. data spoofing), their noise patterns will deviate from the fingerprinted patterns thus leading to authentication failure.
PAtt [6] is a technology which can authenticate PLC code remotely by leveraging operation permutations that do not affect the physical process but yield unique traces of sensor readings during execution. By encoding integrity measurements of the PLC’s memory state (software and data) into its control operation, PAtt can remotely verify the integrity of the control logic based on the resulting sensor traces without trusted hardware. It is resilient against replay attacks which provide the sensor reading from a sensor record table.
HD2FA [1] is a technology which uses historical data as a new 2nd authentication factor to enhance authentication of requests for accessing essential devices (e.g. PLCs) in CPS. HD2FA is lightweight and supports M2M communication. The historical data generated by a CPS device will be sent to the historian server. The CPS device does not need to store those historical data for verification of the 2nd authentication factor. Without holding the whole historical dataset, it is hard for attackers to break the 2nd authentication factor.
Security Testing for CPS
Cyber attacks to CPS might cause irreparable harm to the people and society. However, running security tests on mission-critical systems brings unacceptable risks, and maintaining testing environments in CPS is highly expensive. Model-based approaches will help to address such challenges by keeping the risk associated with testing low.
A couple of model-based security testing technologies have been developed to address unique challenges in CPS. Those security testing tools can be used to understand 1) how attacker’s actions will propagate from cyber domain till it reaches the physical domain [4], 2) what are the most critical components in a CPS [4], and 3) how to measure the impact that an attack might cause to a CPS [5].
White-box Testing [4] provides a white-box modelling tool to automatically generate a data flow graph extracted from the PLC code which will highlight interactions among internal entities in a CPS. The reachability analysis using the data flow graph can identify what are the most critical components (e.g. sensors) being the source of attacks and what are the most critical components (e.g. actuators) being the target of attacks. It can further identify the hidden paths that can be exploited by an attacker.
Black-box Testing [5] provides a black-box modelling tool to predict future behaviors of a CPS and detect behaviors that diverge from expected. It has two components: HybModeller and HybMonitor. HybModeller uses historical data (from plant historian) and creates a hybrid model of the normal behavior of the system. HybMonitor uses the system’s models and predicts ‘normal’ behavior of the system under test. It reads the actual state of the system, identifies the operational mode and predicts transitions of control strategy based on prior knowledge. It can further evaluate attack impacts to CPS and resilience of the system using the metrics of time-to-critical-state. The advantage of black-box security testing is that it can model CPS without the controllers’ source code and requires minimal initial configuration to build model automatically.
Impact of Research
The research being conducted is aimed for addressing the real-world cyber security issues in order to protect critical infrastructure. Most of the technologies being developed by the team have been filed for patent. The research received recognition in the academic community, and Prof. Zhou won the European Symposium on Research in Computer Security (ESORICS) Outstanding Contribution Award in 2020.
The team also seeks collaboration with government agencies and industry to explore the opportunities for technology translation. For more details about the research on securing critical infrastructure and for research collaboration, please contact Prof. Jianying Zhou at jianying_zhou@sutd.edu.sg.
References:
- HD2FA: Scalable Two-factor Authentication using Historical Data [ESORICS’16] [US Patent 10230532]
- NoisePrint: Attack Detection using Sensor and Process Noise Fingerprint in Cyber Physical Systems [ACM AsiaCCS’18]
- Noise Matters: Using Sensor and Process Noise Fingerprint to Detect Stealthy Cyber Attacks and Authenticate Sensors in CPS [ACSAC’18]
- White-box Testing: Finding Dependencies between Cyber-Physical Domains for Security Testing of Industrial Control Systems [ACSAC’18]
- Black-box Testing: A Modular Hybrid Learning Approach for Black-Box Security Testing of CPS [ACNS’19] [PCT/SG2020/050271]
- PAtt: Physics-based Attestation of Control Systems [RAID’19]
- PoA: Proof of Aliveness [ACSAC’19] [PCT/SG2020/050619]
- Process Skew: Fingerprinting the Process for Anomaly Detection in Industrial Control Systems [WiSec’20] [SG/10202005543S]
- LiS: Lightweight Signature Schemes for Continuous Message Authentication in Cyber-Physical Systems [ACM AsiaCCS’20] [SG/10202009762T]
- Scanning the Cycle: Timing-based Authentication on PLCs [SG/10202006737U]