Using timing-based side channels for anomaly detection in industrial control systems

Stephen Dunlap, Jonathan Butts, Juan Lopez, Mason Rice, Barry Mullins

Research output: Contribution to journalArticlepeer-review

26 Scopus citations

Abstract

The critical infrastructure, which includes the electric power grid, railroads and water treatment facilities, is dependent on the proper operation of industrial control systems. However, malware such as Stuxnet has demonstrated the ability to alter industrial control system parameters to create physical effects. Of particular concern is malware that targets embedded devices that monitor and control system functionality, while masking the actions from plant operators and security analysts. Indeed, system security relies on guarantees that the assurance of these devices can be maintained throughout their lifetimes. This paper presents a novel approach that uses timing-based side channel analysis to establish a unique device fingerprint that helps detect unauthorized modifications of the device. The approach is applied to an Allen Bradley ControlLogix programmable logic controller where execution time measurements are collected and analyzed by a custom anomaly detection system to detect abnormal behavior. The anomaly detection system achieves true positive rates of 0.978–1.000 with false positive rates of 0.033–0.044. The test results demonstrate the feasibility of using timing-based side channel analysis to detect anomalous behavior in programmable logic controllers.

Original languageEnglish
Pages (from-to)12-26
Number of pages15
JournalInternational Journal of Critical Infrastructure Protection
Volume15
DOIs
StatePublished - Dec 1 2016
Externally publishedYes

Keywords

  • Anomaly detection
  • Modification attacks
  • Programmable logic controllers
  • Side channels
  • industrial control systems

Fingerprint

Dive into the research topics of 'Using timing-based side channels for anomaly detection in industrial control systems'. Together they form a unique fingerprint.

Cite this