TY - JOUR
T1 - Using timing-based side channels for anomaly detection in industrial control systems
AU - Dunlap, Stephen
AU - Butts, Jonathan
AU - Lopez, Juan
AU - Rice, Mason
AU - Mullins, Barry
N1 - Publisher Copyright:
© 2016
PY - 2016/12/1
Y1 - 2016/12/1
N2 - The critical infrastructure, which includes the electric power grid, railroads and water treatment facilities, is dependent on the proper operation of industrial control systems. However, malware such as Stuxnet has demonstrated the ability to alter industrial control system parameters to create physical effects. Of particular concern is malware that targets embedded devices that monitor and control system functionality, while masking the actions from plant operators and security analysts. Indeed, system security relies on guarantees that the assurance of these devices can be maintained throughout their lifetimes. This paper presents a novel approach that uses timing-based side channel analysis to establish a unique device fingerprint that helps detect unauthorized modifications of the device. The approach is applied to an Allen Bradley ControlLogix programmable logic controller where execution time measurements are collected and analyzed by a custom anomaly detection system to detect abnormal behavior. The anomaly detection system achieves true positive rates of 0.978–1.000 with false positive rates of 0.033–0.044. The test results demonstrate the feasibility of using timing-based side channel analysis to detect anomalous behavior in programmable logic controllers.
AB - The critical infrastructure, which includes the electric power grid, railroads and water treatment facilities, is dependent on the proper operation of industrial control systems. However, malware such as Stuxnet has demonstrated the ability to alter industrial control system parameters to create physical effects. Of particular concern is malware that targets embedded devices that monitor and control system functionality, while masking the actions from plant operators and security analysts. Indeed, system security relies on guarantees that the assurance of these devices can be maintained throughout their lifetimes. This paper presents a novel approach that uses timing-based side channel analysis to establish a unique device fingerprint that helps detect unauthorized modifications of the device. The approach is applied to an Allen Bradley ControlLogix programmable logic controller where execution time measurements are collected and analyzed by a custom anomaly detection system to detect abnormal behavior. The anomaly detection system achieves true positive rates of 0.978–1.000 with false positive rates of 0.033–0.044. The test results demonstrate the feasibility of using timing-based side channel analysis to detect anomalous behavior in programmable logic controllers.
KW - Anomaly detection
KW - Modification attacks
KW - Programmable logic controllers
KW - Side channels
KW - industrial control systems
UR - http://www.scopus.com/inward/record.url?scp=84995600689&partnerID=8YFLogxK
U2 - 10.1016/j.ijcip.2016.07.003
DO - 10.1016/j.ijcip.2016.07.003
M3 - Article
AN - SCOPUS:84995600689
SN - 1874-5482
VL - 15
SP - 12
EP - 26
JO - International Journal of Critical Infrastructure Protection
JF - International Journal of Critical Infrastructure Protection
ER -