National security experts have long sounded the alarm that industrial control systems (ICS) used in chemical plants and other major parts of the U.S. infrastructure are vulnerable to cyber attacks.
Now, researchers from the Georgia Institute of Technology are exploring ways to use unique electronic “fingerprints” produced by devices on networked industrial control systems to determine which signals are legitimate and which signals might be from attackers.
To develop the device fingerprints, the researchers built computer models to understand how the devices operate. Information came from “black box” techniques, i.e., observing the information that goes into and out of the system, and “white box” techniques that use schematics or physical access to the systems.
After evaluating the fingerprinting methods using real-world datasets and controlled lab experiments, they reported fingerprint classification of up to 99% accuracy. The techniques exhibited resistance to simple forgery attacks and could feasibly be implemented alongside more traditional solutions to augment the security of critical networks, the researchers said.
While device fingerprinting isn’t a complete solution in itself, it could help address the security challenges of cyber-physical systems, according to the researchers. The approach has been successfully tested in two electrical substations and the researchers plan to examine its application in other protocols.
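As an added illustration of the “black box” idea described above (example code written for this page, not the Georgia Tech researchers' code; the article does not say which signal features their fingerprints use), the sketch below assumes response latency is the fingerprint feature: it learns a per-device timing profile from passively observed traffic, then flags messages whose timing does not match the device they claim to come from.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training observations: (claimed device id, response latency in ms),
# as a passive monitor would record them from request/response pairs on the
# control network. Values are invented for illustration.
TRAINING = [
    ("plc-1", 2.0), ("plc-1", 2.2), ("plc-1", 2.1), ("plc-1", 1.9), ("plc-1", 2.3),
    ("rtu-2", 15.0), ("rtu-2", 15.4), ("rtu-2", 14.8), ("rtu-2", 15.2), ("rtu-2", 15.6),
]

def build_profiles(samples, min_sigma=0.05):
    """Learn a (mean, stdev) latency fingerprint per device from passive samples.
    min_sigma stops a device with constant latency from rejecting everything."""
    by_dev = defaultdict(list)
    for dev, latency in samples:
        by_dev[dev].append(latency)
    return {dev: (mean(v), max(pstdev(v), min_sigma)) for dev, v in by_dev.items()}

def z_score(profile, latency):
    """Distance of a latency from a profile, in standard deviations."""
    mu, sigma = profile
    return abs(latency - mu) / sigma

def classify(profiles, latency, max_z=3.0):
    """Name the device whose fingerprint best explains a latency, or None if
    it is more than max_z standard deviations from every known device."""
    best = min(profiles, key=lambda dev: z_score(profiles[dev], latency))
    return best if z_score(profiles[best], latency) <= max_z else None

def verify(profiles, claimed_dev, latency, max_z=3.0):
    """True if a message claiming to come from claimed_dev has a latency
    consistent with that device's learned fingerprint."""
    if claimed_dev not in profiles:
        return False
    return z_score(profiles[claimed_dev], latency) <= max_z

def screen(profiles, traffic, max_z=3.0):
    """Run verify() over (claimed device, latency) pairs; return the indices of
    messages whose timing does not match the device they claim to be."""
    return [i for i, (dev, lat) in enumerate(traffic)
            if not verify(profiles, dev, lat, max_z)]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    # Constructed live traffic: the third message claims to be plc-1 but answers
    # far faster than the real PLC ever does, so it is reported for investigation.
    live = [("plc-1", 2.2), ("rtu-2", 15.3), ("plc-1", 0.4)]
    print(screen(profiles, live))  # [2]
```

A deployed fingerprint would combine several features and a proper classifier; a single timing statistic is only the simplest form of the approach.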
Industrial network systems tend to be difficult to secure physically, often rely on aging equipment that cannot run modern encryption and authentication systems, and, if attacked, can suffer catastrophic physical damage at chemical plants, electrical grids, manufacturing facilities, wastewater treatment plants, refineries and other industrial sites.
“For many industrial control systems, it’s not a matter of if an intrusion will take place, but when,” the Department of Homeland Security (DHS) warned in a report on the issue, adding that cyber intrusions into U.S. critical infrastructure systems are happening with increased frequency.
In fiscal year 2015, there were 295 such incidents reported to the DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which noted that “many more” went unreported or undetected.
“The capabilities of our adversaries have been demonstrated,” the DHS report continued. “Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary.”
Unlike many other critical infrastructure sectors, the federal government regulates cybersecurity for the chemical sector, according to the American Chemistry Council, which participates in select efforts with the Chemical Sector Coordinating Council and DHS.
Under the Chemical Facility Anti-Terrorism Standards (CFATS), chemical facilities must meet comprehensive requirements that address the protection of business networks and process control systems. CFATS identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with their chemicals.
DHS released an interim final rule that imposes comprehensive federal security regulations for high-risk chemical facilities in possession of specific quantities of specific chemicals of interest.
This rule establishes risk-based performance standards and requires covered chemical facilities to prepare Security Vulnerability Assessments (SVAs), which identify facility security vulnerabilities, and to develop and implement Site Security Plans, which include measures that satisfy the identified risk-based performance standards.
Meanwhile, DHS presented seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems (the percentages indicate the share of reported incidents that each strategy could potentially have mitigated):
· Implement Application Whitelisting (38%)
· Ensure Proper Configuration/Patch Management (29%)
· Reduce Your Attack Surface Area (17%)
· Build a Defendable Environment (9%)
· Manage Authentication (4%)
· Monitor and Respond (2%)
· Implement Secure Remote Access (1%)
“The stakes are extremely high, but the systems are very different from home or office computer networks,” Raheem Beyah, an associate professor in the School of Electrical and Computer Engineering at Georgia Tech, said. “It is critical that we secure these systems against attackers who may introduce false data or issue malicious commands.”
Beyah added that the research program, partially funded by a grant from the National Science Foundation, is the first that passively fingerprints different devices that are part of critical infrastructure networks.
For future work, the Georgia Tech group said it plans to improve on its “white box” modeling, extend the methods to fingerprinting embedded devices in the “Internet of Things,” and also investigate the possibility of developing active fingerprinting techniques to increase classification accuracy.