Written by Martin Ochoa on July 31, 2019
Our Black Hat Talk: Fingerprinting sensors to detect data integrity attacks on cyber physical systems
Detecting attacks executed in both the physical and cyber domains.
A data integrity attack against a cyber physical system, such as the smart grid or implantable medical devices, can have catastrophic consequences, including the loss of life. It’s imperative that we protect these systems. Doing so, however, presents a unique challenge: the need to detect attacks executed in both the physical and cyber domains.
Cyber physical systems (CPS) are becoming more common as connectivity helps improve the monitoring and operation of a physical process. Increasingly, CPSes are being used in autonomous vehicles, water treatment plants, and the like. Unfortunately, connectivity also increases the risk of a data integrity attack.
A CPS is composed of a set of actuators, sensors, controllers, and communication networks. The sensors serve as a bridge between the physical and cyber domains. Sensor data is transmitted to a programmable logic controller (PLC) to take an appropriate action based on the sensor measurement. Sensor data can be attacked or spoofed in either the physical or cyber domain. What’s more, an attack executed in the cyber domain can have life-threatening consequences in the physical world.
Security researchers have studied data integrity attacks, such as false data injection, replay attacks, and stealthy attacks, and their impact on sensor measurements. Researchers have also proposed attack detection methods based on system models and statistical fault detectors. But fault detectors have their limitations. Attacks on sensor measurements can be launched by analog spoofing or by tampering with the communication channel between a sensor and a controller by means of a man-in-the-middle attack.
In a traditional IT environment, an intrusion detection system (IDS) monitors a communication network or a computing host to detect attacks. However, a legacy IDS might not detect the physical tampering of a sensor or sensor spoofing in the physical domain. In legacy computer security, the focus is on data confidentiality. In the case of CPS, our focus must be on data integrity and trustworthiness.
At Black Hat, we’ll share the results of the research, performed in collaboration with the iTrust Research Center at the Singapore University of Technology and Design, that establishes a device identification framework and demonstrates how it can detect a range of attacks against sensors. Our proposed attack detection framework improves on the limitations of model-based attack detection schemes.
Manufacturing imperfections in the sensors and the unique features of a physical process cause each sensor to produce a unique noise—fingerprints, if you will. A data injection attack against a sensor causes deviations from this fingerprint. We developed a system-model-based approach that builds a sensor’s fingerprint during the system’s normal operation, and we propose a scheme to detect the anomalies that arise during an attack.
Our research details the experiments we performed on a dataset from a real-world water treatment (SWaT) facility. We executed a class of stealthy attacks against the proposed scheme and then carried out extensive security analysis. We found that a range of sensors can be uniquely identified with an accuracy as high as 99%.
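As an added illustration of the two paragraphs above (example code written for this page, not code from the talk or the SWaT dataset), the Python sketch below runs the idea on a constructed tank-level process: a system model predicts each reading, the residual isolates the sensor noise, the residual statistics form the fingerprint, and a spoofed window whose noise does not match is flagged even though its values stay within the normal operating range. The process constants, noise levels, thresholds and sensor names are assumptions.

```python
import random
import statistics

# Constructed toy process (not from the talk): a tank whose level rises with a
# constant inflow and drains in proportion to the current level.
DRAIN, INFLOW = 0.05, 2.0

def simulate(n, noise_std, rng, level0=40.0):
    """Tank-level readings over n steps. noise_std stands in for the sensor's
    manufacturing imperfections that the fingerprint captures."""
    x, meas = level0, []
    for _ in range(n):
        x = x + INFLOW - DRAIN * x
        meas.append(x + rng.gauss(0.0, noise_std))
    return meas

def residuals(meas):
    """Reading minus the model's one-step prediction; this isolates sensor noise."""
    return [meas[t] - (meas[t - 1] + INFLOW - DRAIN * meas[t - 1])
            for t in range(1, len(meas))]

def fingerprint(meas):
    """Noise profile learned during normal operation: residual mean and std."""
    r = residuals(meas)
    return {"mean": statistics.fmean(r), "std": statistics.pstdev(r)}

def matches(fp, meas, z_max=4.0, std_tol=0.25):
    """True if a window's residual mean and std agree with the fingerprint."""
    r = residuals(meas)
    z = abs(statistics.fmean(r) - fp["mean"]) / (fp["std"] / len(r) ** 0.5)
    ratio = statistics.pstdev(r) / fp["std"]
    return z <= z_max and abs(ratio - 1.0) <= std_tol

def identify(fps, meas):
    """Attribute a window to the enrolled sensor whose noise std is closest."""
    s = statistics.pstdev(residuals(meas))
    return min(fps, key=lambda name: abs(fps[name]["std"] - s))

def demo():
    rng = random.Random(7)
    fp_a = fingerprint(simulate(2000, 0.5, rng))   # enroll sensor A
    fp_b = fingerprint(simulate(2000, 0.9, rng))   # enroll sensor B
    benign = simulate(300, 0.5, rng)               # genuine sensor A window
    # Stealthy spoof: tracks the process (passes range checks) but carries the
    # attacker's noise profile instead of sensor A's.
    spoofed = simulate(300, 0.15, rng)
    return {"benign_ok": matches(fp_a, benign),
            "spoof_flagged": not matches(fp_a, spoofed),
            "benign_id": identify({"A": fp_a, "B": fp_b}, benign)}
```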
While the physical domain introduces security challenges, an understanding of the physics of the process can help secure a CPS. Our session at Black Hat will dig deeper into our research and demonstrate how we can better protect our vital systems, whether they be the smart grid, autonomous vehicles, or, as in the case of implantable medical devices, our very selves.