Hide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems

dc.contributor.authorGiraldo, Jairo
dc.contributor.authorUrbina, David
dc.contributor.authorCardenas, A. A.
dc.contributor.authorTippenhauer, N. O.
dc.contributor.utdAuthorGiraldo, Jairo
dc.contributor.utdAuthorUrbina, David
dc.descriptionDue to copyright restrictions and/or publisher's policy full text access from Treasures at UT Dallas is limited to current UTD affiliates (use the provided Link to Article).
dc.description.abstractIn the past years we have seen an emerging field of research focusing on using the “physics” of a Cyber-Physical System to detect attacks. In its basic form, a security monitor is deployed somewhere in the industrial control network, observes a time-series of the operation of the system, and identifies anomalies in those measurements in order to detect potentially manipulated control commands or manipulated sensor readings. While there is a growing literature on detection mechanisms in that research direction, the problem of where to monitor the physical behavior of the system has received less attention. In this paper, we analyze the problem of where should we monitor these systems, and what attacks can and cannot be detected depending on the location of this network monitor. The location of the monitor is particularly important, because an attacker can bypass attack-detection by lying in some network interfaces while reporting that everything is normal in the others. Our paper is the first detailed study of what can and cannot be detected based on the devices an attacker has compromised and where we monitor our network. We show that there are locations that maximize our visibility against such attacks. Based on our analysis, we design a low-level security monitor that is able to directly observe the field communication between sensors, actuators, and Programmable Logic Controllers (PLCs). We implement that security monitor in a realistic testbed, and demonstrate that it can detect attacks that would otherwise be undetected at the supervisory network. © Springer Nature Switzerland AG 2019.
dc.description.departmentErik Jonsson School of Engineering and Computer Science
dc.description.sponsorshipNational Science Foundation with award number CNS-1718848, by the National Institute of Standards and Technology with award number 70NANB17H282, and by the Air Force Research Laboratory under agreement number FA8750-19-2-0010.
dc.identifier.bibliographicCitationGiraldo, J., D. Urbina, A. A. Cardenas, and N. O. Tippenhauer. 2019. "Hide and seek: An architecture for improving attack-visibility in industrial control systems." Lecture Notes In Computer Science 11464: 175-195, doi: 10.1007/978-3-030-21568-2_9
dc.publisherSpringer Verlag
dc.relation.isPartOf">Lecture Notes In Computer Science
dc.rights©2019 Springer Nature Switzerland AG
dc.sourceInternational Conference on Applied Cryptography and Network Security
dc.subjectEmbedded computer systems
dc.subjectProgrammable logic devices
dc.subjectComputer networks—Security measures
dc.titleHide and Seek: An Architecture for Improving Attack-Visibility in Industrial Control Systems


Original bundle

Now showing 1 - 1 of 1
Thumbnail Image
182.93 KB
Adobe Portable Document Format
Link to Article