
    Stealthy Deception Attacks Against SCADA Systems

    SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta-data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totally stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.
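    The following is an added illustration of the blind spot the abstract describes; it is not the authors' tool, and the IAML rule language is not reproduced. It assumes Modbus/TCP framing (MBAP header plus PDU) and constructs its own frames. An in-path rewrite inverts the bits of the attacked coils in the PLC's Read Coils reply and inverts the value of the operator's Write Single Coil command, so the HMI shows exactly what the operator asked for while the PLC does the opposite. The tuple a meta-data detector computes (frame size, declared length, function code, transaction id, arrival time) is identical before and after the rewrite, and every value on the wire is still a legal coil state.

```python
import struct

# Minimal Modbus/TCP framing: MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU. Every frame here is constructed for this example;
# nothing below is a capture from the paper's test lab.
MBAP = struct.Struct(">HHHB")
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05


def build_read_coils_response(tid, unit, coil_bitmap):
    """PLC -> HMI reply: function code, byte count, packed coil bits."""
    pdu = bytes([FC_READ_COILS, len(coil_bitmap)]) + coil_bitmap
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single_coil(tid, unit, address, on):
    """HMI -> PLC command: 0xFF00 switches the coil on, 0x0000 switches it off."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def metadata_features(frame, arrival_time):
    """Everything a meta-data detector keys on: frame size, declared length,
    function code, transaction id (position in the command sequence), timing."""
    tid, _proto, length, _unit = MBAP.unpack_from(frame)
    return (len(frame), length, frame[7], tid, round(arrival_time, 3))


def rewrite_frame(frame, attacked_coils):
    """In-path semantic rewrite for the coils in `attacked_coils`: the bits reported
    to the HMI are inverted, and the value the operator writes is inverted before
    it reaches the PLC. Header, function code and byte count are untouched, so
    neither the frame length nor its place in the command sequence changes."""
    fc = frame[7]
    if fc == FC_READ_COILS:
        byte_count = frame[8]
        bits = bytearray(frame[9:9 + byte_count])
        for coil in attacked_coils:
            byte_i, bit_i = divmod(coil, 8)
            if byte_i < byte_count:
                bits[byte_i] ^= 1 << bit_i
        return frame[:9] + bytes(bits) + frame[9 + byte_count:]
    if fc == FC_WRITE_SINGLE_COIL:
        address, value = struct.unpack_from(">HH", frame, 8)
        if address in attacked_coils:
            value = 0x0000 if value == 0xFF00 else 0xFF00
            return frame[:8] + struct.pack(">HH", address, value)
    return frame


def demo():
    attacked = {0}
    # Operator switches coil 0 off; the PLC receives "on" instead.
    cmd = build_write_single_coil(tid=8, unit=1, address=0, on=False)
    cmd_on_wire = rewrite_frame(cmd, attacked)
    # PLC truthfully reports coils 0 and 2 on (0b101); the HMI is shown coil 0 off.
    reply = build_read_coils_response(tid=9, unit=1, coil_bitmap=b"\x05")
    reply_on_wire = rewrite_frame(reply, attacked)
    return {
        "command_features_equal": metadata_features(cmd, 0.50) == metadata_features(cmd_on_wire, 0.50),
        "reply_features_equal": metadata_features(reply, 0.75) == metadata_features(reply_on_wire, 0.75),
        "plc_received_on": cmd_on_wire[-2:] == b"\xff\x00",
        "hmi_sees_bitmap": reply_on_wire[9],
    }


if __name__ == "__main__":
    print(demo())
```

    Note that the PLC echoes a Write Single Coil request back to the HMI; a man-in-the-middle that wants the view to stay consistent has to run the same inversion over that echo, which the function above handles because the echo carries the same function code and layout. The only artefact that differs between the honest and the rewritten stream is the payload semantics, which is exactly what size-, timing- and sequence-based detectors do not model.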

    Stability analysis of token-based wireless networked control systems under deception attacks

    Currently, cyber-security has attracted a lot of attention, in particular in wireless industrial control networks (WICNs). In this paper, the stability of wireless networked control systems (WNCSs) under deception attacks is studied with a token-based protocol applied to the data link layer (DLL) of WICNs. Since deception attacks cause the stability problem of WNCSs by changing the data transmitted over a wireless network, it is important to detect deception attacks, discard the injected false data and compensate for the missing data (i.e., the discarded original data with the injected false data). The main contributions of this paper are: 1) With respect to the character of the token-based protocol, a switched system model is developed. Different from the traditional switched system where the number of subsystems is fixed, in our new model this number will be changed under deception attacks. 2) For this model, a new Kalman filter (KF) is developed for the purpose of attack detection and the missing data reconstruction. 3) For the given linear feedback WNCSs, when the noise level is below a threshold derived in this paper, the maximum allowable duration of deception attacks is obtained to maintain the exponential stability of the system. Finally, a numerical example based on a linearized model of an inverted pendulum is provided to demonstrate the proposed design.

    Robustness of Defenses against Deception Attacks


    Quadratic estimation for stochastic systems in the presence of random parameter matrices, time-correlated additive noise and deception attacks

    This research was supported by the "Ministerio de Ciencia e Innovación, Agencia Estatal de Investigación" of Spain and the European Regional Development Fund [grant number PID2021-124486NB-I00].

    Networked systems usually face different random uncertainties that make the performance of the least-squares (LS) linear filter decline significantly. For this reason, great attention has been paid to the search for other kinds of suboptimal estimators. Among them, the LS quadratic estimation approach has attracted considerable interest in the scientific community for its balance between computational complexity and estimation accuracy. When it comes to stochastic systems subject to different random uncertainties and deception attacks, the quadratic estimator design has not been deeply studied. In this paper, using covariance information, the LS quadratic filtering and fixed-point smoothing problems are addressed under the assumption that the measurements are perturbed by a time-correlated additive noise, as well as affected by random parameter matrices and exposed to random deception attacks. The use of random parameter matrices covers a wide range of common uncertainties and random failures, thus better reflecting the engineering reality. The signal and observation vectors are augmented by stacking the original vectors with their second-order Kronecker powers; then, the linear estimator of the original signal based on the augmented observations provides the required quadratic estimator. A simulation example illustrates the superiority of the proposed quadratic estimators over the conventional linear ones and the effect of the deception attacks on the estimation performance.

    Detection of replay attacks in cyber-physical systems using a frequency-based signature

    This paper proposes a frequency-based approach for the detection of replay attacks affecting cyber-physical systems (CPS). In particular, the method injects a sinusoidal signal with a time-varying frequency (authentication signal) into the closed-loop system and checks whether the time profile of the frequency components in the output signal is compatible with the authentication signal or not. In order to carry out this target, the couplings between inputs and outputs are eliminated using a dynamic decoupling technique based on vector fitting. In this way, a signature introduced on a specific input channel will affect only the output that is selected to be associated with that input, which is a property that can be exploited to determine which channels are being affected. A bank of band-pass filters is used to generate signals whose energies can be compared to reconstruct an estimation of the time-varying frequency profile. By matching the known frequency profile with its estimation, the detector can provide the information about whether a replay attack is being carried out or not. The design of the signal generator and the detector are thoroughly discussed, and an example based on a quadruple-tank process is used to show the application and effectiveness of the proposed method.
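    The following is an added, single-channel illustration of the detection idea; it is not the authors' code and omits their vector-fitting decoupling, which only matters once several input/output channels are coupled. It assumes a stable first-order plant in place of the quadruple-tank loop, a filter bank realised as Goertzel energy bins (one band-pass bin per candidate frequency), and two constructed frequency schedules: the one in force now and the one that was in force when an attacker recorded the output. Replaying that recording reproduces the old profile, and the detector sees the mismatch even though the replayed samples are perfectly plausible plant output.

```python
import math
import random

# Constructed parameters (assumptions for this example, not values from the paper).
WINDOW = 200                          # samples per frequency step of the authentication signal
FREQS = [0.05, 0.10, 0.15, 0.20]      # filter-bank bins in cycles/sample; each is an integer
                                      # number of cycles per window, so the bins do not leak
A_PLANT, B_PLANT = 0.9, 0.1           # stable first-order plant y[k+1] = a*y[k] + b*u[k]
NOISE = 0.01                          # process and measurement noise level
SCHEDULE_NOW = [0.05, 0.10, 0.15, 0.20]   # frequency profile the detector expects today
SCHEDULE_OLD = [0.20, 0.15, 0.10, 0.05]   # profile that was active when the attacker recorded


def goertzel_energy(x, f):
    """Energy of x at normalized frequency f: one band-pass bin of the filter bank."""
    coeff = 2.0 * math.cos(2.0 * math.pi * f)
    s1 = s2 = 0.0
    for v in x:
        s0 = v + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def run_plant(schedule, seed):
    """Drive the plant with the authentication sinusoid stepping through `schedule`
    and return the noisy measured output, i.e. what an attacker could record."""
    rng = random.Random(seed)
    y, output = 0.0, []
    for f in schedule:
        for n in range(WINDOW):
            u = math.sin(2.0 * math.pi * f * n) + NOISE * rng.gauss(0.0, 1.0)
            y = A_PLANT * y + B_PLANT * u
            output.append(y + NOISE * rng.gauss(0.0, 1.0))
    return output


def estimate_profile(output):
    """Per window, the bin with the largest energy: the frequency profile that is
    actually present in the signal the detector receives."""
    profile = []
    for w in range(len(output) // WINDOW):
        segment = output[w * WINDOW:(w + 1) * WINDOW]
        profile.append(max(FREQS, key=lambda f: goertzel_energy(segment, f)))
    return profile


def replay_detected(expected_schedule, output):
    """Alarm when the estimated profile disagrees with the schedule in force."""
    return estimate_profile(output) != list(expected_schedule)


def demo():
    honest = run_plant(SCHEDULE_NOW, seed=1)
    recording = run_plant(SCHEDULE_OLD, seed=0)   # captured earlier, replayed now
    return {
        "honest_alarm": replay_detected(SCHEDULE_NOW, honest),
        "replay_alarm": replay_detected(SCHEDULE_NOW, recording),
        "replayed_profile": estimate_profile(recording),
    }


if __name__ == "__main__":
    print(demo())
```

    The check only separates recordings made under a different profile from live output, so the profile has to change between the time a recording could have been made and the time it is replayed, and an attacker must not be able to predict it. The plant's low-pass behaviour attenuates the higher bins (roughly 0.09 of the input amplitude at 0.20 cycles/sample here), which is why the bin frequencies are chosen as integer cycles per window: with no spectral leakage the attenuated bin still dominates the window's transient and noise energy.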