Detecting Anomalous Programmable Logic Controller Behavior using RF-based Hilbert Transform Features and a Correlation-based Verification Process

Industrial control systems are used to operate critical infrastructure assets in the civilian and military sectors. Current industrial control system architectures are predominantly based on networked digital computers that enable reliable monitoring and control of critical functions via localized and distributed operations. Many industrial control systems, in particular, supervisory control and data acquisition (SCADA) systems, implement monitoring and control using programmable logic controllers, which have served as gateways through which cyber attacks have been orchestrated against high-profile industrial control system targets. This paper focuses on securing the programmable logic controller gateway against unauthorized entry and mitigating attack risks by (i) adopting a previously demonstrated capability that provides hardware device discrimination using information extracted from intentional radio frequency (RF) emissions; and (ii) adapting the RF-based verification methodology to exploit information in unintentional programmable logic controller emissions to detect anomalous operations and enhance industrial control system security. Operational status verification (normal operation versus anomalous operation) is demonstrated using emissions from 10 like-model programmable logic controllers. The correlation-based verification approach with Hilbert transform features demonstrates superior performance than with untransformed time domain features. Experimental results demonstrate that an arbitrary equal error rate (EER) benchmark (EER≤10%) is achieved for all programmable logic controllers with a signal-to-noise ratio (SNR) of 5.0 dB when Hilbert-transformed features are used for complete programmable logic controller program scans or SNR=0.0 dB when each programmable logic controller program operation is compared independently. This benchmark was not achieved for any programmable logic controllers when untransformed time domain features were employed

Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process

Industrial control systems are used to operate critical infrastructure assets in the civilian and military sectors. Current industrial control system architectures are predominantly based on networked digital computers that enable reliable monitoring and control of critical functions via localized and distributed operations. Many industrial control systems, in particular, supervisory control and data acquisition (SCADA) systems, implement monitoring and control using programmable logic controllers, which have served as gateways through which cyber attacks have been orchestrated against high-profile industrial control system targets. This paper focuses on securing the programmable logic controller gateway against unauthorized entry and mitigating attack risks by (i) adopting a previously demonstrated capability that provides hardware device discrimination using information extracted from intentional radio frequency (RF) emissions; and (ii) adapting the RF-based verification methodology to exploit information in unintentional programmable logic controller emissions to detect anomalous operations and enhance industrial control system security. Operational status verification (normal operation versus anomalous operation) is demonstrated using emissions from 10 like-model programmable logic controllers. The correlation-based verification approach with Hilbert transform features demonstrates superior performance than with untransformed time domain features. Experimental results demonstrate that an arbitrary equal error rate (EER) benchmark (EER≤10%) is achieved for all programmable logic controllers with a signal-to-noise ratio (SNR) of 5.0 dB when Hilbert-transformed features are used for complete programmable logic controller program scans or SNR=0.0 dB when each programmable logic controller program operation is compared independently. This benchmark was not achieved for any programmable logic controllers when untransformed time domain features were employed

Comparison of Radio Frequency Distinct Native Attribute and Matched Filtering Techniques for Device Discrimination and Operation Identification

The research presented here provides a comparison of classification, verification, and computational time for three techniques used to analyze Unintentional Radio- Frequency (RF) Emissions (URE) from semiconductor devices for the purposes of device discrimination and operation identification. URE from ten MSP430F5529 16-bit microcontrollers were analyzed using: 1) RF Distinct Native Attribute (RFDNA) fingerprints paired with Multiple Discriminant Analysis/Maximum Likelihood (MDA/ML) classification, 2) RF-DNA fingerprints paired with Generalized Relevance Learning Vector Quantized-Improved (GRLVQI) classification, and 3) Time Domain (TD) signals paired with matched filtering. These techniques were considered for potential applications to detect counterfeit/Trojan hardware infiltrating supply chains and to defend against cyber attacks by monitoring executed operations of embedded systems in critical Supervisory Control And Data Acquisition (SCADA) networks

Air Force Institute of Technology Research Report 2015

This report summarizes the research activities of the Air Force Institute of Technology’s Graduate School of Engineering and Management. It describes research interests and faculty expertise; lists student theses/dissertations; identifies research sponsors and contributions; and outlines the procedures for contacting the school. Included in the report are: faculty publications, conference presentations, consultations, and funded research projects. Research was conducted in the areas of Aeronautical and Astronautical Engineering, Electrical Engineering and Electro-Optics, Computer Engineering and Computer Science, Systems Engineering and Management, Operational Sciences, Mathematics, Statistics and Engineering Physics

Air Force Institute of Technology Research Report 2015

This report summarizes the research activities of the Air Force Institute of Technology’s Graduate School of Engineering and Management. It describes research interests and faculty expertise; lists student theses/dissertations; identifies research sponsors and contributions; and outlines the procedures for contacting the school. Included in the report are: faculty publications, conference presentations, consultations, and funded research projects. Research was conducted in the areas of Aeronautical and Astronautical Engineering, Electrical Engineering and Electro-Optics, Computer Engineering and Computer Science, Systems Engineering and Management, Operational Sciences, Mathematics, Statistics and Engineering Physics