Code Integrity Attestation for PLCs using Black Box Neural Network Predictions

Cyber-physical systems (CPSs) are widespread in critical domains, and significant damage can be caused if an attacker is able to modify the code of their programmable logic controllers (PLCs). Unfortunately, traditional techniques for attesting code integrity (i.e. verifying that it has not been modified) rely on firmware access or roots-of-trust, neither of which proprietary or legacy PLCs are likely to provide. In this paper, we propose a practical code integrity checking solution based on privacy-preserving black box models that instead attest the input/output behaviour of PLC programs. Using faithful offline copies of the PLC programs, we identify their most important inputs through an information flow analysis, execute them on multiple combinations to collect data, then train neural networks able to predict PLC outputs (i.e. actuator commands) from their inputs. By exploiting the black box nature of the model, our solution maintains the privacy of the original PLC code and does not assume that attackers are unaware of its presence. The trust instead comes from the fact that it is extremely hard to attack the PLC code and neural networks at the same time and with consistent outcomes. We evaluated our approach on a modern six-stage water treatment plant testbed, finding that it could predict actuator states from PLC inputs with near-100% accuracy, and thus could detect all 120 effective code mutations that we subjected the PLCs to. Finally, we found that it is not practically possible to simultaneously modify the PLC code and apply discreet adversarial noise to our attesters in a way that leads to consistent (mis-)predictions.Comment: Accepted by the 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2021

A Novel Approach to Determining Real-Time Risk Probabilities in Critical Infrastructure Industrial Control Systems

Critical Infrastructure Industrial Control Systems are substantially different from their more common and ubiquitous information technology system counterparts. Industrial control systems, such as distributed control systems and supervisory control and data acquisition systems that are used for controlling the power grid, were not originally designed with security in mind. Geographically dispersed distribution, an unfortunate reliance on legacy systems and stringent availability requirements raise significant cybersecurity concerns regarding electric reliability while constricting the feasibility of many security controls. Recent North American Electric Reliability Corporation Critical Infrastructure Protection standards heavily emphasize cybersecurity concerns and specifically require entities to categorize and identify their Bulk Electric System cyber systems; and, have periodic vulnerability assessments performed on those systems. These concerns have produced an increase in the need for more Critical Infrastructure Industrial Control Systems specific cybersecurity research. Industry stakeholders have embraced the development of a large-scale test environment through the Department of Energy’s National Supervisory Control and Data Acquisition Test-bed program; however, few individuals have access to this program. This research developed a physical industrial control system test-bed on a smaller-scale that provided an environment for modeling a simulated critical infrastructure sector performing a set of automated processes for the purpose of exploring solutions and studying concepts related to compromising control systems by way of process-tampering through code exploitation, as well as, the ability to passively and subsequently identify any risks resulting from such an event. Relative to the specific step being performed within a production cycle, at a moment in time when sensory data samples were captured and analyzed, it was possible to determine the probability of a real-time risk to a mock Critical Infrastructure Industrial Control System by comparing the sample values to those derived from a previously established baseline. This research achieved such a goal by implementing a passive, spatial and task-based segregated sensor network, running in parallel to the active control system process for monitoring and detecting risk, and effectively identified a real-time risk probability within a Critical Infrastructure Industrial Control System Test-bed. The practicality of this research ranges from determining on-demand real-time risk probabilities during an automated process, to employing baseline monitoring techniques for discovering systems, or components thereof, exploited along the supply chain

Active fuzzing for testing and securing cyber-physical systems

National Research Foundation (NRF) Singapore under its National Satellite of Excellence Programm

Preventing Capability Abuse through Systematic Analysis of Exposed Interface

Connectivity and interoperability are becoming more and more critical in today’s software and cyber-physical systems. Different components of the system can better collaborate, enabling new innovation opportunities. However, to support connectivity and interoperability, systems and applications have to expose certain capabilities, which inevitably expands their attack surfaces and increases the risk of being abused. Due to the complexity of software systems and the heterogeneity of cyber-physical systems, it is challenging to secure their exposed interfaces and completely prevent abuses. To address the problems in a proactive manner, in this dissertation, we demonstrate that systematic studies of exposed interfaces and their usage in the real world, leveraging techniques such as program analysis, can reveal design-level, implementation-level, as well as configuration-level security issues, which can help with the development of defense solutions that effectively prevent capability abuse. This dissertation solves four problems in this space. First, we detect inconsistent security policy enforcement, a common implementation flaw. Focusing on the Android framework, we design and build a tool that compares permissions enforced on different code paths and identifies the paths enforcing weaker permissions. Second, we propose the Application Lifecycle Graph (ALG), a novel modeling approach to describing system-wide app lifecycle, to assist the detection of diehard behaviors that abuse lifecycle interfaces. We develop a lightweight runtime framework that utilizes ALG to realize fine-grained app lifecycle control. Third, we study real-world programmable logic controller programs for identifying insecure configurations that can be abused by adversaries to cause safety violations. Lastly, we conduct the first systematic security study on the usage of Unix domain sockets on Android, which reveals both implementation flaws and configuration weaknesses.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/149960/1/yurushao_1.pd

FieldFuzz: In Situ Blackbox Fuzzing of Proprietary Industrial Automation Runtimes via the Network

Networked Programmable Logic Controllers (PLCs) are proprietary industrial devices utilized in critical infrastructure that execute control logic applications in complex proprietary runtime environments that provide standardized access to the hardware resources in the PLC. These control applications are programmed in domain specific IEC 61131-3 languages, compiled into a proprietary binary format, and process data provided via industrial protocols. Control applications present an attack surface threatened by manipulated traffic. For example, remote code injection in a control application would directly allow to take over the PLC, threatening physical process damage and the safety of human operators. However, assessing the security of control applications is challenging due to domain-specific challenges and the limited availability of suitable methods. Network-based fuzzing is often the only way to test such devices but is inefficient without guidance from execution tracing. This work presents the FieldFuzz framework that analyzes the security risks posed by the Codesys runtime (used by over 400 devices from 80 industrial PLC vendors). FieldFuzz leverages efficient network-based fuzzing based on three main contributions: i) reverse-engineering enabled remote control of control applications and runtime components, ii) automated command discovery and status code extraction via network traffic and iii) a monitoring setup to allow on-system tracing and coverage computation. We use FieldFuzz to run fuzzing campaigns, which uncover multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art

Discovering Physical Interaction Vulnerabilities in IoT Deployments

Internet of Things (IoT) applications drive the behavior of IoT deployments according to installed sensors and actuators. It has recently been shown that IoT deployments are vulnerable to physical interactions, caused by design flaws or malicious intent, that can have severe physical consequences. Yet, extant approaches to securing IoT do not translate the app source code into its physical behavior to evaluate physical interactions. Thus, IoT consumers and markets do not possess the capability to assess the safety and security risks these interactions present. In this paper, we introduce the IoTSeer security service for IoT deployments, which uncovers undesired states caused by physical interactions. IoTSeer operates in four phases (1) translation of each actuation command and sensor event in an app source code into a hybrid I/O automaton that defines an app's physical behavior, (2) combining apps in a novel composite automaton that represents the joint physical behavior of interacting apps, (3) applying grid-based testing and falsification to validate whether an IoT deployment conforms to desired physical interaction policies, and (4) identification of the root cause of policy violations and proposing patches that guide users to prevent them. We use IoTSeer in an actual house with 13 actuators and six sensors with 37 apps and demonstrate its effectiveness and performance

What Ukraine Taught NATO about Hybrid Warfare

Russia’s invasion of Ukraine in 2022 forced the United States and its NATO partners to be confronted with the impact of hybrid warfare far beyond the battlefield. Targeting Europe’s energy security, Russia’s malign influence campaigns and malicious cyber intrusions are affecting global gas prices, driving up food costs, disrupting supply chains and grids, and testing US and Allied military mobility. This study examines how hybrid warfare is being used by NATO’s adversaries, what vulnerabilities in energy security exist across the Alliance, and what mitigation strategies are available to the member states. Cyberattacks targeting the renewable energy landscape during Europe’s green transition are increasing, making it urgent that new tools are developed to protect these emerging technologies. No less significant are the cyber and information operations targeting energy security in Eastern Europe as it seeks to become independent from Russia. Economic coercion is being used against Western and Central Europe to stop gas from flowing. China’s malign investments in Southern and Mediterranean Europe are enabling Beijing to control several NATO member states’ critical energy infrastructure at a critical moment in the global balance of power. What Ukraine Taught NATO about Hybrid Warfare will be an important reference for NATO officials and US installations operating in the European theater.https://press.armywarcollege.edu/monographs/1952/thumbnail.jp