Detection and Forensic Analysis of Modern ICS Attacks Via Correlating Scada Host Operations with Physical Behavior
Author(s)
Ike, Moses Junior
Abstract
The increased cyber connectivity in modern Industrial Control Systems (ICS) has improved the overall operation of life-essential processes such as power and water treatment plants. Unfortunately, it has also widened the cyber-attack surface of ICS, allowing adversaries to penetrate previously air-gapped plants and cause physical disruptions to critical infrastructure. Modern ICS attacks penetrate plants by infecting cyber-facing Supervisory Control and Data Acquisition (SCADA) workstations, which manage physical processes and devices. To evade defenses, attackers use ICS knowledge to stage and blend their attacks with normal SCADA activities, injecting just enough payload at each step. As such, existing host-based and physical anomaly-based defenses miss these stealthy tactics because they cannot correlate SCADA operations with physical behavior. To address this problem, this dissertation presents a hybrid approach that applies ICS domain knowledge to correlate SCADA operations with physical effects, enabling it to analyze the multistage behaviors of modern attacks. To demonstrate the efficacy of my approach, I first present an attack detection technique, SCAPHY. SCAPHY leverages the unique execution phases of SCADA to identify the limited set of behaviors that legitimately control physical processes, which differ from the attacker’s activities. SCAPHY detected real past attacks such as the Ukrainian power disruption. Next, to proactively detect staged attacks, I present FORECAST, a symbolic execution-based exploration of SCADA execution states following suspicious process symptoms. FORECAST detects “not-yet-executed” attacks and ranks them by their likelihood of future execution, enabling operators to prioritize their attack response. Finally, I present a post-mortem attack recovery technique, OTGUARD, which extends the ideas from SCAPHY and FORECAST to connect process symptoms to SCADA infections. OTGUARD uses the physical location of process symptoms to guide a symbolic exploration of the multiple SCADA execution states leading up to the attack.
Date
2023-07-07
Resource Type
Text
Resource Subtype
Dissertation