Network based fingerprinting techniques for industrial control systems
Author(s)
Formby, David
Abstract
Fingerprinting techniques operating over the network are proposed to identify various aspects of industrial control systems (ICSs), including software, hardware, and physical devices. First, a detailed traffic characterization is performed on several power substation networks to guide the development of the techniques. Round trip times for the resource-starved embedded devices were observed to be heavily clustered by device type regardless of the physical distance between them, suggesting that they were dominated by processing time rather than network latency. This insight led to the development of cross-layer response time fingerprinting, which passively identifies device types from the processing time between TCP-level acknowledgments and application-layer responses, with classification accuracy reaching 99% on real-world substation traffic. Complementing these techniques by addressing a different aspect of ICS networks, methods are developed to fingerprint the physical devices of the ICS. Previous work on physical fingerprinting is extended to improve relay classification from 92% to 100% and to broaden the scope of the methods to valves, motors, and pumps. Building on the idea behind the cross-layer response time methods, techniques are explored that expand the scope to general programmable logic controllers by generating program fingerprints from the execution times of control programs. The security of this technique is enhanced by the addition of proof-of-work functions to provide an upper-bound guarantee that no additional instructions are being executed in the program. The performance of all the fingerprinting techniques is discussed with respect to their potential to contribute to a holistic, ICS-specific intrusion detection system.
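As an added illustration (not code from the dissertation), the cross-layer measurement described above applied to a constructed packet trace: the processing time is the gap between the device's bare TCP acknowledgment of a request and its application-layer reply, and the device type is chosen by the nearest reference mean. The trace, the profile values and the nearest-mean rule are assumptions made for this example.

```python
"""Cross-layer response time fingerprinting, simplified illustration."""
from statistics import mean

# Constructed packet trace (not real capture data). Each tuple is
# (timestamp_s, direction, kind): direction is "req" from the master or
# "dev" from the field device; kind is "ack" for an empty TCP ACK and
# "data" for a segment carrying an application-layer payload.
TRACE = [
    (0.000, "req", "data"),
    (0.012, "dev", "ack"),   # TCP stack acknowledges the request
    (0.061, "dev", "data"),  # application layer answers ~49 ms later
    (1.000, "req", "data"),
    (1.011, "dev", "ack"),
    (1.063, "dev", "data"),
    (2.000, "req", "data"),
    (2.013, "dev", "ack"),
    (2.060, "dev", "data"),
    (3.000, "req", "data"),
    (3.055, "dev", "data"),  # ACK piggybacked on the reply: no sample
]

# Reference profiles: mean processing time in seconds per device type.
# Assumed values for the example, not the dissertation's measurements.
PROFILES = {"relay_A": 0.050, "relay_B": 0.120, "rtu_C": 0.300}


def processing_times(trace):
    """Return one processing-time sample per request: the delay between
    the device's bare TCP ACK and its application-layer reply. Requests
    without a separate ACK followed by a reply yield no sample."""
    times = []
    t_req = t_ack = None
    for ts, direction, kind in trace:
        if direction == "req" and kind == "data":
            t_req, t_ack = ts, None
        elif direction == "dev" and kind == "ack" and t_req is not None:
            t_ack = ts
        elif direction == "dev" and kind == "data":
            if t_ack is not None:
                times.append(round(ts - t_ack, 6))
            t_req = t_ack = None
    return times


def classify(times, profiles=PROFILES):
    """Nearest-mean classification; None when there is nothing to classify."""
    if not times:
        return None
    observed = mean(times)
    return min(profiles, key=lambda d: abs(profiles[d] - observed))


if __name__ == "__main__":
    samples = processing_times(TRACE)
    print(samples, classify(samples))
```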
Date
2017-08-28
Resource Type
Text
Resource Subtype
Dissertation