I came, I saw, I hacked Automated Generation of Process-independent Attacks for ICS
一、摘要
在发现和利用脆弱性方面最先进的研究通常假设工业过程完全可视和控制,这在现实场景中是不现实的。我们研究了在仅感染一台工业计算机的受限场景中,对未知控制进程进行自动端到端攻击的可能性。我们使用公开可用的资源创建人机界面图像数据库和可编程逻辑控制器(PLC)二进制文件,分别为ICS部门和流程的模块化和粒度指纹识别培训机器学习模型。然后,我们利用PLC二进制逆向工程工具探索对过程的控制理论攻击,利用常见/普遍的控制算法模块,如比例积分衍生块,在工厂的运行极限内造成稳定或振荡的偏差。我们将自动攻击打包,并针对一个标准的化学过程进行评估,证明即使在受限的情况下,高级攻击也是可行的。
二、介绍
在大多数ICS安全评估方法中,缺少三个重要考虑因素:1)大多数攻击假设工业系统完全可见或假设至少一种类型的设备(例如,工厂中的所有控制器)完全可控;2)很少讨论侦察自动化,攻击启动和攻击维持阶段;3)缺乏适用于各种部门的通用攻击向量。
ICS的多样性本质上限制了其安全评估通用框架的创建,但我们利用ICS部门、流程和通用控制算法之间的相似性来克服这些限制并确定动态攻击的边界。
在我们所研究的场景中,我们考虑了对工业设备的受限访问的攻击。我们的攻击是从一台基于HMI Windows的计算机开始的,传统恶意软件可以达到这一点。我们提出了一种自动侦察和攻击开发的方法,其中对手可以发起秘密过程感知攻击。
主要贡献:
①使用HMI屏幕截图的ICS部门指纹:我们构建了HMI公开可用图像数据库和经过培训的机器学习模型,可以将HMI屏幕截图分类为特定ICS部门的一部分,从而成功识别工业部门。
②使用ICS二进制文件的ICS过程指纹识别:一旦确定了工业部门,必须对特定的目标过程进行指纹识别。我们使用一个公开的ICS二进制文件数据库来训练机器学习模型,以确定它们在该领域内控制的特定过程。
③设计基于扰动的攻击的通用方法:给定一个受约束的攻击者,该攻击者对过程具有部分可见性;我们利用控制理论来设计可以在行为上控制的攻击。这些通用攻击的目标是任何使用广泛使用的PID控制器的系统,同时保持在操作点内,将电厂驱动到次优状态。
端到端案例研究:我们在田纳西州伊士曼(Tennessee Eastman)开发了一个端到端的示范,这是一个标准的化学过程,并展示了所提出攻击的可行性。
三、威胁模型
对于我们的威胁模型,我们做出以下假设:
•攻击者事先不知道ICS
•攻击者可以在HMI上访问并执行程序
•HMI连接到PLC,可以提取其二进制文件
攻击场景如下:
攻击者到达并可以在承载HMI的通用计算机上执行代码。接下来,代码获取HMI的屏幕截图,并将其通过预先训练的分类器,该分类器同时执行基于图像和基于提取文本的分类。当识别出ICS扇区时,代码穿过网络以扫描潜在的目标PLC。之后,当代码到达PLC时,它从PLC下载控制二进制文件并对其进行分析,以对该PLC控制的过程进行分类,它还提取有趣的参数。使用动态提取的所有信息,代码可以部署许多操作上无法检测的攻击之一。这些攻击可以是对物理量造成稳定扰动从而导致非最优运行的攻击,也可以是在上下限范围内引起振荡扰动从而导致系统基础设施长期物理损坏的攻击。另一种类型的攻击是定时炸弹攻击,它允许攻击者在部署攻击之前通过使用ICSREF操纵PLC二进制文件逃跑。
四、确定ICS部门
为了有效地攻击未知的工业设置,我们首先需要确定ICS部门,然后确定HMI监控和控制的特定ICS过程。ICS过程指纹识别是指识别受感染PLC控制的过程。这提供了更细粒度的信息。
为了建立知识,我们使用公开可用的信息(图像和PLC二进制文件)来构建机器学习模型,该模型可以有效地提取指纹和数据,从而在感染后发起过程感知攻击。我们不会试图进行任何人工侦察以获取有关目标的任何具体信息。ICS部门指纹识别需要对受感染的设备进行更一般的观察:HMI屏幕截图可以以浓缩的形式提供该信息。因此,我们主要使用HMI屏幕截图来了解更多关于ICS部门的信息。另一方面,在受感染的PLC上运行的代码提供有关特定进程的信息。因此,我们选择PLC控制二进制文件来执行ICS过程指纹识别。我们还使用HMI屏幕截图执行过程指纹识别,使用PLC二进制文件执行扇区指纹识别,并观察到有限的准确性。
五、结论
在这项工作中,我们考虑了一个约束威胁模型,对手没有先验知识的目标集成电路环境。
我们提出了一种通过HMI进行单点渗透的方法。为了成功识别电厂,我们使用公开的ICS HMI图像和PLC二进制文件构建了一个数据集。
然后,我们训练了几个机器学习模型来选择识别ICS部门和流程的最终分类器。我们还使用HMI屏幕截图和二进制文件提取数据,为攻击设计构建智能。
我们利用控制理论来设计IC中基于一般扰动的攻击。我们的结果表明,根据扇区/进程/可见性,对手可以进行高精度的端到端攻击,即使事先不知道。这就要求对ICS进行彻底的安全评估,并设计鲁棒的防御机制,以减少攻击面。
六、参考文献
构建的数据集以及为ICS部门和过程指纹识别培训的ML模型在https://github.com/momalab/ICS_research_resources
[1]S. Amin, X. Litrico, S. Sastry, and A. M. Bayen. 2013. Cyber Security of Water
SCADA Systems—Part I: Analysis and Experimentation of Stealthy Deception
Attacks.IEEE Transactions on Control Systems Technology21, 5 (2013), 1963–1970.
[2]S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen. 2013. Cyber Security of
Water SCADA Systems—Part II: Attack Detection Using Enhanced Hydrodynamic
Models.IEEE Transactions on Control Systems Technology21, 5 (2013), 1679–1693.
[3]W. Aoudi, M. Iturbe, and M. Almgren. 2018. Truth Will Out: Departure-Based
Process-Level Detection of Stealthy Attacks on Control Systems. InProceedings
of the 2018 ACM CCS (CCS ’18). 817–831.
[4]W. Ashford. 2018. Social engineering at the heart of critical infrastructure at-
tack.https://www.computerweekly.com/news/252454369/Social-engineering-at-
the-heart-of-critical-infrastructure-attack. [Online].
[5]K.J. Astrom and R. M. Murray. 2008.PID Tuning, Feedback Systems: An Introduction
for Scientists and Engineers. Princeton University Press, Princeton, NJ, USA.
[6]J. Berr. 2017. WannaCry ransomware attack losses could reach $4
billion.https://www.cbsnews.com/news/wannacry-ransomware-attacks-
wannacry-virus-losses/. [Online].
[7]E. Byres. 2012. #1 ICS and SCADA Security Myth: Protection by Air
Gap.https://www.tofinosecurity.com/blog/1-ics-and-scada-security-myth-
protection-air-gap.
[8]A. A. Cárdenas, S. Amin, Z. Lin, Y. Huang, C. Huang, and S. S. Sastry. 2011.
Attacks against process control systems: risk assessment, detection, and response.
InAsiaCCS.
[9]Critical Infrastructure Protection Vigilence. 2011. SCADA Security Evaporates
in Texas.https://ciip.wordpress.com/tag/scada-incidents/. [Online].
[10]J.J. Downs and E.F. Vogel. 1993. A plant-wide industrial process control problem.
Computers & Chemical Engineering17, 3 (1993), 245 – 255.
[11]Dragos. 2017. TRISIS Malware: Analysis of Safety System Targeted Malware.
https://dragos.com/wp-content/uploads/TRISIS-01.pdf. [Online].
[12]N. Falliere, L. O. Murchu, and E. Chien. 2011. W32. stuxnet dossier.White paper,
Symantec Corp., Security Response(Feb 2011).
[13]C. Feng, T. Li, Z. Zhu, and D. Chana. 2017. A Deep Learning-based
Framework for Conducting Stealthy Attacks in Industrial Control Systems.
arXiv:cs.CR/1709.06397
[14]David Formby, Preethi Srinivasan, Andrew M. Leonard, Jonathan D. Rogers, and
Raheem A. Beyah. 2016. Who’s in Control of Your Control System? Device
Fingerprinting for Cyber-Physical Systems. The Internet Society.
[15]L. Garcia, F. Brasser, M. Hazar Cintuglu, A. Sadeghi, O. A. Mohammed, and S. A.
Zonouz. 2017. Hey, My Malware Knows Physics! Attacking PLCs with Physical
Model Aware Rootkit. InNDSS.
[16] F. Golnaraghi and B. C. Kuo. 2009.Automatic Control Systems(9th ed.). Wiley.
[17]N. Govil, A. Agrawal, and N.O. Tippenhauer. 2018. On Ladder Logic Bombs in
Industrial Control Systems. Springer International Publishing, 110–126.
[18]D. Hadžiosmanović, R. Sommer, E. Zambon, and P. H. Hartel. 2014. Through
the Eye of the PLC: Semantic Security Monitoring for Industrial Processes. In
Proceedings of the 30th ACSAC (ACSAC ’14). 126–135.
[19]Y. Huang, M. Esmalifalak, H. Nguyen, R. Zheng, Z. Han, H. Li, and L. Song.
2013. Bad data injection in smart grid: attack and defense mechanisms.IEEE
Communications Magazine51, 1 (2013), 27–33.
[20]Kaspersky. 2017. ICS cybersecurity: A view from the field.https://www.kaspersky.
com/blog/ics-report-2017/16967/. [Online].
[21]A. Keliris and M. Maniatakos. 2019. ICSREF: A Framework for Automated Reverse
Engineering of Industrial Control Systems Binaries. InNDSS.
[22]A. Keliris, H. Salehghaffari, B. Cairl, P. Krishnamurthy, M. Maniatakos, and F.
Khorrami. 2016. Machine learning-based defense against process-aware attacks
on Industrial Control Systems. In2016 IEEE International Test Conference (ITC).
[23]C. Konstantinou, M. Sazos, and M. Maniatakos. 2016. Attacking the smart grid
using public information. In2016 17th Latin-American Test Symposium (LATS).
105–110.https://doi.org/10.1109/LATW.2016.7483348
[24]Kowsari, J. Meimandi, H., Mendu, Barnes, and Brown. 2019. Text Classification
Algorithms: A Survey.Information10, 4 (Apr 2019), 150.
[25]M. Krotofil. 2017. Evil Bubbles.https://www.blackhat.com/us-
17/briefings/schedule/#evil-bubbles-or-how-to-deliver-attack-payload-
via-the-physics-of-the-process-7689. [Online].
[26]M. Krotofil and J Larsen. 2015. rocking the pocket book: Hacking chemical
plants for competition and extortion cite.https://www.blackhat.com/docs/us-
15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-
Plant-For-Competition-And-Extortion-wp.pdf. [Online].
[27]Marina Krotofil, Jason Larsen, and Dieter Gollmann. 2015. The Process Matters:
Ensuring Data Veracity in Cyber-Physical Systems. InProceedings of the 10th
ACM Symposium on Information, Computer and Communications Security (ASIA
CCS ’15). Association for Computing Machinery, New York, NY, USA, 133–144.
https://doi.org/10.1145/2714576.2714599
[28]R. M. Lee, M. J. Assante, and T. Conway. 2016. Analysis of the cyber attack on
the Ukrainian power grid.SANS Industrial Control Systems23 (2016).
[29]Y. Liu, P. Ning, and M. K. Reiter. 2009. False Data Injection Attacks Against State
Estimation in Electric Power Grids. InProceedings of the 16th ACM CCS.
[30] J. Matherly. 2019. SHODAN.https://www.shodan.io/. [Online].
[31]A. P. Mathur and N. O. Tippenhauer. 2016. SWaT: a water treatment testbed
for research and training on ICS security. In2016 International Workshop on
Cyber-physical Systems for Smart Water Networks (CySWater). 31–36.
[32]S. McLaughlin. 2011. On Dynamic Malware Payloads Aimed at Programmable
Logic Controllers. InProceedings of the 6th USENIX Conference on Hot Topics in
Security (HotSec’11). USENIX Association, Berkeley, CA, USA, 10–10.
[33]S. McLaughlin and P. McDaniel. 2012. SABOT: Specification-based Payload
Generation for Programmable Logic Controllers. InProceedings of the 2012 ACM
CCS (CCS ’12). New York, NY, USA, 439–449.
[34]Department of Homeland Security. [n.d.]. Critical Infrastructure Sectors.https:
//www.dhs.gov/cisa/critical-infrastructure-sectors. [Online].
[35]Prashant Hari Narayan Rajput, Pankaj Rajput, Marios Sazos, and Michail Mani-
atakos. 2019. Process-Aware Cyberattacks for Thermal Desalination Plants. In
Proceedings of the 2019 ACM Asia Conference on Computer and Communications
Security (Asia CCS ’19). Association for Computing Machinery, New York, NY,
USA, 441–452.https://doi.org/10.1145/3321705.3329805
[36]SANS Institute. 2014. German Steel Mill Cyber Attack.https://ics.sans.org/media/
ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf. [Online].
[37]SANS Institute. 2016. The Impact of Dragonfly Malware on Industrial Control Sys-
tems.https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-
malware-industrial-control-systems-36672. [Online].
[38]E. Sarkar, Y. Alkindi, and M. Maniatakos. 2020. Backdoor Suppression in Neural
Networks using Input Fuzzing and Majority Voting.IEEE Design Test(2020), 1–1.
https://doi.org/10.1109/MDAT.2020.2968275
[39]M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter. 2016. Accessorize to a Crime:
Real and Stealthy Attacks on State-of-the-Art Face Recognition. InProceedings of
the 2016 ACM CCS (CCS ’16). 1528–1540.
[40]Y. Shoukry, P. Martin, Y. Yona, S. Diggavi, and M. Srivastava. 2015. PyCRA:
Physical Challenge-Response Authentication For Active Sensors Under Spoofing
Attacks. InProceedings of the 22Nd ACM CCS (CCS ’15). 1004–1015.
[41]C. Song and V.Shmatikov. 2018. Fooling OCR Systems with Adversarial Text
Images. arXiv:cs.LG/1802.05385
[42]N. Srivastava, G. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov. 2014.
Dropout: A Simple Way to Prevent Neural Networks from Overfitting.Journal
of Machine Learning Research15 (2014), 1929–1958.
[43]Keith A. Stouffer, Joseph A. Falco, and Karen A. Scarfone. 2011.SP 800-82. Guide to
Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition
(SCADA) Systems, Distributed Control Systems (DCS), and Other Control System
Configurations Such As Programmable Logic Controllers (PLC). Technical Report.
Gaithersburg, MD, United States.
[44]D. I. Urbina, J. Giraldo, A. A. Cardenas, J. Valente, M. Faisal, N. O. Tippenhauer, J.
Ruths, R. Candell, and H. Sandberg. 2016.Survey and new directions for physics-
based attack detection in control systems. US Department of Commerce, NIST.
[45]David I. Urbina, Jairo A. Giraldo, Alvaro A. Cardenas, Nils Ole Tippenhauer, Junia
Valente, Mustafa Faisal, Justin Ruths, Richard Candell, and Henrik Sandberg.
2016. Limiting the Impact of Stealthy Attacks on Industrial Control Systems. In
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications
Security (CCS ’16). Association for Computing Machinery, New York, NY, USA,
1092–1105.https://doi.org/10.1145/2976749.2978388
[46]A.R. Winnicki, M. Krotofil, and D. Gollmann. 2017. Cyber-Physical System
Discovery: Reverse Engineering Physical Processes. InProceedings of the 3rd
ACM Workshop on Cyber-Physical System Security (CPSS ’17). 3–14.
[47]T. Yardley. 2008. SCADA: issues, vulnerabilities, and future directions.https:
//www.usenix.org/system/files/login/articles/258-yardley.pdf. [Online].
[48]M. B. Younis and G. Frey. 2006. UML-based Approach for the Re-Engineering
of PLC Programs. InIECON 2006 - 32nd Annual Conference on IEEE Industrial
Electronics. 3691–3696.
[49]S. Zonouz, J. Rrushi, and S. McLaughlin. 2014. Detecting Industrial Control
Malware Using Automated PLC Code Analytics.IEEE Security Privacy(2014).