Title: Detection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior

Moses Ike J

Ph.D. student

School of Cybersecurity and Privacy

Georgia Institute of Technology

Date: Friday, December 9, 2022

Time: 10:00 am - 11:00 am EST

Location: https://gatech.zoom.us/j/99212775135?pwd=cFhzVGNVNGYxRXIxUjliYzRJUEhxdz09

Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Saman Zonouz, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Uzoma Onunkwo, Cybersecurity Research and Development, Sandia National Laboratories

Abstract:

The increased cyber connectivity in modern Operational Technology (OT) plants has improved overall Cyber-Physical Systems (CPS) operations. Unfortunately, it has also allowed cyber attackers to penetrate previously air-gapped Industrial Control Systems (ICS), causing physical disruptions to critical infrastructure such as the electric power grid. ICS attackers penetrate OT plants by infecting Supervisory Control and Data Acquisition (SCADA) workstations, the cyber-facing control systems that manage physical devices such as Programmable Logic Controllers (PLC), sensors, and actuators. When disrupting ICS devices, modern attacks blend in with normal SCADA activity by injecting just enough malicious commands at each step. This stealthy tactic evades existing host-based and sensor-based defenses, because neither can connect SCADA host operations with their physical effects.

To address these challenges, I propose a hybrid ICS attack detection technique that leverages CPS domain knowledge to correlate control executions in SCADA with their effects on physical device behavior. To demonstrate the efficacy of my approach, I first present a technique called SCAPHY, which analyzes the distinct execution phases of SCADA operations to detect malicious physical impact on sensors and actuators. SCAPHY works by identifying the limited set of legitimate SCADA API calls used to control devices in each phase, which distinguishes them from attacker activities in those phases. SCAPHY detected real past attacks, such as the Ukrainian power grid disruption, with high accuracy.

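To make the SCAPHY idea concrete, here is an added example (not the author's code) of phase-aware correlation: control API calls are checked against a per-phase allowlist, and each observed physical change must be explained by a legitimate control call on the same device shortly before it. The phase names, API names, device names and the trace are all constructed assumptions.

```python
"""Phase-aware correlation of SCADA host operations with physical effects.
Added illustration of the SCAPHY idea, not the author's code; phase names,
API names, devices and the sample trace are constructed assumptions."""
from dataclasses import dataclass

# Assumed host API calls that can change physical device state.
CONTROL_APIS = {"SetPointWrite", "CoilWrite"}
# Assumed per-phase allowlist of legitimate control calls (monitoring only reads).
LEGIT_BY_PHASE = {
    "configuration": {"SetPointWrite"},
    "operation": {"SetPointWrite", "CoilWrite"},
    "monitoring": set(),
}

@dataclass(frozen=True)
class HostOp:
    ts: int       # seconds since trace start
    phase: str    # SCADA execution phase the call was observed in
    api: str
    device: str

@dataclass(frozen=True)
class PhysEvent:
    ts: int
    device: str
    delta: float  # observed change in the sensor/actuator reading

def correlate(host_ops, phys_events, window=5):
    """Alert on control calls outside their phase's allowlist, and on physical
    changes with no legitimate control call on that device within `window` s."""
    alerts = []
    for op in host_ops:
        if op.api in CONTROL_APIS and op.api not in LEGIT_BY_PHASE.get(op.phase, set()):
            alerts.append(("off-phase-control", op.ts, op.api, op.device))
    for ev in phys_events:
        explained = any(
            op.device == ev.device
            and 0 <= ev.ts - op.ts <= window
            and op.api in LEGIT_BY_PHASE.get(op.phase, set())
            for op in host_ops)
        if ev.delta != 0 and not explained:
            alerts.append(("unexplained-physical-change", ev.ts, ev.device, ev.delta))
    return alerts

# Constructed trace: a legitimate operator set-point write to a pump, then a
# coil write issued during the monitoring phase, followed by a breaker trip.
SAMPLE_OPS = [HostOp(10, "operation", "SetPointWrite", "PUMP1"),
              HostOp(40, "monitoring", "CoilWrite", "BREAKER3")]
SAMPLE_EVENTS = [PhysEvent(12, "PUMP1", 0.5), PhysEvent(43, "BREAKER3", -1.0)]
```

Running `correlate(SAMPLE_OPS, SAMPLE_EVENTS)` flags both the off-phase coil write and the breaker change it produced, while the pump change is explained by the operator's write.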
Next, to detect ICS attacks proactively in their early stages, I present FORECAST, a forensic forward-exploration of SCADA memory snapshots, triggered by suspicious CPS events, that reveals "not-yet-executed" attacks. FORECAST ranks detected attacks by their likelihood of future execution, which enables OT operators to prioritize their attack response workflows.

Finally, to build on FORECAST and identify the SCADA infection, I propose OTGUARD, a novel technique that uses physical information (e.g., alarm location) to guide and correlate suspicious physical events across SCADA snapshots to counter ongoing ICS attacks.