Cyber-Air-Gapped Detection of Controller Attacks through Physical Interdependencies (2016)
Etigowni, S., Cintuglu, M., Kazerooni, M., Hossain, S., Sun, P., Davis, K., Mohammed, O., Zonouz, S.
Trustworthy operation of the power grid critical infrastructures requires real-time intrusion detection systems to identify compromised and malfunctioning controller devices. The past three decades of direct application of the traditional purely-cyber security solutions against these infrastructures has proved insufficient in practice due to emerging sophisticated malicious attacks against power grid control systems. In this paper, we propose PhiDS, a physics-aware intrusion detection system to identify compromised controllers through continuous observation of remote power system sensor measurements. Real-time remote sensor data analysis enables PhiDS to determine the power system state trajectory and infer the control commands issued by the distributed controllers on the plant. Given the power system safety requirements, PhiDS monitors the data stream and identifies the controllers that issue control commands that violates the safety of the power system. PhiDS does not require any cyber communication with the (potentially compromised) controller devices, and hence provides an air-gap between the the security monitor and the target device. Consequently, if the controller is infected, the adversary cannot compromise and corrupt the monitor’s reports. The will ensure that the monitor will always remain away from the adversaries’ access and hence provide trustworthy reports. We implemented and evaluated PhiDS on a real-world power system test-bed, where the programmable logic controllers are targets for and attacked by the remote network adversaries. PhiDS was able to identify all the infected controllers efficiently without any cyber link to the controllers. PhiDS’s outcomes were instead purely based on the power system measurements from sensors that are deployed adjacent to the controllers.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
- The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."
- The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the authorís version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."
- The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."