Close
  • Français
  • English

2018/03/21Cyberprotection of Industrial Control Systems: a Model-Based Approach to Detect and Respond to Cyberattacks

By Franck SICARD, Éric ZAMAÏ and Jean-Marie FLAUS
Univ. Grenoble Alpes, CNRS, Grenoble INP, G-SCOP, F-38000 Grenoble, France

Industrial Control Systems (ICSs) are present in many areas to ensure the productivity and reliability of production systems. However, as security requirements were not taken into account in their design, these systems are extremely vulnerable to cyberattacks. Since the beginning of the 21st century, these systems have become the target of hackers, whose most famous attack is Stuxnet (2009), which affected the Natanz uranium enrichment plant in Iran. This article will highlight the flaws of ICSs, then suggest an innovative approach to protect these systems, using “business knowledge” and the specificities of real-time protection layers. Finally, it will describe detection mechanisms that can be developed after a critical attack.

1.      Vulnerability study in real-time protection layers of ICSs

Industrial control systems consist of a set of control devices that operate together to achieve a production objective. This construction is very similar to that of a cyberphysical system, in which the control part (level 1), whose main component is the industrial programmable logic controller (PLC), controls an operating part (level 0) composed on the one hand by the actuators that apply the commands to the production flow and on the other hand by the sensors that transmit information to the control part. This abstract representation in the form of a functional architecture makes it possible to represent ICSs (in accordance with the CIM standard). This architecture can reveal other levels such as supervision (level 2), which provides ICS operators with an image of the system status at a given moment. This article will focus on the layers 0 and 1 of the ICS architecture.

ICSs are present in many critical infrastructures such as energy production and distribution (electricity, water, oil), water treatment, chemical and manufacturing industries, and transport. They enable a physical system to evolve from an initial to a final state for production purposes. These systems have been designed to naturally ensure the productivity and operational safety of the installations. In order to further increase productivity, ICSs were equipped in the 2000s with modern means of communication such as Ethernet TCP/IP, web servers and remote maintenance tools. This has  introduced vulnerabilities at different levels of the ICS architecture that are represented in Figure 1 (for more details, see Sicard et al. [1] and McLaughlin et al. [2].

In order to secure command and control systems, several government agencies have published recommendations and good practice guides, the best known being those of ANSSI (France), NIST (USA) and ENISA (EU). Therefore different solutions to secure ICSs and take into account cyber threats are arriving on the market [3]. But these solutions are based on techniques inherited from traditional IT (Information Technology), such as firewalls, DMZ (demilitarized zone) or IDS (Intrusion Detection System). Most of them enable to secure the high network layers of the ICS without taking into account the specificities of ICSs, as presented in Sicard et al. [1]. However, if an attack were to breach these protections (non-updated rules, direct infection of an industrial PLC following programming or maintenance activities, etc.), what would protect the operative part? Thus, the current solutions can secure level 2 (Supervision), which is the most similar to a traditional “information system”. Our approach complements these IT solutions by positioning itself between layers 0 and 1 to protect it and by relying on the “business knowledge” of ICSs [4].

Sicard1

Figure 1 – Representation of the vulnerabilities present in the lower layers of the CIM architecture[1]

2.      Suggested approach to securing ICSs

The suggested approach combines two techniques: one focusing on safety (IDS), the other on security (filter approach) [4]. To this end, we designed a 3-step methodology, described by Sicard et al. [1] and shown in Figure 2, valid for both the control and the report filters. Firstly, a risk analysis is conducted (step 1) to identify the part of the ICS that must be secured (PLC, parameters). Secondly, since the suggested approach is model-based, the system must be represented by two models: the control model and the process model. These respectively represent the control law (what you want to do) and the set of achievable states of the operative part (what you can do). For each system state, all eligible orders and reports are evaluated; this is the system states exploration phase (step 2). An expert then characterizes each of these states as optimal, prohibited or permissible.

Sicard2

Figure 2 – The filter design methodology used in our approach[1]

During exploitation (step 3), and whenever an order is sent by the PLC or a report comes from the sensors, this information is injected into the models to assess whether the order or report is compatible with those considered as admissible, depending on the current state of the system. First, if the order issued by the PLC puts the system in a critical state, the control filter blocks its execution: this is the context detection mechanism.  Then, a mechanism to calculate the distance between the current state and the prohibited states is implemented to determine the risk of an event causing the system to move into a prohibited state. Last, a mechanism to calculate the trajectory allows us to evaluate whether or not a sequence of orders corresponds to an intention to harm (attack in sequence). The objective is to analyse the orders sent to the actuators to check if they present a risk and to determine if the reports emitted by the sensors are altered. To strengthen the security of ICSs, other detection and protection algorithms have been developed as part of this project [5] such as:

  • a mechanism based on time constraints. This mechanism produces time windows that must be respected by the ICS (time attack),
  • a mechanism monitoring the actuator load to prevent premature ageing,
  • a distinction algorithm to determine if a detection is a failure or an attack,
  • a fallback algorithm that drives the system to a state defined as “safe”.

3.      Illustration of the detection mechanisms developed

The approach is currently applied to various simulation examples (3 tanks [4], 5 tanks [1], [5], trolley/switchpoint…]. Figure 3 highlights mechanisms presented above that involve the notion of distance, trajectory and context detection. On the left, an attack is triggered in state 5, but the order and state reached do not correspond to the control law (dOrdreOpt and dStateOpt are equal to 1), we observe that the trajectory of the system deviates from the optimal one. In addition, a context is detected since the minimum distance to the next forbidden state dStateInt is zero (order blocked). On the right, an attack is launched in state 2; as above, the control law is not respected (dOrdreOpt and dStateOpt are equal to 1), however no critical state is reached since dStateInt is higher than 0.

Sicard3Sicard4

Figure 3 – Illustration of a few attack detection mechanisms. 

In the coming months, this approach will be implemented on an industrial platform to validate the algorithms developed and tested with simulation examples. However, other perspectives are envisaged for the rest of this project, such as the synchronization between several parts secured by filters in an ICS, or the adaptation of our approach to systems whose control law is highly variable.

Acknowledgement

This work is part of a thesis funded by the DGA (Direction Générale de l’Armement, the French Defence Procurement Agency) – Maîtrise de l’information (Information Control) located in Bruz, France. The research is done in the G-SCOP laboratory (http://www.g-scop.grenoble-inp.fr/accueil/) with the help of the CIM platform of the S-mart Grenoble Alpes (http://aip.grenoble-inp.fr/accueil/).

References

[1]  F. Sicard, É. Zamaï and J.-M. Flaus, “Cyberdéfense des systèmes de contrôle-commande industriels : une approche par filtres basée sur la distance aux états critiques pour la sécurisation face aux cyberattaques” (Cyber defence of industrial control systems: a filter-based approach based on distance from critical states for more security against cyberattacks) in C&esar 2017 – La protection des données face à la menace cyber (Data protection against cyber threat), Rennes, France, 2017.

[2]  S. McLaughlin et al., “The Cybersecurity Landscape in Industrial Control Systems,” Proc. IEEE, vol. 104, no. 5, pp. 1039–1057, May 2016.

[3]  Y. Fourastier and L. Pietre-Cambacedes, Cybersécurité des installations industrielles : défendre ses systèmes numériques (Cybersecurity of industrial installations: defending its digital systems), Cépaduès Editions, 2015.

[4]  F. Sicard, É. Zamaï and J. M. Flaus, “Distance Concept Based Filter Approach for Detection of Cyberattacks on Industrial Control Systems,” presented at the IFAC World Congress, GdR MACS Young PhD Researchers – Open Invited Track of Extended Abstract, Toulouse, France, 2017.

[5]  F. Sicard, E. Zamai and J.-M. Flaus, “Critical States Distance Filter Based Approach for Detection and Blockage of Cyberattacks in Industrial Control Systems,” in Diagnosability, Security and Safety of Hybrid Dynamic and Cyber-Physical Systems, Springer International Publishing AG 2018., M. Sayed-Mouchaweh, 2018