Researchers: Virgil Gligor, Soo Bum Lee
Real-life and simulated attacks against Industrial Control Systems (ICSs) have shown that malicious software code can have kinetic consequences that yield substantial infrastructure destruction. While these types of attacks could be anticipated, their lethality in real-life incidents will undoubtedly inspire others to seek new opportunities to damage (or threaten to damage) parts of critical ICS infrastructures. Hence, countering such attacks using realistic commodity systems is a critical concern. Several research objectives will guide our work in this area.
First, attacks against ICSs are persistent: they are enabled by fundamental business considerations and by human behavior (i.e., insider attacks), and hence are very unlikely to disappear in the future. These considerations include (1) the use of commodity software and hardware platforms, (2) the increased complexity of physical processes and embedded physical controllers, and (3) external connectivity to corporate networks and the Internet for troubleshooting, scalable maintenance, and efficient operations. Hence, a primary objective is to investigate the vulnerability of realistic ICSs to persistent attacks.

Second, the notion of the “attack vector” has been used widely in the technical literature and in discourse, with very different meanings. Some use it to mean vulnerability to attacks, without specifying the adversary capabilities and the steps necessary to exploit a particular vulnerability. Others define attack vectors via attacker models, which describe attackers’ generic capabilities without specifying the locus of attack, the asset, or the vulnerability to be exploited. Hence, another important objective is to provide a unified definition of “attack vectors” that enables clear and precise definitions of adversary behaviors.

Third, we will define a set of specific assurances (i.e., desired system properties) that leverage measurable properties of physical processes to prevent, avoid, or detect anomalous system states, and that hold in the continuous presence of an adversary.

Finally, we will define system architectures that enable the composition of assurances obtained for independently verified components.
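As an added illustration of the third objective (it is not code from this research project), the following example checks reported sensor readings against a measurable property of the physical process itself. The tank model, its flow rates, its tolerance, and the trace are all constructed assumptions: the level of a tank with one pump and one drain valve must follow a mass balance given the commanded actuator states, so a reported level that stays flat while the pump runs and the valve is closed is physically inconsistent, regardless of what the control software claims.

```python
"""Physics-based invariant check for a simple tank process (constructed example).

The process model, rates, tolerance, and trace below are assumptions for
illustration only; they are not parameters of any real ICS or of the research
described on the page.
"""
from dataclasses import dataclass

# Assumed plant parameters (hypothetical units: level in cm, flows in cm per tick).
Q_IN = 5.0         # level rise per tick while the pump runs
Q_OUT = 3.0        # level drop per tick while the drain valve is open
TOLERANCE = 1.0    # allowed deviation between predicted and reported level
LEVEL_MAX = 100.0  # physical capacity of the tank


@dataclass(frozen=True)
class Sample:
    tick: int
    level: float       # level reported by the sensor
    pump_on: bool      # commanded actuator states at this tick
    valve_open: bool


def predict_level(prev: Sample) -> float:
    """Mass balance: the next level follows from the previous level and actuator states,
    clamped to the physical range of the tank."""
    delta = (Q_IN if prev.pump_on else 0.0) - (Q_OUT if prev.valve_open else 0.0)
    return min(max(prev.level + delta, 0.0), LEVEL_MAX)


def check_trace(trace):
    """Return (tick, reason) pairs for every sample that violates a physical invariant."""
    findings = []
    for prev, cur in zip(trace, trace[1:]):
        if not 0.0 <= cur.level <= LEVEL_MAX:
            findings.append((cur.tick, "level outside physical range"))
            continue
        expected = predict_level(prev)
        if abs(cur.level - expected) > TOLERANCE:
            findings.append((cur.tick,
                             f"reported level {cur.level:.1f} inconsistent with actuators "
                             f"(expected ~{expected:.1f})"))
    return findings


# Constructed trace: ticks 0-4 are consistent with the model. From tick 5 on the
# pump is running with the valve closed, yet the reported level stays flat, which
# is what an operator console would see if stale sensor readings were being
# replayed while the actuators were driven elsewhere.
TRACE = [
    Sample(0, 40.0, True, False),
    Sample(1, 45.0, True, False),
    Sample(2, 50.0, True, True),
    Sample(3, 52.0, True, True),
    Sample(4, 54.0, True, False),
    Sample(5, 54.0, True, False),   # model predicts ~59
    Sample(6, 54.0, True, False),   # model predicts ~59 again
]

if __name__ == "__main__":
    for tick, reason in check_trace(TRACE):
        print(f"tick {tick}: {reason}")
```

The check depends only on the commanded actuator states and the physics, not on trusting the sensor path, which is why it can still hold when the software between sensor and operator is compromised; the tolerance should be set from the real process's measurement noise and model error, not from a constant as here.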
The results of this research will be demonstrated by compelling examples of networked commodity systems in which operators can control remote ICS devices in the continuous presence of malware, external network adversaries, and privileged insiders. A key result will be the demonstration of a practical design that counters attacks in the classes of Stuxnet, Duqu, Flame, and Night Dragon.