Scanning the Cycle: Timing-based Authentication on PLCs（扫描周期：基于时序的PLC认证）

一、摘要

  本文提出了一种新的PLC认证技术，其目的是在与实时系统兼容的同时提高针对强大攻击者的标准。扫描周期是PLC的一个独特特性，可以通过观察网络流量来被动地进行估计。攻击者通过PLC发出的欺骗命令将偏离此类指纹。为了检测重放攻击，提出了一种PLC水印技术。PLC水印通过将输入/输出建模为PLC的请求/响应消息的函数，对扫描周期和控制逻辑之间的关系进行建模。

二、介绍

  PLC指纹：PLC指纹是其硬件和控制功能的一个函数，即PLC的时序特性。
  PLC水印：建立在扫描周期时间估计和这种估计对控制逻辑的依赖之上，一个PLC水印是一个随机延迟注入控制逻辑，这个水印反映在估计的扫描周期时间。
  扫描循环有三个主要步骤: 1)读取输入，2)执行控制逻辑，3)写入输出。
$$T_{SC}=T_{IN}+T_{CL}+T_{OP}$$
  其中，T_SC是PLC的扫描周期时间，T_IN是输入读取时间，T_CL是控制逻辑执行时间，T_OP是输出写入时间
MSG指令IAT时间：
$$T_{ESC}=T_{Proc}+T_{Txn}+T_{Prog}+T_{SC}+T_{Que}$$
  其中，T_ESC标识MSG指令的到达时间间隔(IAT)，T_Proc是PLC的分组处理延迟，T_Txn和T_Prog分别是包的传输和传播延迟，T_Que代表着排队延迟。
  队列延迟是影响扫描周期估计的重要因素。排队延迟的随机性取决于指向特定PLC的网络流量及其处理器使用情况。

三、威胁建模

  考虑如下的攻击场景: 拒绝服务(DoS)、中间人(MiTM)和伪装。需要注意的是，伪装攻击可以通过MiTM攻击来实现，MiTM攻击也可以丢弃给定PLC产生的原始报文。对于伪装攻击，可以考虑三种类型的攻击者。
（1） Naive，试图模仿PLC，但对PLC的估计扫描周期一无所知。
（2） Powerful Partial Distribution Knowledge (PDK)，它试图模仿PLC，并知道估计的PLC扫描周期的平均值。
（3） Powerful Full Distribution Knowledge (FDK), 它试图模拟PLC，并知道估计扫描周期的全分布。

四、实验评估

  实验在最先进的水处理设施和智能电网试验台进行。该技术在六个不同的Allen Bradley PLC，四个西门子IEDs和四个Wago PLC上进行了测试。

（一）PLC指纹

（1）识别

  将PLC数据与预先创建的模型进行比较，如果配置文件匹配，则返回PLC ID。在测试阶段，如果配置文件与预先训练的模型不匹配，就会发出警报，并宣布潜在的攻击。

  根据实验结果估计的数据扫描周期时间的均值和方差，我们可以轻易区分6个PLC，这种视觉表现证明了基于扫描循环的指纹的存在。据观察，120个样本在识别精度和检测时间之间是一个很好的折衷，精度为96.12%. 平均只需要3.6秒做出检测决定。我们选择的分类器函数的精度在数据划分范围内是稳定的，不取决于数据集大小的选择。指纹对于不同的运行和温度变化是稳定的。

（2）检测

  一个强大的伪装者试图模仿PLC，利用PLC的知识在准确的时间发送假消息。现在，基于网络流量模式的方法无法检测到这个强大的攻击者，因为数据包的数量、数据包长度、报头信息和其他网络配置文件都与正常操作相同。
  如下图1所示，在MiTM和伪装攻击（前两种）场景中，我们提出的技术能够检测到这种攻击，因为攻击者偏离了指纹特征。最右边的图中可以看到尽管数据包的数量和其他网络配置没有那么大的不同，但是这种伪装攻击下的配置文件与正常指纹配置文件有很大的不同。

图1

  在高精度中，通过向攻击者提供估计的扫描周期向量的完整分布，攻击者可以变得更加强大，攻击者能够更加完美模拟PLC，从而避免检测。尽管攻击者拥有完整的分布知识，但在某些情况下，由于攻击者的硬件缺陷，仍然获得了较高的检测率。
  如下图2所示，在全知识分布场景中，攻击者能够模拟PLC的消息传输行为，但在大多数情况下，由于攻击者自身硬件的限制，仍然会暴露出来。

图2

（二）PLC水印

（1）水印建模：闭环反馈系统

  PLC水印利用PLC独特的扫描周期特性与PLC之间交换的网络层数据请求消息之间的关系。PLC水印的思想是将静态指纹扩展为动态、随机生成的方案，以对付强大的攻击者。水印中的随机性是通过以下方式生成的：1）使用PLC的时钟注入随机延迟；2）注入随机数扫描周期计数的水印信号，即添加特定水印的扫描周期数。
  PLC请求和响应消息之间有很强的关系，这种信息交换过程从控制理论的角度可以建模为一个闭环反馈系统，这个系统模型如图3所示。

图3

（2）检测

  定义1：MSG请求和响应的内部到达时间(IAT)分别为定义为x_k 的系统状态，其中k是消息号。
  定义2：MSG响应时间作为系统的输出，如传感器的输出，定义为y_k 。
  定义3：扫描周期的动态、PLC硬件和逻辑复杂性决定了发送到其他PLC的请求消息的动态。这些反映在估计扫描周期中的动态控制接收响应消息的时间。此控制动作表示为u_k其中k是消息号。
  定义4：y_k是系统的输出，它是响应消息定时配置文件。
  定义5： v_k，ŋ_k是由于通信信道而产生的相同且独立分布的噪声源。
  使用子空间系统识别方法，过程动力学可以建模并表示为状态空间形式如下:
$$\begin{gathered} {x_k}_{+1}=A_{x_k}+B_{u_k}+v_k,\text{（}1\text{）} \\ {y}_k=C{x}_k+{\eta }_k\text{（}2\text{）} \end{gathered}$$
  定义6：PLC水印Δu_k：输出，即MSG响应时间，取决于请求MSG配置文件。
  根据公式（1）和（2）的系统模型，使用PLC水印技术可以检测到重放攻击。
  证明：
  重放攻击将使用公式(1)和(2)中定义的正常数据和系统模型。不知道水印的攻击者将被暴露如下:
$$\begin{gathered} x_{k+1}=A{x}_k+B\left(u_k+△u_k\right)+v_k,\left(3\right) \\ {y}_{k+1}=C{x}_{k+1}+{\eta }_{k+1}\left(4\right) \end{gathered}$$
  将x_k+1进行替换之后，得到如（5）所示结果：
$$y_{k+1}=CA{x}_k+CB{u}_k+v_{k+1}+{\eta }_{k+1}+CB\Delta u_k\text{（}5\text{）}$$
  式（5）中的最后一项是利用PLC时钟随机产生的水印信号。这个水印信号将暴露重放攻击。

  其次考虑水印在检测伪装攻击中的作用，图4是强大的伪装攻击的一个例子。在这种情况下，防御者期望在从其他PLC接收到的响应中出现水印，但它没有得到期望的水印并发出警报。

图4

五、总结

  本文提出的技术是第一个利用PLC独特的操作特性来被动和非侵入式创建网络指纹的技术。所提出的PLC指纹识别技术成功地识别了PLC，准确率高达99%，攻击检测准确率高达100%。
  提出了一种用于工业PLC的时序指纹识别技术。该技术用于估计扫描周期时间。可以观察到，PLC可以被唯一识别，而不需要对控制逻辑进行任何修改。可以为同一型号的PLC创建独特的指纹。利用所提出的PLC水印技术，可以检测到具有扫描周期和重放攻击知识的强大攻击者。

[1]Carlos Aguayo Gonzalez and Alan Hinton. 2014. Detecting Malicious Software Execution in Programmable Logic Controllers Using Power Fingerprinting. In Critical Infrastructure Protection VIII. Springer Berlin Heidelberg.
[2]Chuadhry Mujeeb Ahmed and Nandha Kumar Kandasamy. 2020. A Comprehen-sive Dataset from a Smart Grid Testbed for Machine Learning based CPS Security Research. InCPS4CIP Workshop 2020, in conjunction with ESORICS 2020.
[3]Chuadhry Mujeeb Ahmed, Aditya P. Mathur, and Martín Ochoa. 2020. NoiSense Print: Detecting Data Integrity Attacks on Sensor Measurements Using Hardware-Based Fingerprints.ACM Trans. Priv. Secur.24, 1, Article 2 (Sept. 2020), 35 pages. https://doi.org/10.1145/3410447
[4]Chuadhry Mujeeb Ahmed, Martin Ochoa, Jianying Zhou, Aditya P. Mathur,Rizwan Qadeer, Carlos Murguia, and Justin Ruths. 2018. NoisePrint: Attack Detection Using Sensor and Process Noise Fingerprint in Cyber Physical Systems.InAsiaCCS. ACM, NY, USA, 483–497.https://doi.org/10.1145/3196494.3196532
[5]Chuadhry Mujeeb Ahmed, Jay Prakash, Rizwan Qadeer, Anand Agrawal, and Jianying Zhou. 2020.Process Skew: Fingerprinting the Process for Anomaly Detection in Industrial Control Systems. ACM WiSec 2020, New York, NY, USA, 219–230.https://doi.org/10.1145/3395351.3399364
[6]C. M. Ahmed and J. Zhou. 2020. Challenges and Opportunities in Cyberphysical Systems Security: A Physics-Based Perspective.IEEE Security Privacy18, 6 (2020), 14–22. https://doi.org/10.1109/MSEC.2020.3002851
[7]Karl J. Aström and Björn Wittenmark. 1997.Computer-controlled Systems (3rd Ed.). Prentice-Hall, Inc., Upper Saddle River, NJ, USA.
[8]Allen Bradley. 2018. Logix 5000 Controllers Messages.
https://literature.rockwellautomation.com/idc/groups/literature/
documents/pm/1756-pm005_-en-p.pdf.
[9]Allen Bradley. 2018. Logix 5000 Controllers Tasks, Programs, and Routines.https://literature.rockwellautomation.com/idc/groups/literature/documents/pm/1756-pm012_-en-p.pdf.
[10]Alvaro Cardenas, Saurabh Amin, Bruno Sinopoli, Annarita Giani, Adrian Perrig,and Shankar Sastry. 2009. Challenges for Securing Cyber Physical Systems. In Workshop on Future Directions in Cyber-physical Systems Security. DHS. http://chess.eecs.berkeley.edu/pubs/601.html
[11]Marco Caselli, Dina Hadžiosmanović, Emmanuele Zambon, and Frank Kargl.2013. On the Feasibility of Device Fingerprinting in Industrial Control Systems. InCritical Information Infrastructures Security. Springer.
[12]John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer, and Martín Ochoa. 2017. Legacy-Compliant Data Authentication for Industrial Control System Traffic. InApplied Cryptography and Network Security. Springer.
[13]ICS CERT. 2014.ICS-MM201408: May-August 2014. Technical Report. U.S. Department of Homeland Security-Industrial Control Systems-Cyber Emergency Response Team, Washington, D.C. Available online at https://ics-cert.us-cert.gov.
[14]Kyong-Tak Cho and Kang G. Shin. 2016. Fingerprinting Electronic Control Units for Vehicle Intrusion Detection. In25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 911–927.
[15]S. Dey, N. Roy, W. Xu, R. R. Choudhury, and S. Nelakuditi. 2014. Accelprint:Imperfections of accelerometers make smartphones trackable. InNetwork and Distributed System Security Symposium (NDSS). Internet Society.
[16]D. Formby and R. Beyah. 2020. Temporal Execution Behavior for Host Anomaly Detection in Programmable Logic Controllers.IEEE Transactions on Information Forensics and Security15 (2020), 1455–1469.
[17]David Formby, Preethi Srinivasan, Andrew Leonard, Jonathan Rogers, and Ra-heem A Beyah. 2016. Who’s in Control of Your Control System? Device Finger-printing for Cyber-Physical Systems.. InNDSS.
[18]Igor Nai Fovino, Andrea Carcano, Marcelo Masera, and Alberto Trombetta. 2009.An experimental investigation of malware attacks on SCADA systems.IJCIP2, 4(2009), 139 – 145.
[19]P. Gaj, J. Jasperneite, and M. Felser. 2013. Computer Communication Within Industrial Distributed Environment—a Survey.IEEE Transactions on Industrial Informatics9, 1 (Feb 2013), 182–189.https://doi.org/10.1109/TII.2012.2209668
[20]Béla Genge, Dorin Adrian Rusu, and Piroska Haller. 2014. A Connection Pattern-based Approach to Detect Network Traffic Anomalies in Critical Infrastructures.InEuroSec(Amsterdam, The Netherlands)(’14). ACM.
[21]Naman Govil, Anand Agrawal, and Nils Ole Tippenhauer. 2017. On Ladder Logic Bombs in Industrial Control Systems.CoRRabs/1702.05241 (2017). http://arxiv.org/abs/1702.05241
[22]D. Huang, K. Yang, C. Ni, W. Teng, T. Hsiang, and Y. Lee. 2012. Clock Skew Based Client Device Identification in Cloud Environments. In2012 IEEE 26th International Conference on Advanced Information Networking and Applications.526–533. https://doi.org/10.1109/AINA.2012.51
[23]Abdulmalik Humayed, Jingqiang Lin, Fengjun Li, and Bo Luo. 2017. Cyber-Physical Systems Security - A Survey.CoRRabs/1701.04525 (2017).
arXiv:1701.04525 http://arxiv.org/abs/1701.04525
[24]Sungho Jeon, Jeong-Han Yun, Seungoh Choi, and Woonyon Kim. 2016. Passive Fingerprinting of SCADA in Critical Infrastructure Network without Deep Packet Inspection.CoRRabs/1608.07679 (2016). arXiv:1608.07679
[25]T. Kohno, A. Broido, and K. C. Claffy. 2005. Remote physical device fingerprinting.IEEE Transactions on Dependable and Secure Computing2, 2 (April 2005), 93–108. https://doi.org/10.1109/TDSC.2005.26
[26]R. Langner. 2011. Stuxnet: Dissecting a Cyberwarfare Weapon.IEEE Security Privacy9, 3 (May 2011), 49–51. https://doi.org/10.1109/MSP.2011.67
[27]Eireann Leverett and Reid Wightman. 2013. Vulnerability inheritance in pro-grammable logic controllers.GreyHat 2013(2013). https://ics-cert.us-cert.gov/content/cyber-threat-source-descriptions
[28]Ralph E Mackiewicz. 2006. Overview of IEC 61850 and Benefits. In2006 IEEE Power Engineering Society General Meeting. IEEE, 8–pp.
[29]A. P. Mathur and N. O. Tippenhauer. 2016. SWaT: a water treatment testbed for research and training on ICS security. In2016 International Workshop (CySWater).
[30]Robert Mitchell and Ing-Ray Chen. 2014. A Survey of Intrusion Detection Tech-niques for Cyber-physical Systems.ACM Comput. Surv.46, 4, Article 55 (March 2014), 29 pages. https://doi.org/10.1145/2542049
[31]S. B. Moon, P. Skelly, and D. Towsley. 1999. Estimation and removal of clock skew from network delay measurements. InIEEE INFOCOM ’99., Vol. 1. 227–234 vol.1.
[32]X. Morten Gjendemsjø. 2013.Creating a Weapon of Mass Disruption: Attacking Programmable Logic Controllers. Ph.D. Dissertation. Norwegian University of Science and Technology.
[33]Yong Peng, Chong Xiang, Haihui Gao, Dongqing Chen, and Wang Ren. 2015. Industrial Control System Fingerprinting and Anomaly Detection. InCritical Infrastructure Protection IX. Springer.
[34]John Platt, Bernhard Schaklkopf, John Shawe-Taylor, Alex J. Smola, and Robert C. Williamson. 1999.Estimating the Support of a High-Dimensional Distribution. Technical Report MSR-TR-99-87. 30 pages.https://www.microsoft.com/en-us/research/publication/estimating-the-support-of-a-high-dimensional-distribution/
[35]S. V. Radhakrishnan, A. S. Uluagac, and R. Beyah. 2015. GTID: A Technique for Physical DeviceandDevice Type Fingerprinting.IEEE TDSC12, 5 (Sep. 2015).
[36]Ruben Santamarta. 2012. Here be backdoors: A journey into the secrets of in-dustrial firmware.CoRR(2012). https://media.blackhat.com/bh-us-12/Briefings/ Santamarta/BHUS12SantamartaBackdoorsWP.pdf
[37]Swati Sharma, Alefiya Hussain, and Huzur Saran. 2012. Experience with Het-erogenous Clock-skew Based Device Fingerprinting. InLASER ’12(Arlington,Virginia, USA). ACM, NY, USA, 9–18. https://doi.org/10.1145/2379616.2379618
[38]Yasser Shoukry, Paul Martin, Yair Yona, Suhas Diggavi, and Mani Srivastava.2015. PyCRA: Physical Challenge-Response Authentication For Active SensorsUnder Spoofing Attacks. InProceedings of the 22Nd ACM CCS(Denver, Colorado,USA)(CCS ’15).
[39]Robin Sommer and Vern Paxson. 2010. Outside the closed world: On using machine learning for network intrusion detection. In2010 IEEE symposium on security and privacy. IEEE, 305–316.
[40]Samuel J. Stone, Michael A. Temple, and Rusty O. Baldwin. 2015. Detecting Anomalous Programmable Logic Controller Behavior Using RF-based Hilbert Transform Features and a Correlation-based Verification Process.Int. J. Crit.Infrastruct. Prot.9, C (June 2015), 41–51. https://doi.org/10.1016/j.ijcip.2015.02.001
[41]Robert J. Turk. 2005. Cyber incidents involving control systems. https://pdfs.semanticscholar.org/\1f8f/a134eca5fe92143bd154ec9f6446b38b63ae.pdf
[42]David I. Urbina, Jairo A. Giraldo, Alvaro A. Cardenas, Nils Ole Tippenhauer, Junia Valente, Mustafa Faisal, Justin Ruths, Richard Candell, and Henrik Sandberg. 2016. Limiting the Impact of Stealthy Attacks on Industrial Control Systems. In Proceedings of the 2016 ACM CCS(Vienna, Austria)(CCS ’16).
[43]Xiukun Wei, Michel Verhaegen, and Tim van Engelen. 2010. Sensor fault detection and isolation for wind turbines based on subspace identification and Kalman filter techniques.International Journal of Adaptive Control and Signal Processing
24, 8 (2010), 687–707. https://doi.org/10.1002/acs.1162
[44]Peter Welch. 1967. The use of fast Fourier transform for the estimation of power spectra: a method based on time averaging over short, modified periodograms.IEEE Transactions on audio and electroacoustics15, 2 (1967), 70–73.
[45]Theodore J. Williams. 1993. The Purdue Enterprise Reference Architecture. In Proceedings of the JSPE/IFIP TC5/WG5.3 DIISM. North-Holland Publishing Co.,Amsterdam, 43–64. http://dl.acm.org/citation.cfm?id=647134.716786
[46]Bradley C. Wright. 2014.PLC Hardware Discrimination using RF-DNA fin-gerprinting. Ph.D. Dissertation. AIR FORCE INSTITUTE OF TECHNOLOGY.https://apps.dtic.mil/dtic/tr/fulltext/u2/a602984.pdf
[47]Yu-jun Xiao, Wen-yuan Xu, Zhen-hua Jia, Zhuo-ran Ma, and Dong-lian Qi.2017. NIPAD: a non-invasive power-based anomaly detection scheme for pro-grammable logic controllers.Frontiers of Information Technology & Electronic Engineering18, 4 (01 Apr 2017), 519–534. https://doi.org/10.1631/FITEE.1601540
[48]K. Yang, Q. Li, X. Lin, X. Chen, and L. Sun. 2020. iFinger: Intrusion Detection in Industrial Control Systems via Register-based Fingerprinting.IEEE Journal on Selected Areas in Communications(2020), 1–1.
[49]Sebastian Zander and Steven J. Murdoch. 2008. An Improved Clock-skew Mea-surement Technique for Revealing Hidden Services. InProceedings of the 17th  Conference on Security Symposium(San Jose, CA)(SS’08). USENIX Association,Berkeley, CA, USA, 211–225. http://dl.acm.org/citation.cfm?id=1496711.1496726