Introduction to Attacks on Cyber Physical Systems


In Part 7 of this Cyber Physical Systems series, I introduce the different types of attacks that can target these systems and discuss the layers at which they occur.


Attacks on CPS

Reliability, fault tolerance and robust control were once considered enough to protect CPSs from cyber-attacks. For more than a decade, however, it has been clear that these mechanisms only cope with non-malicious failures.

These mechanisms, for instance fault detection, can be bypassed by an adversary who sends incorrect data that is plausible and consistent with the system configuration, yet erroneous enough to cause problems for the system.

An example is an attacker injecting a small amount of false data into sensor readings: each injection is too small for the fault-detection system to flag as an anomaly, but over a long period the accumulated error drives the system into a dangerous state.
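To make the point concrete, here is an added example that is not part of the original post: a toy tank-level control loop with a one-step-prediction bad-data detector, a proportional controller, and an attacker who biases the level reading. All parameters (setpoint, gain, threshold, the 0.02 m ramp and the 3 m jump) are constructed for illustration. The slow ramp keeps every residual at 0.02 m, far below the 0.5 m alarm threshold, while the true level climbs past the overflow line; the abrupt bias of the same kind trips the detector immediately.

```python
# Added example (not from the original post): a toy tank-level loop with a
# residual-based bad-data detector, showing why a slowly ramping sensor bias
# evades the detector while an abrupt bias does not.
# All parameters below are constructed for illustration.

DT = 1.0          # sample period (s)
Q_OUT = 1.0       # constant outflow (m^3/s)
U_MAX = 5.0       # inflow valve limit (m^3/s)
KP = 0.5          # proportional gain of the level controller
SETPOINT = 5.0    # desired level (m)
OVERFLOW = 8.0    # physical overflow level (m)
THRESHOLD = 0.5   # detector alarms when |residual| exceeds this (m)
STEPS = 400


def controller(measured_level):
    """Proportional level controller: feed-forward the outflow, correct the error."""
    u = Q_OUT + KP * (SETPOINT - measured_level)
    return max(0.0, min(U_MAX, u))


def sensor_bias(attack, step, delta=0.02, jump=-3.0, start=50):
    """Bias the attacker adds to the true level before it reaches the controller."""
    if attack == "stealthy":
        return -delta * step              # ramps slowly: reads lower and lower
    if attack == "abrupt":
        return jump if step >= start else 0.0
    return 0.0


def simulate(attack="none"):
    """Run the closed loop and report whether the detector fired and how high the
    true level got. Attack modes: "none", "abrupt", "stealthy"."""
    level = SETPOINT
    prev_y = prev_u = None
    alarm_step = None
    max_level = level
    for k in range(STEPS):
        y = level + sensor_bias(attack, k)        # what the controller sees
        if prev_y is not None:
            # One-step model prediction from the last reading and the last command.
            y_hat = prev_y + DT * (prev_u - Q_OUT)
            residual = y - y_hat
            if alarm_step is None and abs(residual) > THRESHOLD:
                alarm_step = k
        u = controller(y)
        level = max(0.0, level + DT * (u - Q_OUT))  # true plant update
        max_level = max(max_level, level)
        prev_y, prev_u = y, u
    return {"alarm_step": alarm_step, "max_level": round(max_level, 3),
            "overflowed": max_level > OVERFLOW}


if __name__ == "__main__":
    for mode in ("none", "abrupt", "stealthy"):
        print(mode, simulate(mode))
```

The detector here has no noise to contend with, so the residual under the ramp is exactly the per-step increment; a real detector with a noise margin is even easier to slip under, which is why cumulative-sum style detectors are preferred over per-sample thresholds in this setting.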

The data transmission layer carries information over the communication network. This reliance on a communication network makes CPSs more vulnerable to network attacks: the behaviour of a CPS may be changed by a network attack, after which the CPS reaches an unsafe state that damages the system.

That unsafe state then affects production processes and poses a threat to the economy and society.

As an example, a nuclear plant was shut down for 48 hours because of a software update.

This highlights that updates and patching might violate safety certifications. Additionally, preventing unauthorized users from accessing a CPS might also lock out first responders who need access to the system in an emergency.

Security solutions should take these CPS safety concerns into account when designing and deploying new security mechanisms.


Types of Attacks

Attacks can happen at any point in the general architecture of a CPS.

Attack 1

An attacker who has compromised a sensor (e.g. because the sensor data is unauthenticated, or because the attacker holds the sensors' secret key) injects false sensor signals, causing the control logic of the system to act on malicious data. When the false signal is injected through the physical channel rather than through software, this is called a transduction attack (discussed below).

Once the sensor is compromised, the attacker can induce wrong measurements that are carried to the controller, which then makes decisions based on wrong data (e.g. opening a valve).

Attack 2

An attacker in the communication path between sensor and controller can delay or completely block the information flowing from the sensors to the controller, so the controller loses observability of the system (loss of view). Examples are DoS and stale-data attacks.

Attack 3

An attacker who has compromised the controller sends incorrect control signals to the actuators, for example by reprogramming a PLC with a malicious program.

Attack 4

An attacker delays or blocks control commands, causing a denial of control; this is effectively a DoS against the actuators.

Attack 5

An attacker who has compromised the actuators executes control actions that differ from what the controller intended. An attacker can also study the control system by collecting data and then craft a zero dynamics attack (ZDA).

A ZDA exploits the zero dynamics of the control loop: the attacker shapes the actuator input so that its effect is invisible at the measured outputs while the internal state is pushed into an unstable, overcorrecting or self-destructive behaviour.

Attack 6

An attacker physically attacks the system, destroying part of the infrastructure.

Attack 7

An attacker delays or blocks communications to and from the supervisory control systems or devices (HMI, SCADA, historian).

Attack 8

An attacker compromises or impersonates the SCADA system or the configuration devices and sends malicious control or configuration changes to the controller. An example is the attacks on the power grid in Ukraine, where the attackers compromised computers in the SCADA control room.


Traditionally, attacks on CPSs have been software-based. However, the integrity of a CPS can be compromised without any computer-based exploit, through what are called transduction attacks: attackers find a physical way to inject false signals (similar to Attack 1) by targeting the way sensors capture real-world data.

Attackers can inject a false sensor reading, or even a false actuator action, by manipulating the physical environment around the sensor.

For example, attackers can use speakers to disturb the gyroscope of a drone, exploit the wires between sensors and controllers as unintentional receiving antennas, use intentional electromagnetic interference (IEMI) to make an actuator follow the attacker's commands, or inject inaudible voice commands into digital assistants.

The simplest IEMI attack on an analogue sensor involves transmitting a narrow-band sinusoidal signal that induces an AC voltage on the victim circuit; think of it as adding a large amount of noise to the measurements the sensor should be acquiring.

Classification of Attacks

Network attacks on CPSs are typically classified by the layer they target:

  1. Attacks on the perception execution layer

  2. Attacks on the data transmission layer

  3. Attacks on the application control layer

Perception Layer Attacks

Devices in this layer are often deployed in unsupervised environments and are easily targeted. These attacks are further divided into:

  1. Actuator enablement attacks (AE)

  2. Actuator disablement attacks (AD)

  3. Sensor erasure attacks (SE)

  4. Sensor insertion attacks (SI)

For example, it is possible to change sensor readings (by erasing a genuine sensor event or inserting a fictitious one) or to change actuator commands (from disable to enable).

As a result, an unsafe state may be reached in the environment.

Consider an attack scenario in which the attacker has infiltrated a set of vulnerable actuators and overrides the supervisor's "disable" control actions with "enable" actions for the compromised actuators.

The attacker's goal is to use these enabled actions to drive the system to an unsafe state. These are called Actuator Enablement Attacks (AE attacks).
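The following is an added example, not code from the original post or from the papers it links, showing how an AE attack (and, for contrast, an AD attack) can be checked on a discrete-event model by plain reachability analysis. The plant is a constructed toy: a tank whose level is abstracted to five states 0..4, where 4 means overflow. The supervisor disables the pump at level 3, which keeps the unsupervised plant away from 4; if the attacker can re-enable the compromised `pump_on` event, the unsafe state becomes reachable, and if the attacker instead forces it off, the loop deadlocks at level 0.

```python
from collections import deque

# Added example (not from the original post). Constructed toy plant: a tank whose
# level is abstracted to five discrete states 0..4; state 4 is overflow (unsafe).
UNSAFE = {4}
# Plant transitions: (state, event) -> next state
TRANSITIONS = {}
for lvl in range(4):
    TRANSITIONS[(lvl, "pump_on")] = lvl + 1   # actuator event: pump raises the level
for lvl in range(1, 5):
    TRANSITIONS[(lvl, "drain")] = lvl - 1     # uncontrollable event: consumption lowers it
CONTROLLABLE = {"pump_on"}                     # only actuator events can be disabled


def supervisor_disables(state):
    """Supervisor policy: forbid pumping at level 3 so the plant can never reach 4."""
    return {"pump_on"} if state >= 3 else set()


def enabled_events(state, attack, compromised):
    """Events that can actually fire in `state` under the given attack model.
    AE: attacker re-enables compromised actuator events the supervisor disabled.
    AD: attacker forces compromised actuator events off regardless of the supervisor."""
    disabled = set(supervisor_disables(state))
    if attack == "AE":
        disabled -= compromised
    elif attack == "AD":
        disabled |= compromised & CONTROLLABLE
    return {ev for (s, ev) in TRANSITIONS if s == state and ev not in disabled}


def reachable(init=0, attack="none", compromised=frozenset()):
    """Breadth-first reachability of the supervised plant; returns (states, deadlocks)."""
    seen, queue, deadlocks = {init}, deque([init]), set()
    while queue:
        s = queue.popleft()
        evs = enabled_events(s, attack, compromised)
        if not evs:
            deadlocks.add(s)       # nothing can fire: the loop is stuck here
        for ev in evs:
            nxt = TRANSITIONS[(s, ev)]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, deadlocks


def unsafe_reachable(attack, compromised=frozenset({"pump_on"})):
    """True if some unsafe state is reachable from the initial state under `attack`."""
    states, _ = reachable(0, attack, compromised)
    return bool(states & UNSAFE)


if __name__ == "__main__":
    for mode in ("none", "AE", "AD"):
        states, deadlocks = reachable(0, mode, frozenset({"pump_on"}))
        verdict = "unsafe" if states & UNSAFE else "safe"
        print(mode, sorted(states), verdict, "deadlocks:", sorted(deadlocks))
```

The same reachability routine is what a designer would run when deciding which actuators must be hardened: any compromised set for which `unsafe_reachable("AE", ...)` is true needs either authenticated commands to the actuator or a supervisor that is itself resilient to that attack.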

A good paper to read about it is found here.


Additionally, if you want more information, two papers can be found here and here.

Data Transmission Layer Attacks

This layer bridges the perception and application layers. It mainly transmits data over communication networks such as the Internet, a private network or a LAN.

The diversity of network access methods and the complexity of network equipment and architectures introduce security issues of their own for CPSs.

If the data transmission layer is compromised, the information carried over the attacked channel can be altered at will, especially where communication is unencrypted and unauthenticated.

MITM (man-in-the-middle) is a powerful attack on a compromised transmission layer: the attacker can observe, hide, create and even modify information as it passes from one device to another.

DoS (denial of service) can cut off communication between actuator and controller, effectively leaving the system out of control. It is typically achieved by flooding the target with a large number of invalid service requests. Remember that the embedded systems used in OT do not have the processing power and memory to cope with ordinary IT traffic volumes.

Application Layer Attacks

This layer consists of controllers and user applications that generate control commands based on the information received from the perception layer (via the transmission layer).

Some applications store large amounts of data such as consumption habits and personal information. Attacks here can lead to unauthorized access, leaks of private information and compromise of the lower layers.

Because of the diversity of applications and their protocols, securing the application control layer is a major challenge. Security concerns in this layer are closer to traditional IT security than to ICS network security.


Many ICS breaches use attack vectors that were eliminated from IT networks long ago. Attacks in OT can also target the protocol itself directly, which is easy to accomplish with protocols that implement no encryption or integrity checks.
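The following added example (not code from the original post, and not a real OT protocol) serves three points above at once: the stale-data attack of Attack 2, the MITM on an unencrypted transmission layer, and the lack of integrity checks just mentioned. It defines a constructed write-register frame with no integrity protection, shows an on-path attacker rewriting the value without the receiver noticing, and then adds a truncated HMAC-SHA256 tag plus a strictly increasing sequence number so the receiver rejects both the modified frame and a replayed old one. The key, frame layout and register numbers are all assumptions made for the demo.

```python
import hmac
import hashlib
import struct

# Added example (not from the original post). Constructed toy write-register frame:
#   seq (4 bytes) | register (2 bytes) | value (2 bytes), big-endian.
# The "plain" variant carries no integrity check, like many legacy OT protocols.
# The "auth" variant appends a truncated HMAC-SHA256 over the frame and the receiver
# enforces a strictly increasing sequence number. KEY is an assumed pre-shared key.
KEY = b"constructed-demo-key-not-for-production"
HDR = struct.Struct(">IHH")
TAG_LEN = 16


def build_plain(seq, register, value):
    return HDR.pack(seq, register, value)


def parse_plain(frame):
    """Plain receiver: whatever arrives is taken at face value."""
    seq, reg, val = HDR.unpack(frame)
    return {"seq": seq, "register": reg, "value": val}


def _tag(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def build_auth(seq, register, value):
    body = HDR.pack(seq, register, value)
    return body + _tag(body)


class AuthReceiver:
    """Verifies the MAC, then rejects anything not newer than the last accepted frame."""

    def __init__(self):
        self.last_seq = -1

    def accept(self, frame):
        body, tag = frame[:HDR.size], frame[HDR.size:]
        if len(tag) != TAG_LEN or not hmac.compare_digest(_tag(body), tag):
            return None, "bad_mac"            # modified in transit (or forged)
        seq, reg, val = HDR.unpack(body)
        if seq <= self.last_seq:
            return None, "stale_or_replay"   # old frame re-sent or delivered late
        self.last_seq = seq
        return {"seq": seq, "register": reg, "value": val}, "ok"


def mitm_rewrite_value(frame, new_value):
    """On-path attacker flips the value field in place; everything else untouched."""
    off = HDR.size - 2
    return frame[:off] + struct.pack(">H", new_value) + frame[off + 2:]


def demo():
    """Returns what each receiver does with an altered and a replayed frame."""
    tampered_plain = parse_plain(mitm_rewrite_value(build_plain(7, 0x0010, 0), 100))
    rx = AuthReceiver()
    first = build_auth(7, 0x0010, 0)
    _, ok = rx.accept(first)
    _, tampered = rx.accept(mitm_rewrite_value(build_auth(8, 0x0010, 0), 100))
    _, replayed = rx.accept(first)
    _, fresh = rx.accept(build_auth(9, 0x0010, 0))
    return {"plain_value_seen": tampered_plain["value"], "first": ok,
            "tampered": tampered, "replayed": replayed, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```

A sequence number only catches replays and reordering; to catch a frame that is delayed but still newer than the last one accepted (the stale-data case), the receiver additionally needs a timestamp or a heartbeat deadline, which is the "loss of view" signal the controller should act on.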

Control-theoretic cyber attacks target the control system's mechanisms and design, the zero dynamics attack being one example. Understanding them requires extensive knowledge of control system design theory, which is out of the scope of this post.

The linked survey of attacks on CPSs is worth studying; it also covers attacks that are specific to control systems.

Previous: Introduction to Cyber Physical System Vulnerabilities

Next: Introduction to Cyber Physical System Challenges