‘Fingerprinting’ and neural nets could help protect power grid, other industrial systems

Scenario: Terrorists have just hacked into the U.S. electrical grid and sent false data or malicious commands to destroy a remote electrical substation, turning off power to a city…
March 1, 2016

Electrical substation (credit: Fitrah Hamid, Georgia Tech)

Georgia Tech researchers have developed a device fingerprinting technique that could improve the security of the electrical grid and other industrial systems.

“The stakes are extremely high; the systems are very different from home or office computer networks,” said Raheem Beyah, an associate professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology.

The networked systems controlling the U.S. electrical grid and other industrial systems, carried out over supervisory control and data acquisition (SCADA) protocols, often lack the ability to run modern encryption and authentication systems. The legacy systems connected to them were never designed for networked security, Beyah said. Because they are distributed around the country, often in remote areas, the systems are also difficult to update using the “patching” techniques common in computer networks.

Fingerprinting to detect false data or commands

Points of attack in a power substation network (credit: David Formby et al./Network and Distributed System Security Symposium)

That is why Beyah and his team have developed “fingerprinting techniques” to protect the various operations of the power grid, preventing or minimizing the spoofed packets that could be injected to feed false data or false control commands into the system. “This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks,” he said. “We believe it can be used to significantly improve the security of the grid and other networks.”

For instance, control devices used in the power grid produce signals that are distinctive because of their unique physical configurations and compositions. Security devices listening to signals traversing the grid’s control systems can differentiate between these legitimate devices and signals produced by equipment that’s not part of the system.

Devices such as circuit breakers and electrical protection systems can also be told to open or close remotely, and they then report on the actions they’ve taken. The time required to open a breaker or a valve is determined by the physical properties of the device. If an acknowledgement arrives too soon after the command is issued — less time than it would take for a breaker or valve to open, for instance — the security system could suspect spoofing, Beyah explained.

To develop the device fingerprints, the researchers have built computer models of utility grid devices to understand how they operate. Information to build the models came from “black box” techniques, which watch the information that goes into and out of the system, and “white box” techniques, which use schematics or physical access to the systems. From these, the team derived unique signatures that indicate the identity of specific devices, the device type, or associated actions.

The researchers used supervised learning techniques when a list of IP addresses and their corresponding device types was available, and unsupervised learning when no such list was available, with performance nearly as high as the supervised learning methods.
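As an added illustration of the operation-time check Beyah describes (example code written for this page, not the Georgia Tech team's tool): a constructed training set of command-to-acknowledgement delays, labelled by device type as in the supervised setting above, gives a physical lower bound per type, and a constructed event log is then checked for acknowledgements that arrive sooner than the device could act or that answer no command at all. The three-sigma lower bound, the device names and the delay values are all assumptions.

```python
from statistics import mean, stdev

def build_profiles(samples):
    """samples: {device_type: [observed command->ack delays in seconds]}
    from a capture labelled by device type (the article's supervised
    setting). Returns the fastest physically plausible delay per type;
    mean minus three standard deviations is this example's assumption."""
    return {dtype: max(0.0, mean(d) - 3 * stdev(d)) for dtype, d in samples.items()}

def check_events(events, min_delay):
    """events: (timestamp_s, device_id, device_type, 'cmd' | 'ack').
    Flags acknowledgements that arrive faster than the device could
    physically act, and acknowledgements with no outstanding command."""
    pending, alerts = {}, []
    for ts, dev, dtype, kind in sorted(events):
        if kind == "cmd":
            pending[dev] = ts
        elif kind == "ack":
            if dev not in pending:
                alerts.append((dev, None, "ack without command"))
                continue
            delay = ts - pending.pop(dev)
            if delay < min_delay[dtype]:
                alerts.append((dev, delay, "ack faster than physical minimum"))
    return alerts

# Constructed training delays (seconds) for two hypothetical device types.
TRAINING = {
    "breaker": [0.055, 0.060, 0.058, 0.062, 0.057],
    "valve": [1.9, 2.1, 2.0, 2.2, 1.8],
}
# Constructed event log: BRK-2 is acknowledged 2 ms after the command,
# far below any observed breaker operation; VLV-2 reports an action
# that was never commanded.
EVENTS = [
    (10.000, "BRK-1", "breaker", "cmd"), (10.059, "BRK-1", "breaker", "ack"),
    (20.000, "BRK-2", "breaker", "cmd"), (20.002, "BRK-2", "breaker", "ack"),
    (30.000, "VLV-1", "valve", "cmd"), (32.050, "VLV-1", "valve", "ack"),
    (40.000, "VLV-2", "valve", "ack"),
]

def run_demo():
    """Returns the alerts raised on the constructed log (two expected)."""
    return check_events(EVENTS, build_profiles(TRAINING))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```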

The researchers have demonstrated the technique on two electrical substations, and plan to continue refining it until it becomes close to 100 percent accurate. Their current technique addresses the protocol used by more than half of the devices on the electrical grid, and future work will include examining how the method applies to other protocols.

Other vulnerable systems

Beyah believes the approach could have broad application to securing industrial control systems used in manufacturing, oil and gas refining, wastewater treatment and other industries that use devices with measurable physical properties. Beyond industrial controls, the principle could also apply to the Internet of Things (IoT), where the devices being controlled have specific signatures related to switching them on and off.

“All of these IoT devices will be doing physical things, such as turning your air-conditioning on or off,” Beyah said. “There will be a physical action occurring, which is similar to what we have studied with valves and actuators.”

The research, reported February 23 at the Network and Distributed System Security Symposium in San Diego, was supported in part by the National Science Foundation (NSF). The approach has been successfully tested in two electrical substations.


Abstract of Who’s in Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems

Industrial control system (ICS) networks used in critical infrastructures such as the power grid present a unique set of security challenges. The distributed networks are difficult to physically secure, legacy equipment can make cryptography and regular patches virtually impossible, and compromises can result in catastrophic physical damage. To address these concerns, this research proposes two device type fingerprinting methods designed to augment existing intrusion detection methods in the ICS environment. The first method measures data response processing times and takes advantage of the static and low-latency nature of dedicated ICS networks to develop accurate fingerprints, while the second method uses the physical operation times to develop a unique signature for each device type. Additionally, the physical fingerprinting method is extended to develop a completely new class of fingerprint generation that requires neither prior access to the network nor an example target device. Fingerprint classification accuracy is evaluated using a combination of a real world five month dataset from a live power substation and controlled lab experiments. Finally, simple forgery attempts are launched against the methods to investigate their strength under attack.