Title: Detection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior

Date: Monday, June 26, 2023

Time: 12pm – 2pm Eastern Standard Time

Location: Zoom (online) Meeting: https://gatech.zoom.us/j/8741589206

Meeting ID: 874 158 9206

Moses Ike

Ph.D. Candidate in Computer Science

School of Cybersecurity and Privacy

Georgia Institute of Technology

Committee:

Dr. Wenke Lee (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Saman Zonouz, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Uzoma Onunkwo, Cybersecurity Research and Development, Sandia National Laboratories

Dr. Sukarno Mertoguno, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Vijay Madisetti, School of Cybersecurity and Privacy, Georgia Institute of Technology

Abstract:

The increased cyber connectivity in modern Industrial Control Systems (ICS) has improved the overall operations of life-essential industrial processes such as electricity supply. Unfortunately, it also widened the attack surface of ICS, allowing cyber adversaries to penetrate previously air-gapped ICS plants, causing physical disruptions and damages to critical infrastructure. Modern ICS attackers penetrate plants by infecting cyber-facing Supervisory Control and Data Acquisition (SCADA) workstations, which directly manage industrial processes and physical devices. To evade deployed defenses, attackers use knowledge of ICS to blend with normal SCADA activities by injecting just enough malicious command at each step, which overtime leads to damages. This stealthy attack tactic evades current host and sensor-based solutions due to their inability to correlate SCADA operations with their physical effects.

To address this issue, this dissertation proposes a hybrid approach that leverages ICS domain knowledge to correlate control host operations in SCADA with the physical behavior of ICS processes. To demonstrate the efficacy of this approach, I first present an ICS attack detection technique called SCAPHY. SCAPHY leverages the unique execution phases of SCADA to identify the limited set of SCADA API calls to legitimately control physical processes in different phases, which differentiates from attacker’s activities in these phases. SCAPHY detected real past attacks with high accuracy such as the Ukrainian electricity disruption that was launched from the plant’s SCADA systems. Next, to proactively detect attack payloads which have been staged for execution, I present FORECAST, a forward symbolic exploration of SCADA execution states following suspicious ICS process symptoms. FORECAST detects “not-yet-executed” or staged attack behaviors in collected states, and ranks them by their likelihood of future execution, enabling ICS operators to prioritize their attack response workflows. Finally, I present OTGUARD, which extends the ideas from FORECAST into a technique capable of identifying the infection source of ICS attacks across multiple SCADA execution states. OTGUARD uses the physical location of the triggered ICS process symptom to correlate suspicious SCADA execution states leading up to the attack.