Ph.D. Dissertation Defense - David Formby
Title: Network Based Fingerprinting Techniques for Industrial Control Systems
Committee:
Dr. Raheem Beyah, Chair, Advisor
Dr. John Copeland, Co-Advisor
Dr. Henry Owen, ECE
Dr. Yusun Chang, ECE
Dr. Alenka Zajic, ECE
Dr. Saman Zonouz
Abstract:
Fingerprinting techniques operating over the network were proposed to identify various aspects of industrial control systems (ICSs) including software, hardware, and physical devices. First, a detailed traffic characterization was performed on several power substation networks to guide the development of the techniques. Round trip times for the resource-starved embedded devices were observed to be heavily clustered based on device type no matter how large the physical distance between them, suggesting they were largely based on processing time. This insight led to the development of cross-layer response time fingerprinting to passively identify device types based on the processing time between TCP level acknowledgments and application layer responses, with classification accuracy reaching 99% on real-world substation traffic. Complementing these techniques by addressing a different aspect of ICS networks, methods were developed to fingerprint the physical devices of the ICS. Previous work on physical fingerprinting was extended to improve relay classification from 92% to 100% and extend the scope of the methods to valves, motors, and pumps. Building on the idea behind the cross-layer response time methods, techniques were explored that expand the scope to general programmable logic controllers by generating program fingerprints from the execution times of control programs. The security of this technique was enhanced by the addition of proof-of-work functions to provide an upper bound guarantee that no additional instructions are being executed in the program. Performance of all the fingerprinting techniques was discussed with respect to their potential to contribute to a holistic, ICS-specific intrusion detection system.
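The cross-layer response time measurement described in the abstract, shown as an added Python example that is not code from the dissertation: for each polled device it takes the gap between the device's pure TCP ACK of a request and its application-layer reply, then matches the median against per-type reference values. The addresses, the packet trace, the signature values, the tolerance and the nearest-median matcher are all constructed assumptions standing in for the dissertation's data and classifier.

```python
from collections import defaultdict
from statistics import median

MASTER = "10.0.0.1"  # constructed addresses; timestamps are integer microseconds
# Constructed trace: (ts_us, src, dst, tcp_seq, tcp_ack, payload_len)
TRACE = [
    (0, MASTER, "10.0.0.11", 1000, 500, 12),       # request from the master
    (400, "10.0.0.11", MASTER, 500, 1012, 0),      # TCP-level ACK
    (2400, "10.0.0.11", MASTER, 500, 1012, 20),    # application-layer response
    (50000, MASTER, "10.0.0.12", 7000, 900, 12),
    (50900, "10.0.0.12", MASTER, 900, 7012, 0),
    (65900, "10.0.0.12", MASTER, 900, 7012, 20),
    (100000, MASTER, "10.0.0.11", 1012, 520, 12),
    (100350, "10.0.0.11", MASTER, 520, 1024, 0),
    (102450, "10.0.0.11", MASTER, 520, 1024, 20),
    (150000, MASTER, "10.0.0.12", 7012, 920, 12),
    (165500, "10.0.0.12", MASTER, 920, 7024, 20),  # ACK piggybacked: no sample
    (200000, MASTER, "10.0.0.12", 7024, 940, 12),
    (200800, "10.0.0.12", MASTER, 940, 7036, 0),
    (215400, "10.0.0.12", MASTER, 940, 7036, 20),
]
# Hypothetical reference medians per device type, in microseconds
SIGNATURES = {"device-type-A": 2000, "device-type-B": 15000}

def cross_layer_response_times(packets, master):
    """Per device: time from its pure TCP ACK of a request to its app-layer reply."""
    pending, samples = {}, defaultdict(list)
    for ts, src, dst, seq, ack, length in sorted(packets):
        if src == master and length > 0:
            pending[dst] = {"expect": seq + length, "ack_ts": None}
        elif dst == master and src in pending and ack == pending[src]["expect"]:
            if length == 0:
                if pending[src]["ack_ts"] is None:  # ignore duplicate ACKs
                    pending[src]["ack_ts"] = ts
            else:
                ack_ts = pending.pop(src)["ack_ts"]
                if ack_ts is not None:  # skip replies that carried the ACK themselves
                    samples[src].append(ts - ack_ts)
    return dict(samples)

def classify(times_us, signatures, tolerance_us=1000):
    """Nearest-median match; 'unknown' flags a device that fits no known type."""
    m = median(times_us)
    label, ref = min(signatures.items(), key=lambda kv: abs(kv[1] - m))
    return label if abs(ref - m) <= tolerance_us else "unknown"

if __name__ == "__main__":
    for dev, t in cross_layer_response_times(TRACE, MASTER).items():
        print(dev, t, classify(t, SIGNATURES))
```

Because the measurement starts at the device's own ACK rather than at the master's request, network propagation delay cancels out, which is why the abstract's observation about physical distance holds. An "unknown" result is the case an intrusion detection system would alert on.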
Status
- Workflow Status: Published
- Created By: Jacqueline Trappier
- Created: 08/09/2017
- Modified By: Jacqueline Trappier
- Modified: 08/09/2017