Understanding the physical and economic consequences of attacks on control systems

Transcription

1 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) avalable at journal homepage: Understandng the physcal and economc consequences of attacks on control systems Yu-Lun Huang c,, Alvaro A. Cárdenas a, Saurabh Amn b, Zong-Syun Ln c, Hsn-Y Tsa c, Shankar Sastry a a Department of Electrcal Engneerng and Computer Scences, Unversty of Calforna, Berkeley, Calforna 94720, USA b Department of Cvl and Envronmental Engneerng, Unversty of Calforna, Berkeley, Calforna 94720, USA c Department of Electrcal and Control Engneerng, Natonal Chao Tung Unversty, Hsnchu, 30010, Tawan A R T I C L E I N F O A B S T R A C T Artcle hstory: Receved 11 June 2009 Accepted 11 June 2009 Keywords: Control systems Integrty attacks Denal-of-servce attacks Consequences Ths paper descrbes an approach for developng threat models for attacks on control systems. These models are useful for analyzng the actons taken by an attacker who gans access to control system assets and for evaluatng the effects of the attacker s actons on the physcal process beng controlled. The paper proposes models for ntegrty attacks and denal-of-servce (DoS) attacks, and evaluates the physcal and economc consequences of the attacks on a chemcal reactor system. The analyss reveals two mportant ponts. Frst, a DoS attack does not have a sgnfcant effect when the reactor s n the steady state; however, combnng the DoS attack wth a relatvely nnocuous ntegrty attack rapdly causes the reactor to move to an unsafe state. Second, an attack that seeks to ncrease the operatonal cost of the chemcal reactor nvolves a radcally dfferent strategy than an attack on plant safety (.e., one that seeks to shut down the reactor or cause an exploson). c 2009 Elsever B.V. All rghts reserved. 1. Introducton Control systems are computer-based systems used to montor and control physcal processes. They are usually composed of a set of networked devces such as sensors, actuators, controllers, and communcaton devces. Control systems and networks are essental to montorng and controllng many crtcal nfrastructure assets (e.g., electrc power dstrbuton, water treatment, and transportaton management) and ndustral plants (e.g., those used for manufacturng chemcals, pharmaceutcals, and food products). Most of these nfrastructures are safety-crtcal an attack can mpact publc health, the envronment, the economy, and even lead to the loss of human lfe. Control systems are becomng more complex and nterdependent and, therefore, more vulnerable. The ncreased rsk of computer attacks has led to numerous nvestgatons of control system securty (see, e.g., [1 11]). Most of the techncal solutons nvolve extensons and mprovements to tradtonal nformaton technology (IT) mechansms. However, very few solutons consder the nteractons between securty and the physcal processes beng controlled. In partcular, researchers have not consdered how attacks affect the estmaton and control algorthms that regulate physcal systems, and, ultmately, how the attacks affect the physcal envronment. The goal of ths paper s to ntate the development of new threat models for control systems. We argue that a threat assessment must nclude an analyss of how attacks on control systems can affect the physcal envronment n order to: () understand the consequences of attacks, () estmate the possble losses, () estmate the response tme requred by defenders, and (v) dentfy the most cost-effectve defenses. Correspondng author. Tel.: E-mal address: ylhuang@cn.nctu.edu.tw (Y.-L. Huang) /$ - see front matter c 2009 Elsever B.V. All rghts reserved. do: /j.jcp

2 74 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Modelng Attacks Ths secton defnes the control system abstracton and formally models ntegrty and denal of servce (DoS) attacks Notaton Fg. 1 Control system abstracton. Fg. 2 Attacks on control systems. The paper s organzed as follows. The next secton, Secton 2, focuses on formal models of cyber attacks n control systems. Secton 3 descrbes the expermental setup and analyzes the expermental results. The fnal secton, Secton 4, summarzes our conclusons and hghlghts areas for future research. A control system s composed of sensors, controllers, actuators, and the physcal system (plant). Sensors montor the physcal system and send measurements to a controller. The controller sends control sgnals to actuators. Upon recevng a control sgnal, an actuator performs a physcal acton (e.g., openng a valve). Fg. 1 clarfes the relatonshps between the physcal system, sensor sgnals (y), the controller, and control sgnals (u). The followng notaton s used to formally model attacks on control systems. Tme (t): The term t denotes an nstant of tme. A process runs from t = 0 to t = T. Sensor Measurement (y (t)): The term y (t) denotes the value measured by sensor at tme t. Note that,, t, y (t) Y, where Y = [y mn, y max ] (y mn and y max ) are the reasonable mnmum and maxmum values representng the plant state, respectvely. Also, Y = [y 1, y 2,..., y n ] T, where n s the number of sensors. Manpulated Varable (u (t)): The term u (t) denotes the output of controller at tme t. Note that,, t, u (t) U, where U = [u mn, u max ] s the allowable range of controller output values. Attack Duraton (T a ): The term T a denotes the duraton of an attack. An attack starts at t = t s and ends at t = t e. Note that T a = [t s, t e ]. Fg. 3 Chemcal plant.

3 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 4 Plant outputs wthout nose. Fg. 2 dentfes several attacks on control systems. A1 and A3 correspond to ntegrty attacks, where the adversary sends false nformaton ŷ y or û u from (one or more) sensors or controllers. The false nformaton may be an ncorrect measurement, an ncorrect tme when the measurement was observed, or an ncorrect sender dentfer. The adversary can launch these attacks by obtanng the secret keys used by the devces or by compromsng sensors (A1) or controllers (A3). We assume that each devce s unquely authentcated. Therefore, an attacker who compromses the secret key of a devce s able to mpersonate only that devce. A2 and A4 correspond to DoS attacks, where the adversary prevents the controller from recevng sensor measurements or prevents actuators from recevng control commands. The adversary can launch a DoS attack by jammng communcaton channels, compromsng devces and preventng them from sendng data, attackng routng protocols, or floodng the network. A5 corresponds to a drect attack aganst actuators or an external physcal attack on the plant. From an algorthmc perspectve, t s not possble to defend aganst such attacks (asde from detectng them). Therefore, sgnfcant efforts must be mplemented to deter and/or prevent attacks aganst physcal systems (e.g., by mplementng physcal securty controls) Modelng ntegrty attacks A successful ntegrty attack on sensor modfes the real sensor sgnal, causng the nput to the control functon u to be changed from y to ŷ. In an ntegrty attack, the adversary sends a value ŷ or û to a sensor or actuator based on the nformaton avalable to the adversary. In an effort to develop a systematc and trackable treatment of attack strateges, we propose the nvestgaton of max attacks, mn attacks, scalng attacks, and addtve attacks. We assume that all these attacks le wthn U and Y. Note that sgnals outsde ths range are easly detected by fault-tolerant algorthms. The followng attacks can be launched aganst sensors: Mn and Max Attacks: ŷ mn y (t) (t) = y mn for t T a, and ŷ max (t) = y (t) y max for t T a.

4 76 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 5 Plant outputs wth Gaussan nose. Fg. 6 Integrty attack y max 7 from t = 0 to t = 30.

5 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 7 Integrty attack y mn 5 from t = 0 to t = 30. Fg. 8 Integrty attack u mn 3 from t = 0 to t = 30.

6 78 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 9 Integrty attack u max 1 from t = 0 to t = 30. Scalng Attacks: y (t) ŷ s (t) = α (t)y (t) y mn y max Addtve Attacks: y (t) ŷ a (t) = y (t) + α (t) y mn y max for t T a and α y (t) Y for t T a and α y (t) < y mn for t T a and α y (t) > y max. for t T a and y (t) + α (t) Y for t T a and y (t) + α (t) < y mn for t T a and y (t) + α (t) > y max. Smlar attacks can be launched aganst controllers: Mn and Max Attacks: û mn u (t) (t) = u mn for t T a. and û max (t) = u (t) u max Scalng Attacks: u (t) û s (t) = α (t)u (t) u mn u max for t T a. for t T a and α u (t) U for t T a and α u (t) < u mn for t T a and α u (t) > u max. Addtve Attacks: u (t) û a (t) = u (t) + α (t) u mn u max 2.3. Modelng DoS attacks for t T a and u (t) + α (t) U for t T a and u (t) + α (t) < u mn for t T a and u (t) + α (t) > u max. In a DoS attack, we assume that a sensor sgnal does not reach the controller or that a control sgnal does not reach an actuator. Because the controller or actuator wll notce the mssng sgnal, t s necessary to mplement functonalty that enables the devce to respond to ths event. Let û and ŷ denote the response strateges for handlng DoS attacks. A conservatve response strategy uses the last sgnal receved as the current command. In other words, the controller assumes that the mssng sensor measurement s the same as the measurement t last receved: ŷ past (t) = y (t) y (t s ) for t T a. A smlar assumpton can be made for a DoS attack on a control sgnal. In partcular, we assume that an actuator contnues operatng based on the control sgnal correspondng to the manpulated varable value that t last receved: û past (t) = u (t) u (t s ) for t T a.

7 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 10 DoS attack on y Expermental results Ths secton descrbes the expermental setup and analyzes the expermental results Chemcal reactor system A chemcal reactor system wth a proportonal ntegral (PI) control algorthm [12] s nvestgated n ths paper. The dynamcal model was coded n FORTRAN and the control algorthm n Matlab. The attacks were mplemented usng Matlab. Fg. 3 shows the model of the chemcal reactor system. Four chemcal components are nvolved (A, B, C, and D). The goal of the control system s to mantan the rreversble reacton A + C B D at a specfed rate whle keepng the pressure nsde the tank below 3000 kpa. Note that B s an nert component. The chemcal reactor system has three actuators. The frst actuator, whch s controlled by u 1 (t), operates a valve that controls feed F 1 contanng the chemcal components A, B, and C. The second actuator, controlled by u 2 (t), s a valve that controls feed F 2 contanng A. The thrd actuator, controlled by u 3 (t), s a valve that purges the gas created by the chemcal reacton. Each control sgnal u (t) has a range between 0% (the valve s completely closed) and 100% (the valve s completely open). The control algorthm [12] uses data from three sensors that montor the product flow (y 4 ), pressure nsde the tank (y 5 ), and amount of component A n the purge (y 7 ). Note that u 1 s a functon of y 5 and y 4, u 2 s a functon of y 7, and u 3 s a functon of y 5. Fg. 4 shows the chemcal plant outputs wthout any nose nputs. Fg. 5 shows the plant outputs wth Gaussan nose nputs. Specfcally, Gaussan process nose (dsturbance) wth a mean of 0 and a varance of 0.05 s ntroduced at each valve. Note that the dsturbances cause the system not to return to the steady state. The chemcal reactor system s smulated from t = 0 to t = 40 (h). Note that all the attacks n the experments are executed from t = 10 to t = 30 (h) Integrty attacks We assume that the goal of the attacker s to rase the pressure nsde the reactor vessel to an unsafe value (greater than 3000 kpa), causng equpment damage and possbly an exploson. The ntegrty attacks (scalng, addtve, and constant attacks) descrbed n Secton 2.2 were mplemented. Only one sensor or controller was attacked at a tme. The max and mn attacks were the most effectve; however, not all the attacks were able to drve the pressure to an unsafe level. We summarze the results below.

8 80 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 11 DoS attack on y 5 and ntegrty attack on y 4. When a sensor s attacked, the controller can be expected to output an ncorrect control sgnal because t operates on ncorrect sensor nformaton. If an attacker does not know the plant dynamcs or the control algorthm, he/she may compromse a sensor at random. We assume the attacked sensor s y 7. Fg. 6 shows the effect of a y max attack, whch nforms the 7 controller that there s a large amount of component A n the reactor vessel. The smulatons demonstrate that the plant returns to the steady (safe) state after the attack. Furthermore, the pressure n the reactor vessel s always below 3000 kpa. Our experments demonstrate that the chemcal reactor system s very reslent to attacks on y 7, y 4, and u 2. Constant attacks are the most damagng, but they do not move the system to an unsafe state. An attacker wth knowledge about the system dynamcs and control system operaton would recognze that control sgnals u 1 and u 3 drectly nfluence the pressure n the reactor vessel. Furthermore, the sensor that montors the pressure n the reactor vessel tank y 5 would be an attractve target. Fg. 7 shows the results of launchng attack y mn. Durng 5 the attack, the controller beleves the pressure n the tank to be very low (0 kpa). Therefore, t shuts the purge valve wth the goal of ncreasng the pressure. Because the sensor keeps sendng the false pressure readng of 0 kpa, the controller keeps the purge valve shut for the duraton of the attack. In our experments, t took about 20 hours for the attack to ncrease the pressure above 3000 kpa (the unsafe state). Ths tme perod s long enough for plant operators to observe the unusual phenomenon and take the approprate mtgaton steps. In the followng, we dscuss the effects of attackng control sgnals u 1 and u 3, whch appear to be promsng from an attacker s pont of vew. Intutvely, t appears that shuttng down the purge valve would ncrease the pressure. Therefore, we decded to launch attack u mn (t). The results are shown n Fg. 8. The orgnal 3 sgnal computed by the controller s dscarded and the attack forces the purge valve to close. Ths causes the chemcal components to accumulate n the reactor vessel. However, although the accumulaton rases the pressure from 2700 kpa to 2900 kpa (y 5 curve), t does not force the chemcal reactor system to an unsafe state. The reason s that the control sgnal u 1 s also dependent on y 5 ; thus, when the pressure rses, the feed rate s correspondngly reduced. Fnally, we dscuss the effects of launchng attack u max (t) 1 (Fg. 9). The orgnal sgnal computed by the controller s dscarded and the valve for Feed 1 s opened completely. In ths case, large amounts of nput flow to the reactor, causng the pressure to rse above 3000 kpa (y 5 curve). Note that ths attack forces the system to an unsafe state n the shortest tme. We conclude that n order for a plant operator to prevent an attack from movng the system to an unsafe state, he/she should prortze the protecton of the control sgnal u 1. The sensor y 5 s also a prorty. However, because elevatng the

9 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 12 Integrty attack on the Loop 2 controller. pressure by attackng y 5 takes a long tme, the problem may be allevated by montorng the system and mplementng the approprate response when an anomaly s detected DoS attacks Our experments demonstrate that launchng a DoS attack on a sngle devce and mplementng û past or ŷ past does not have a major mpact when the plant reaches a steady state. For example, note that the DoS attack on sensor y 5 n Fg. 10 does not cause the curve for y 5 to change sgnfcantly. Smlar responses are obtaned for all the other sensors and actuators. We conclude that the effects of DoS attacks on ndvdual devces are lmted and that protectng aganst ntegrty attacks should be a prorty. DoS attacks, however, can be launched n combnaton wth nnocuous ntegrty attacks to cause sgnfcant damage. Consder, for example, a DoS attack on y 5 coupled wth an ntegrty attack on the producton rate y 4 (whch ntroduces a small varaton of y s (t) wth α = 0.5). After the attacks 4 are launched, the Loop 1 controller opens the Feed 1 valve to ncrease the producton rate. Ths ncreases the flow of reactants to the reactor vessel, but the pressure sensor y 5, whch s targeted by the DoS attack, fals to observe that the pressure n the vessel s rsng. The resultng accumulaton of reactants causes the pressure to exceed 3000 kpa n a farly short tme. Note that the changes to y 4 and y 5 n Fg. 11 start at tme t = 10 when the attacks are launched Operatng cost attack Apart from forcng the chemcal reactor system to an unsafe state, the attacker may wsh to have a negatve economc mpact by ncreasng ts operatng cost. Such an attack s not easly detected and can produce large economc losses n the long term. Estmatng the cost of an attack n a typcal nformaton technology envronment s often dffcult because t s necessary to produce valuatons for nformaton loss (e.g., stolen data) and opportunty cost (e.g., DoS attack aganst an e- commerce webste). However, estmatng the cost of an attack on a control system s easer because the operatng cost of a plant can be computed based on the reactants consumed and the producton rate. In our plant model, the nstantaneous operatng cost depends on the quanttes of reactants A (y A3 ) and C (y C3 ) and Flow F 3 and Flow F 4. Accordng to Rcker [12], the operatng cost of the chemcal plant s gven by cost = F 3 F 4 (2.206y A y C3 ). (1)

10 82 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) Fg. 13 Integrty attack on y 4. The operatng cost s proportonal to the purge flow (F 3 ) and the quanttes of reactants A (y A3 ) and C (y C3 ) n the purge. Thus, an attacker may ether target a controller to maxmze the purge flow or target a sensor to confuse the controller and ncrease the quanttes of the reactants A and C. Now consder an attack on the Loop 2 controller. In ths case, the purge valve s opened to ncrease the purge flow (larger F 3 value). Fg. 12 shows how the attack ncreases the operatng cost of the plant (from t = 10 to t = 30). Next, consder an ntegrty attack on sensor y 4 that sends an ncorrect (zero) sgnal to the Loop 1 controller ndcatng that there s an nsuffcent quantty of reactants n the tank. In attemptng to the mantan the producton rate, the controller ssues an ncorrect control sgnal u 1 to ncrease the feed rate of A, B, and C by openng the Feed 1 valve. The ncreased quantty of reactants results n hgher producton flow (F 4 ) and hgher reactor pressure (curve y 5 n Fg. 13). However, upon detectng the change n pressure, the Loop 2 controller turns on the purge valve to regulate the pressure. Ths ncreases the purge flow F 3, whch leads to a hgher operatng cost, as shown n Fg. 13. Based on the experment results, we can conclude that targetng the purge flow valve s the most effectve strategy for ncreasng the operatng cost of the chemcal reactor system. 4. Conclusons Formal models of process systems, control systems, and attacks provde a powerful mechansm for reasonng about attacks and ther consequences. The nvestgaton of ntegrty and DoS attacks on a chemcal reactor system reveals several mportant ponts. A DoS attack has relatvely lttle mpact on the system n steady state; however, a DoS attack launched n combnaton wth an nnocuous ntegrty attack can produce serous consequences. An attacker needs to dentfy and attack the key sensors n order to drve a system to an unsafe state; n the case of the chemcal reactor, targetng the reactor pressure sensor s most effectve as t rapdly causes the system to cross the safety threshold. In general, attacks on control sgnals are more serous than attacks on sensor sgnals. Fnally, an attack on plant economy nvolves a radcally dfferent strategy that an attack on plant safety. Our future research wll attempt to develop systematc technques for evaluatng the mpact of smultaneous attacks. Another area of focus s the desgn of automatc attack

11 I N T E R N A T I O N A L J O U R N A L O F C R I T I C A L I N F R A S T R U C T U R E P R O T E C T I O N 2 ( ) detecton and response mechansms that can enhance the reslence of control systems. Acknowledgements We wsh to thank Adran Perrg, Bruno Snopol, Gabor Karsa, and Jon Wley for useful dscussons related to control systems securty. Ths effort was partally supported by the Internatonal Collaboraton for Advancng Securty Technology (CAST) and the Tawan Informaton Securty Center (TWISC) Projects under Grants NSC P , NSC I and NSC E , respectvely. R E F E R E N C E S [1] E. Byres, Desgnng secure networks for process control, IEEE Industry Applcatons 6 (5) (2000) [2] E. Byres, J. Lowe, The myths and facts behnd cyber securty rsks for ndustral control systems, n: VDE Congress, [3] E. Goetz, S. Sheno (Eds.), Crtcal Infrastructure Protecton, Sprnger, Boston, Massachusetts, [4] V. Igure, S. Laughter, R. Wllams, Securty ssues n SCADA networks, Computers and Securty 25 (7) (2006) [5] T. Klpatrck, J. Gonzalez, R. Chanda, M. Papa, S. Sheno, Forensc analyss of SCADA systems and networks, Internatonal Journal of Securty and Networks 3 (2) (2008) [6] P. Oman, E. Schwetzer, J. Roberts, Protectng the grd from cyber attack Part 2: Safeguardng IEDs, substatons and SCADA systems, Utlty Automaton & Engneerng T&D 7 (1) (2002) [7] M. Papa, S. Sheno (Eds.), Crtcal Infrastructure Protecton II, Sprnger, Boston, Massachusetts, [8] K. Stouffer, J. Falco, K. Kent, Gude to Supervsory Control and Data Acquston (SCADA) and ndustral control systems securty ntal publc draft, Natonal Insttute of Standards and Technology, Gathersburg, Maryland, [9] P. Tsang, S. Smth, YASIR: A low-latency, hgh-ntegrty securty retroft for legacy SCADA systems, n: Proceedngs of the Twenty-Thrd IFIP TC 11 Internatonal Informaton Securty Conference, 2008, pp [10] Unted States Computer Emergency Readness Team (US- CERT), Control Systems Securty Program, U.S. Department of Homeland Securty, Washngton, DC. control_systems/ndex.html. [11] A. Wrght, J. Knast, J. McCarty, Low-latency cryptographc protecton for SCADA communcatons, n: Proceedngs of the Second Internatonal Conference on Appled Securty and Network Securty, 2004, pp [12] N. Rcker, Model predctve control of a contnuous, nonlnear, two-phase reactor, Journal of Process Control 3 (2) (1993)