Understanding the physical and economic consequences of attacks on control systems



INTERNATIONAL JOURNAL OF CRITICAL INFRASTRUCTURE PROTECTION 2 (2009) 73–83
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/ijcip

Understanding the physical and economic consequences of attacks on control systems

Yu-Lun Huang c,*, Alvaro A. Cárdenas a, Saurabh Amin b, Zong-Syun Lin c, Hsin-Yi Tsai c, Shankar Sastry a

a Department of Electrical Engineering and Computer Sciences, University of California, Berkeley, California 94720, USA
b Department of Civil and Environmental Engineering, University of California, Berkeley, California 94720, USA
c Department of Electrical and Control Engineering, National Chiao Tung University, Hsinchu, 30010, Taiwan

* Corresponding author. Tel.: +886 3 5131476. E-mail address: ylhuang@cn.nctu.edu.tw (Y.-L. Huang).

ARTICLE INFO
Article history: Received 11 June 2009; Accepted 11 June 2009
Keywords: Control systems; Integrity attacks; Denial-of-service attacks; Consequences

ABSTRACT
This paper describes an approach for developing threat models for attacks on control systems. These models are useful for analyzing the actions taken by an attacker who gains access to control system assets and for evaluating the effects of the attacker's actions on the physical process being controlled. The paper proposes models for integrity attacks and denial-of-service (DoS) attacks, and evaluates the physical and economic consequences of the attacks on a chemical reactor system. The analysis reveals two important points. First, a DoS attack does not have a significant effect when the reactor is in the steady state; however, combining the DoS attack with a relatively innocuous integrity attack rapidly causes the reactor to move to an unsafe state. Second, an attack that seeks to increase the operational cost of the chemical reactor involves a radically different strategy than an attack on plant safety (i.e., one that seeks to shut down the reactor or cause an explosion).
© 2009 Elsevier B.V. All rights reserved.

1874-5482/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.ijcip.2009.06.001

1. Introduction

Control systems are computer-based systems used to monitor and control physical processes. They are usually composed of a set of networked devices such as sensors, actuators, controllers, and communication devices. Control systems and networks are essential to monitoring and controlling many critical infrastructure assets (e.g., electric power distribution, water treatment, and transportation management) and industrial plants (e.g., those used for manufacturing chemicals, pharmaceuticals, and food products). Most of these infrastructures are safety-critical: an attack can impact public health, the environment, and the economy, and can even lead to the loss of human life.

Control systems are becoming more complex and interdependent and, therefore, more vulnerable. The increased risk of computer attacks has led to numerous investigations of control system security (see, e.g., [1–11]). Most of the technical solutions involve extensions and improvements to traditional information technology (IT) mechanisms. However, very few solutions consider the interactions between security and the physical processes being controlled. In particular, researchers have not considered how attacks affect the estimation and control algorithms that regulate physical systems, and, ultimately, how the attacks affect the physical environment.

The goal of this paper is to initiate the development of new threat models for control systems. We argue that a threat assessment must include an analysis of how attacks on control systems can affect the physical environment in order to: (i) understand the consequences of attacks, (ii) estimate the possible losses, (iii) estimate the response time required by defenders, and (iv) identify the most cost-effective defenses.

The paper is organized as follows. The next section, Section 2, focuses on formal models of cyber attacks in control systems. Section 3 describes the experimental setup and analyzes the experimental results. The final section, Section 4, summarizes our conclusions and highlights areas for future research.

2. Modeling attacks

This section defines the control system abstraction and formally models integrity and denial-of-service (DoS) attacks.

Fig. 1. Control system abstraction.
Fig. 2. Attacks on control systems.

2.1. Notation

A control system is composed of sensors, controllers, actuators, and the physical system (plant). Sensors monitor the physical system and send measurements to a controller. The controller sends control signals to actuators. Upon receiving a control signal, an actuator performs a physical action (e.g., opening a valve). Fig. 1 clarifies the relationships between the physical system, sensor signals ($y$), the controller, and control signals ($u$).

The following notation is used to formally model attacks on control systems.

Time ($t$): The term $t$ denotes an instant of time. A process runs from $t = 0$ to $t = T$.

Sensor Measurement ($y_i(t)$): The term $y_i(t)$ denotes the value measured by sensor $i$ at time $t$. Note that $\forall i, \forall t,\ y_i(t) \in Y_i$, where $Y_i = [y_i^{\min}, y_i^{\max}]$ ($y_i^{\min}$ and $y_i^{\max}$ are the reasonable minimum and maximum values representing the plant state, respectively). Also, $Y = [y_1, y_2, \ldots, y_n]^T$, where $n$ is the number of sensors.

Manipulated Variable ($u_i(t)$): The term $u_i(t)$ denotes the output of controller $i$ at time $t$. Note that $\forall i, \forall t,\ u_i(t) \in U_i$, where $U_i = [u_i^{\min}, u_i^{\max}]$ is the allowable range of controller output values.

Attack Duration ($T_a$): The term $T_a$ denotes the duration of an attack. An attack starts at $t = t_s$ and ends at $t = t_e$. Note that $T_a = [t_s, t_e]$.

Fig. 3. Chemical plant.

Fig. 4. Plant outputs without noise.

Fig. 2 identifies several attacks on control systems. A1 and A3 correspond to integrity attacks, where the adversary sends false information $\hat{y}_i \neq y_i$ or $\hat{u}_i \neq u_i$ from (one or more) sensors or controllers. The false information may be an incorrect measurement, an incorrect time when the measurement was observed, or an incorrect sender identifier. The adversary can launch these attacks by obtaining the secret keys used by the devices or by compromising sensors (A1) or controllers (A3). We assume that each device is uniquely authenticated. Therefore, an attacker who compromises the secret key of a device is able to impersonate only that device.

A2 and A4 correspond to DoS attacks, where the adversary prevents the controller from receiving sensor measurements or prevents actuators from receiving control commands. The adversary can launch a DoS attack by jamming communication channels, compromising devices and preventing them from sending data, attacking routing protocols, or flooding the network.

A5 corresponds to a direct attack against actuators or an external physical attack on the plant. From an algorithmic perspective, it is not possible to defend against such attacks (aside from detecting them). Therefore, significant efforts must be implemented to deter and/or prevent attacks against physical systems (e.g., by implementing physical security controls).

2.2. Modeling integrity attacks

A successful integrity attack on sensor $i$ modifies the real sensor signal, causing the input to the control function $u$ to be changed from $y_i$ to $\hat{y}_i$. In an integrity attack, the adversary sends a value $\hat{y}_i$ or $\hat{u}_i$ to a sensor or actuator based on the information available to the adversary. In an effort to develop a systematic and tractable treatment of attack strategies, we propose the investigation of max attacks, min attacks, scaling attacks, and additive attacks. We assume that all these attacks lie within $U_i$ and $Y_i$. Note that signals outside this range are easily detected by fault-tolerant algorithms.

The following attacks can be launched against sensors:

Min and Max Attacks:
$$\hat{y}_i^{\min}(t) = \begin{cases} y_i(t) & \text{for } t \notin T_a \\ y_i^{\min} & \text{for } t \in T_a \end{cases} \qquad \text{and} \qquad \hat{y}_i^{\max}(t) = \begin{cases} y_i(t) & \text{for } t \notin T_a \\ y_i^{\max} & \text{for } t \in T_a \end{cases}$$

Fig. 5. Plant outputs with Gaussian noise.
Fig. 6. Integrity attack $y_7^{\max}$ from $t = 0$ to $t = 30$.

Fig. 7. Integrity attack $y_5^{\min}$ from $t = 0$ to $t = 30$.
Fig. 8. Integrity attack $u_3^{\min}$ from $t = 0$ to $t = 30$.

Fig. 9. Integrity attack $u_1^{\max}$ from $t = 0$ to $t = 30$.

Scaling Attacks:
$$\hat{y}_i^{s}(t) = \begin{cases} y_i(t) & \text{for } t \notin T_a \\ \alpha_i(t)\,y_i(t) & \text{for } t \in T_a \text{ and } \alpha_i y_i(t) \in Y_i \\ y_i^{\min} & \text{for } t \in T_a \text{ and } \alpha_i y_i(t) < y_i^{\min} \\ y_i^{\max} & \text{for } t \in T_a \text{ and } \alpha_i y_i(t) > y_i^{\max} \end{cases}$$

Additive Attacks:
$$\hat{y}_i^{a}(t) = \begin{cases} y_i(t) & \text{for } t \notin T_a \\ y_i(t) + \alpha_i(t) & \text{for } t \in T_a \text{ and } y_i(t) + \alpha_i(t) \in Y_i \\ y_i^{\min} & \text{for } t \in T_a \text{ and } y_i(t) + \alpha_i(t) < y_i^{\min} \\ y_i^{\max} & \text{for } t \in T_a \text{ and } y_i(t) + \alpha_i(t) > y_i^{\max} \end{cases}$$

Similar attacks can be launched against controllers:

Min and Max Attacks:
$$\hat{u}_i^{\min}(t) = \begin{cases} u_i(t) & \text{for } t \notin T_a \\ u_i^{\min} & \text{for } t \in T_a \end{cases} \qquad \text{and} \qquad \hat{u}_i^{\max}(t) = \begin{cases} u_i(t) & \text{for } t \notin T_a \\ u_i^{\max} & \text{for } t \in T_a \end{cases}$$

Scaling Attacks:
$$\hat{u}_i^{s}(t) = \begin{cases} u_i(t) & \text{for } t \notin T_a \\ \alpha_i(t)\,u_i(t) & \text{for } t \in T_a \text{ and } \alpha_i u_i(t) \in U_i \\ u_i^{\min} & \text{for } t \in T_a \text{ and } \alpha_i u_i(t) < u_i^{\min} \\ u_i^{\max} & \text{for } t \in T_a \text{ and } \alpha_i u_i(t) > u_i^{\max} \end{cases}$$

Additive Attacks:
$$\hat{u}_i^{a}(t) = \begin{cases} u_i(t) & \text{for } t \notin T_a \\ u_i(t) + \alpha_i(t) & \text{for } t \in T_a \text{ and } u_i(t) + \alpha_i(t) \in U_i \\ u_i^{\min} & \text{for } t \in T_a \text{ and } u_i(t) + \alpha_i(t) < u_i^{\min} \\ u_i^{\max} & \text{for } t \in T_a \text{ and } u_i(t) + \alpha_i(t) > u_i^{\max} \end{cases}$$

2.3. Modeling DoS attacks

In a DoS attack, we assume that a sensor signal does not reach the controller or that a control signal does not reach an actuator. Because the controller or actuator will notice the missing signal, it is necessary to implement functionality that enables the device to respond to this event. Let $\hat{u}_i$ and $\hat{y}_i$ denote the response strategies for handling DoS attacks. A conservative response strategy uses the last signal received as the current command. In other words, the controller assumes that the missing sensor measurement is the same as the measurement it last received:
$$\hat{y}_i^{past}(t) = \begin{cases} y_i(t) & \text{for } t \notin T_a \\ y_i(t_s) & \text{for } t \in T_a \end{cases}$$

A similar assumption can be made for a DoS attack on a control signal. In particular, we assume that an actuator continues operating based on the control signal corresponding to the manipulated variable value that it last received:
$$\hat{u}_i^{past}(t) = \begin{cases} u_i(t) & \text{for } t \notin T_a \\ u_i(t_s) & \text{for } t \in T_a \end{cases}$$
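As an added illustration of the attack models in Sections 2.2 and 2.3 (example code written for this page, not the authors' Matlab implementation), the following Python applies the min/max, scaling, additive and hold-last-value transformations to a constructed pressure trace and then runs the kind of range and stale-value check that a fault-tolerant algorithm or a plant monitor might apply. The bounds, the sample trace, the attack window and all function names are assumptions made here.

```python
"""Integrity-attack and DoS-response models of Section 2 applied to a
constructed sensor trace, plus a simple range/stale-value check.
Example code for this page; not the paper's simulation code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Trace = List[Tuple[float, float]]   # (t, y_i(t)) samples


@dataclass(frozen=True)
class Bounds:
    """Plausible range Y_i = [y_i^min, y_i^max] (or U_i for a control signal)."""
    lo: float
    hi: float

    def clamp(self, v: float) -> float:
        return min(max(v, self.lo), self.hi)


def integrity_attack(y: float, t: float, window: Tuple[float, float],
                     bounds: Bounds, kind: str, alpha: Optional[float] = None) -> float:
    """Return ŷ_i(t) for one of the paper's attack models.

    kind: 'min' / 'max' (constant attacks), 'scale' (ŷ = α·y) or 'add' (ŷ = y + α).
    Scaled and additive values are clamped to `bounds`, as in the paper's
    definitions, so the forged value stays inside the plausible range.
    """
    t_s, t_e = window
    if not t_s <= t <= t_e:          # t ∉ T_a: the true signal passes through
        return y
    if kind == "min":
        return bounds.lo
    if kind == "max":
        return bounds.hi
    if kind == "scale":
        return bounds.clamp(alpha * y)
    if kind == "add":
        return bounds.clamp(y + alpha)
    raise ValueError(f"unknown attack kind: {kind}")


def attack_trace(trace: Trace, window: Tuple[float, float], bounds: Bounds,
                 kind: str, alpha: Optional[float] = None) -> Trace:
    """Apply one integrity attack model to every sample of a trace."""
    return [(t, integrity_attack(y, t, window, bounds, kind, alpha)) for t, y in trace]


def dos_hold_last(trace: Trace, window: Tuple[float, float]) -> Trace:
    """ŷ_i^past: what the controller works with when the sensor is silent during
    T_a and it keeps using the last value it received, y_i(t_s)."""
    t_s, t_e = window
    held = next(y for t, y in trace if t >= t_s)
    return [(t, held if t_s <= t <= t_e else y) for t, y in trace]


def check_trace(values: List[float], bounds: Bounds, max_run: int = 3) -> Dict[str, list]:
    """Two cheap plausibility checks a controller or monitor can run: values
    outside [lo, hi], and values that stay identical for more than `max_run`
    consecutive samples (a frozen or held signal)."""
    out_of_range = [i for i, v in enumerate(values) if not bounds.lo <= v <= bounds.hi]
    stuck_runs = []
    start = 0
    for i in range(1, len(values) + 1):
        if i == len(values) or values[i] != values[start]:
            if i - start > max_run:
                stuck_runs.append((start, i - start))   # (first index, run length)
            start = i
    return {"out_of_range": out_of_range, "stuck_runs": stuck_runs}


# Constructed data: a reactor pressure reading y_5 in kPa, one sample per hour,
# an assumed plausible range of [0, 3000] kPa and an attack window T_a = [4, 8].
PRESSURE_BOUNDS = Bounds(0.0, 3000.0)
ATTACK_WINDOW = (4, 8)
TRACE: Trace = [(0, 2700.0), (1, 2705.0), (2, 2698.0), (3, 2702.0), (4, 2710.0),
                (5, 2695.0), (6, 2701.0), (7, 2704.0), (8, 2699.0), (9, 2703.0),
                (10, 2697.0), (11, 2700.0)]

if __name__ == "__main__":
    for name, forged in [
        ("y_5^min", attack_trace(TRACE, ATTACK_WINDOW, PRESSURE_BOUNDS, "min")),
        ("y_5^s alpha=1.05", attack_trace(TRACE, ATTACK_WINDOW, PRESSURE_BOUNDS, "scale", 1.05)),
        ("y_5^past (DoS)", dos_hold_last(TRACE, ATTACK_WINDOW)),
    ]:
        print(name, check_trace([y for _, y in forged], PRESSURE_BOUNDS))
```

Running it shows the limit the paper points to: the clamped scaling attack with α = 1.05 passes both checks because every forged value lies inside $Y_i$, whereas the constant $y_5^{\min}$ attack and the held DoS value are caught only as a frozen signal. A stale-value check is therefore a cheap complement to range checks, but it cannot by itself tell a DoS hold from a constant integrity attack.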

Fig. 10. DoS attack on $y_5$.

3. Experimental results

This section describes the experimental setup and analyzes the experimental results.

3.1. Chemical reactor system

A chemical reactor system with a proportional integral (PI) control algorithm [12] is investigated in this paper. The dynamical model was coded in FORTRAN and the control algorithm in Matlab. The attacks were implemented using Matlab. Fig. 3 shows the model of the chemical reactor system. Four chemical components are involved (A, B, C, and D). The goal of the control system is to maintain the irreversible reaction A + C → D at a specified rate while keeping the pressure inside the tank below 3000 kPa. Note that B is an inert component.

The chemical reactor system has three actuators. The first actuator, which is controlled by $u_1(t)$, operates a valve that controls feed $F_1$ containing the chemical components A, B, and C. The second actuator, controlled by $u_2(t)$, is a valve that controls feed $F_2$ containing A. The third actuator, controlled by $u_3(t)$, is a valve that purges the gas created by the chemical reaction. Each control signal $u_i(t)$ has a range between 0% (the valve is completely closed) and 100% (the valve is completely open).

The control algorithm [12] uses data from three sensors that monitor the product flow ($y_4$), pressure inside the tank ($y_5$), and amount of component A in the purge ($y_7$). Note that $u_1$ is a function of $y_5$ and $y_4$, $u_2$ is a function of $y_7$, and $u_3$ is a function of $y_5$.

Fig. 4 shows the chemical plant outputs without any noise inputs. Fig. 5 shows the plant outputs with Gaussian noise inputs. Specifically, Gaussian process noise (disturbance) with a mean of 0 and a variance of 0.05 is introduced at each valve. Note that the disturbances cause the system not to return to the steady state. The chemical reactor system is simulated from $t = 0$ to $t = 40$ (h). Note that all the attacks in the experiments are executed from $t = 10$ to $t = 30$ (h).

3.2. Integrity attacks

We assume that the goal of the attacker is to raise the pressure inside the reactor vessel to an unsafe value (greater than 3000 kPa), causing equipment damage and possibly an explosion. The integrity attacks (scaling, additive, and constant attacks) described in Section 2.2 were implemented. Only one sensor or controller was attacked at a time. The max and min attacks were the most effective; however, not all the attacks were able to drive the pressure to an unsafe level. We summarize the results below.

Fig. 11. DoS attack on $y_5$ and integrity attack on $y_4$.

When a sensor is attacked, the controller can be expected to output an incorrect control signal because it operates on incorrect sensor information. If an attacker does not know the plant dynamics or the control algorithm, he/she may compromise a sensor at random. We assume the attacked sensor is $y_7$. Fig. 6 shows the effect of a $y_7^{\max}$ attack, which informs the controller that there is a large amount of component A in the reactor vessel. The simulations demonstrate that the plant returns to the steady (safe) state after the attack. Furthermore, the pressure in the reactor vessel is always below 3000 kPa. Our experiments demonstrate that the chemical reactor system is very resilient to attacks on $y_7$, $y_4$, and $u_2$. Constant attacks are the most damaging, but they do not move the system to an unsafe state.

An attacker with knowledge about the system dynamics and control system operation would recognize that control signals $u_1$ and $u_3$ directly influence the pressure in the reactor vessel. Furthermore, the sensor that monitors the pressure in the reactor vessel tank, $y_5$, would be an attractive target. Fig. 7 shows the results of launching attack $y_5^{\min}$. During the attack, the controller believes the pressure in the tank to be very low (0 kPa). Therefore, it shuts the purge valve with the goal of increasing the pressure. Because the sensor keeps sending the false pressure reading of 0 kPa, the controller keeps the purge valve shut for the duration of the attack. In our experiments, it took about 20 hours for the attack to increase the pressure above 3000 kPa (the unsafe state). This time period is long enough for plant operators to observe the unusual phenomenon and take the appropriate mitigation steps.

In the following, we discuss the effects of attacking control signals $u_1$ and $u_3$, which appear to be promising from an attacker's point of view. Intuitively, it appears that shutting down the purge valve would increase the pressure. Therefore, we decided to launch attack $u_3^{\min}(t)$. The results are shown in Fig. 8. The original signal computed by the controller is discarded and the attack forces the purge valve to close. This causes the chemical components to accumulate in the reactor vessel. However, although the accumulation raises the pressure from 2700 kPa to 2900 kPa ($y_5$ curve), it does not force the chemical reactor system to an unsafe state. The reason is that the control signal $u_1$ is also dependent on $y_5$; thus, when the pressure rises, the feed rate is correspondingly reduced.

Finally, we discuss the effects of launching attack $u_1^{\max}(t)$ (Fig. 9). The original signal computed by the controller is discarded and the valve for Feed 1 is opened completely. In this case, large amounts of input flow to the reactor, causing the pressure to rise above 3000 kPa ($y_5$ curve). Note that this attack forces the system to an unsafe state in the shortest time.

We conclude that in order for a plant operator to prevent an attack from moving the system to an unsafe state, he/she should prioritize the protection of the control signal $u_1$. The sensor $y_5$ is also a priority. However, because elevating the pressure by attacking $y_5$ takes a long time, the problem may be alleviated by monitoring the system and implementing the appropriate response when an anomaly is detected.

Fig. 12. Integrity attack on the Loop 2 controller.

3.3. DoS attacks

Our experiments demonstrate that launching a DoS attack on a single device and implementing $\hat{u}_i^{past}$ or $\hat{y}_i^{past}$ does not have a major impact when the plant reaches a steady state. For example, note that the DoS attack on sensor $y_5$ in Fig. 10 does not cause the curve for $y_5$ to change significantly. Similar responses are obtained for all the other sensors and actuators. We conclude that the effects of DoS attacks on individual devices are limited and that protecting against integrity attacks should be a priority.

DoS attacks, however, can be launched in combination with innocuous integrity attacks to cause significant damage. Consider, for example, a DoS attack on $y_5$ coupled with an integrity attack on the production rate $y_4$ (which introduces a small variation of $y_4^{s}(t)$ with $\alpha = 0.5$). After the attacks are launched, the Loop 1 controller opens the Feed 1 valve to increase the production rate. This increases the flow of reactants to the reactor vessel, but the pressure sensor $y_5$, which is targeted by the DoS attack, fails to observe that the pressure in the vessel is rising. The resulting accumulation of reactants causes the pressure to exceed 3000 kPa in a fairly short time. Note that the changes to $y_4$ and $y_5$ in Fig. 11 start at time $t = 10$ when the attacks are launched.

3.4. Operating cost attack

Apart from forcing the chemical reactor system to an unsafe state, the attacker may wish to have a negative economic impact by increasing its operating cost. Such an attack is not easily detected and can produce large economic losses in the long term.
Estimating the cost of an attack in a typical information technology environment is often difficult because it is necessary to produce valuations for information loss (e.g., stolen data) and opportunity cost (e.g., DoS attack against an e-commerce website). However, estimating the cost of an attack on a control system is easier because the operating cost of a plant can be computed based on the reactants consumed and the production rate. In our plant model, the instantaneous operating cost depends on the quantities of reactants A ($y_{A3}$) and C ($y_{C3}$) and Flow $F_3$ and Flow $F_4$. According to Ricker [12], the operating cost of the chemical plant is given by
$$\text{cost} = \frac{F_3}{F_4}\left(2.206\,y_{A3} + 6.177\,y_{C3}\right). \tag{1}$$
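To make Eq. (1) and the consequence analysis of Sections 3.2–3.4 concrete, the following Python simulates a deliberately simple stand-in for the reactor (a single pressure state with proportional purge and feed loops) under the sensor, DoS and actuator attack models of Section 2 and reports the two quantities the paper evaluates: the time at which the 3000 kPa safety threshold is crossed and the cumulative operating cost from Eq. (1). This is example code added here, not the authors' FORTRAN/Matlab model; the plant dynamics, gains, flow scalings and purge compositions $y_{A3}$, $y_{C3}$ are constructed assumptions, and the numbers it prints are not the paper's results.

```python
"""A toy pressure-only reactor model under integrity and DoS attacks.
Example code for this page; the plant, gains and compositions are invented
and are not the authors' FORTRAN/Matlab model or results."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DT = 0.1                  # simulation step (h)
T_END = 40.0              # horizon (h), as in the paper's experiments
P_SP = 2700.0             # pressure setpoint (kPa), assumed
P_UNSAFE = 3000.0         # safety threshold (kPa) from the paper
Y_A3, Y_C3 = 0.47, 0.23   # constructed purge mole fractions of A and C


def clamp(v: float, lo: float = 0.0, hi: float = 100.0) -> float:
    return min(max(v, lo), hi)


def cost_rate(f3: float, f4: float, y_a3: float = Y_A3, y_c3: float = Y_C3) -> float:
    """Eq. (1): cost = (F3 / F4) * (2.206 y_A3 + 6.177 y_C3)."""
    return (f3 / max(f4, 1e-9)) * (2.206 * y_a3 + 6.177 * y_c3)


@dataclass
class Result:
    time_to_unsafe: Optional[float]   # first t with P > P_UNSAFE, or None
    max_pressure: float
    total_cost: float                 # sum of cost_rate * DT over the horizon
    trace: List[Tuple[float, float, float, float]]   # (t, P, u1, u3)


SensorAttack = Callable[[float, float], float]                # (true y5, last seen) -> ŷ5
ActuatorAttack = Callable[[float, float], Tuple[float, float]]  # (u1, u3) -> (û1, û3)


def simulate(sensor_attack: Optional[SensorAttack] = None,
             actuator_attack: Optional[ActuatorAttack] = None,
             window: Tuple[float, float] = (10.0, 30.0),
             p0: float = 2650.0) -> Result:
    """Toy plant: dP/dt = 0.5*u1 - 0.5*u3 (kPa/h, valve positions in %).
    Loop 2 (purge): u3 = 60 + 0.5*(y5 - P_SP); Loop 1 (feed): u1 = 60 - 0.25*(y5 - P_SP).
    Attacks act only while t lies inside `window` (the paper's T_a)."""
    P, last_seen = p0, p0
    t_unsafe, max_p, total, trace = None, p0, 0.0, []
    for k in range(int(round(T_END / DT))):
        t = round(k * DT, 6)
        in_window = window[0] <= t <= window[1]
        y5 = P                                   # true measurement
        if in_window and sensor_attack is not None:
            y5 = sensor_attack(P, last_seen)     # forged or held value reaches the controller
        else:
            last_seen = y5                       # last value the controller actually received
        e = y5 - P_SP
        u3 = clamp(60.0 + 0.5 * e)               # open purge when pressure reads high
        u1 = clamp(60.0 - 0.25 * e)              # cut feed when pressure reads high
        if in_window and actuator_attack is not None:
            u1, u3 = actuator_attack(u1, u3)     # forged command reaches the actuator
        f3 = 0.01 * u3                           # purge flow, assumed proportional to valve
        f4 = 1.2 * P / P_SP                      # product flow, assumed to rise with pressure
        total += cost_rate(f3, f4) * DT
        trace.append((t, P, u1, u3))
        P += DT * (0.5 * u1 - 0.5 * u3)
        max_p = max(max_p, P)
        if t_unsafe is None and P > P_UNSAFE:
            t_unsafe = round(t + DT, 6)
    return Result(t_unsafe, max_p, total, trace)


# Attack models from Section 2, specialised to this toy plant.
def y5_min(_p: float, _last: float) -> float:
    return 0.0                                   # y_5^min: sensor reports y_min


def y5_dos_hold(_p: float, last: float) -> float:
    return last                                  # ŷ_5^past: controller holds the last value received


def u3_max(u1: float, _u3: float) -> Tuple[float, float]:
    return u1, 100.0                             # u_3^max: purge valve forced open


if __name__ == "__main__":
    for name, res in [("baseline", simulate()),
                      ("y5 min attack", simulate(sensor_attack=y5_min)),
                      ("y5 DoS (hold last)", simulate(sensor_attack=y5_dos_hold)),
                      ("u3 max (purge open)", simulate(actuator_attack=u3_max))]:
        print(f"{name:20s} unsafe at t={res.time_to_unsafe}  max P={res.max_pressure:.0f} kPa"
              f"  cost={res.total_cost:.1f}")
```

Even in this toy, the qualitative pattern the paper reports appears: the DoS hold on $y_5$ from a settled state barely moves the pressure, the constant $y_5^{\min}$ attack drives the pressure across the threshold only after several hours (time a monitor can use), and forcing the purge valve open never endangers the plant but raises the cumulative Eq. (1) cost, which is why the paper treats the safety and the cost objectives as separate threat models.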

Fig. 13. Integrity attack on $y_4$.

The operating cost is proportional to the purge flow ($F_3$) and the quantities of reactants A ($y_{A3}$) and C ($y_{C3}$) in the purge. Thus, an attacker may either target a controller to maximize the purge flow or target a sensor to confuse the controller and increase the quantities of the reactants A and C.

Now consider an attack on the Loop 2 controller. In this case, the purge valve is opened to increase the purge flow (larger $F_3$ value). Fig. 12 shows how the attack increases the operating cost of the plant (from $t = 10$ to $t = 30$).

Next, consider an integrity attack on sensor $y_4$ that sends an incorrect (zero) signal to the Loop 1 controller indicating that there is an insufficient quantity of reactants in the tank. In attempting to maintain the production rate, the controller issues an incorrect control signal $u_1$ to increase the feed rate of A, B, and C by opening the Feed 1 valve. The increased quantity of reactants results in higher production flow ($F_4$) and higher reactor pressure (curve $y_5$ in Fig. 13). However, upon detecting the change in pressure, the Loop 2 controller turns on the purge valve to regulate the pressure. This increases the purge flow $F_3$, which leads to a higher operating cost, as shown in Fig. 13.

Based on the experimental results, we can conclude that targeting the purge flow valve is the most effective strategy for increasing the operating cost of the chemical reactor system.

4. Conclusions

Formal models of process systems, control systems, and attacks provide a powerful mechanism for reasoning about attacks and their consequences. The investigation of integrity and DoS attacks on a chemical reactor system reveals several important points. A DoS attack has relatively little impact on the system in steady state; however, a DoS attack launched in combination with an innocuous integrity attack can produce serious consequences.
An attacker needs to identify and attack the key sensors in order to drive a system to an unsafe state; in the case of the chemical reactor, targeting the reactor pressure sensor is most effective as it rapidly causes the system to cross the safety threshold. In general, attacks on control signals are more serious than attacks on sensor signals. Finally, an attack on plant economy involves a radically different strategy than an attack on plant safety.

Our future research will attempt to develop systematic techniques for evaluating the impact of simultaneous attacks. Another area of focus is the design of automatic attack detection and response mechanisms that can enhance the resilience of control systems.

Acknowledgements

We wish to thank Adrian Perrig, Bruno Sinopoli, Gabor Karsai, and Jon Wiley for useful discussions related to control systems security. This effort was partially supported by the International Collaboration for Advancing Security Technology (iCAST) and the Taiwan Information Security Center (TWISC) Projects under Grants NSC97-2745-P-001-001, NSC97-2918-I-009-005 and NSC98-2219-E-009-003, respectively.

REFERENCES

[1] E. Byres, Designing secure networks for process control, IEEE Industry Applications 6 (5) (2000) 33–39.
[2] E. Byres, J. Lowe, The myths and facts behind cyber security risks for industrial control systems, in: VDE Congress, 2004.
[3] E. Goetz, S. Shenoi (Eds.), Critical Infrastructure Protection, Springer, Boston, Massachusetts, 2007.
[4] V. Igure, S. Laughter, R. Williams, Security issues in SCADA networks, Computers and Security 25 (7) (2006) 498–506.
[5] T. Kilpatrick, J. Gonzalez, R. Chandia, M. Papa, S. Shenoi, Forensic analysis of SCADA systems and networks, International Journal of Security and Networks 3 (2) (2008) 95–102.
[6] P. Oman, E. Schweitzer, J. Roberts, Protecting the grid from cyber attack, Part 2: Safeguarding IEDs, substations and SCADA systems, Utility Automation & Engineering T&D 7 (1) (2002) 25–32.
[7] M. Papa, S. Shenoi (Eds.), Critical Infrastructure Protection II, Springer, Boston, Massachusetts, 2008.
[8] K. Stouffer, J. Falco, K. Kent, Guide to Supervisory Control and Data Acquisition (SCADA) and industrial control systems security, initial public draft, National Institute of Standards and Technology, Gaithersburg, Maryland, 2006.
[9] P. Tsang, S. Smith, YASIR: A low-latency, high-integrity security retrofit for legacy SCADA systems, in: Proceedings of the Twenty-Third IFIP TC 11 International Information Security Conference, 2008, pp. 445–459.
[10] United States Computer Emergency Readiness Team (US-CERT), Control Systems Security Program, U.S. Department of Homeland Security, Washington, DC. www.us-cert.gov/control_systems/index.html.
[11] A. Wright, J. Kinast, J. McCarty, Low-latency cryptographic protection for SCADA communications, in: Proceedings of the Second International Conference on Applied Security and Network Security, 2004, pp. 263–277.
[12] N. Ricker, Model predictive control of a continuous, nonlinear, two-phase reactor, Journal of Process Control 3 (2) (1993) 109–123.