PhD Proposal by Moses Ike J


Event Details
  • Date/Time: Friday December 9, 2022, 10:00 am - 12:00 pm
  • Location: ZOOM
  • Fee(s): N/A

Title: Detection and Forensic Analysis of Modern ICS Attacks via Correlating SCADA Host Operations with Physical Behavior


Moses Ike J

Ph.D. student

School of Cybersecurity and Privacy

Georgia Institute of Technology


Date: Friday, December 9, 2022

Time: 10:00 am - 11:00 am EST

Location: https://gatech.zoom.us/j/99212775135?pwd=cFhzVGNVNGYxRXIxUjliYzRJUEhxdz09


Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Saman Zonouz, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Uzoma Onunkwo, Cybersecurity Research and Development, Sandia National Laboratories

Abstract:

The increased cyber connectivity in modern Operational Technology (OT) plants has improved overall Cyber-Physical Systems (CPS) operations. Unfortunately, it has also allowed cyber attackers to penetrate previously air-gapped Industrial Control Systems (ICS), causing physical disruptions to critical infrastructure such as the electric grid. ICS attackers penetrate OT plants by infecting Supervisory Control and Data Acquisition (SCADA) workstations, the cyber-facing control systems that manage physical devices such as Programmable Logic Controllers (PLCs), sensors, and actuators. In disrupting ICS devices, modern attacks blend with normal SCADA activity by injecting just enough malicious commands at each step. This stealthy tactic evades existing host-based and sensor-based defenses because they cannot connect SCADA host operations with their physical effects.


To address these challenges, I propose a hybrid ICS attack detection technique that leverages CPS domain knowledge to correlate control executions in SCADA with their effects on physical device behavior. To demonstrate the efficacy of this approach, I first present SCAPHY, a technique that analyzes the distinct execution phases of SCADA operations to detect malicious physical impact on sensors and actuators. SCAPHY identifies the limited set of legitimate SCADA API calls used to control devices in each phase, which distinguishes them from an attacker's activities in those phases. SCAPHY detected real past attacks, such as the Ukrainian power grid disruption, with high accuracy.
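The following is an added, deliberately small illustration of the two ideas in this paragraph: a per-phase allow-list of legitimate control API calls, and a cross-check between host-side control writes and the physical changes they should produce. It is example code written for this page, not SCAPHY's implementation. The phase names, API names, process names, tag names, deadlines and both log formats are constructed assumptions, as are the sample traces.

```python
"""Phase-aware correlation of SCADA host calls with physical behavior (added
example, not SCAPHY). All names, formats and traces below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed allow-list: legitimate control API calls per SCADA execution phase.
PHASE_ALLOWED_APIS = {
    "startup": {"OpcConnect", "OpcBrowse"},
    "monitor": {"OpcRead", "OpcSubscribe"},
    "control": {"OpcRead", "OpcWrite"},
}

# Assumed physical model: writing a command tag should change a state tag
# within a deadline (seconds).
EXPECTED_EFFECT = {
    "breaker_cmd": ("breaker_state", 2.0),
    "valve_setpoint": ("valve_position", 5.0),
}


@dataclass(frozen=True)
class HostEvent:
    t: float
    phase: str
    proc: str
    api: str
    tag: Optional[str]


def parse_host(text: str) -> List[HostEvent]:
    """Host trace: '<time> <phase> <process> <api> <tag|->' (constructed format)."""
    out = []
    for line in text.splitlines():
        if line.strip():
            t, phase, proc, api, tag = line.split()
            out.append(HostEvent(float(t), phase, proc, api, None if tag == "-" else tag))
    return out


def parse_phys(text: str) -> List[Tuple[float, str, float]]:
    """Physical trace: '<time> <tag> <value>' (constructed format)."""
    return [(float(t), tag, float(v))
            for t, tag, v in (l.split() for l in text.splitlines() if l.strip())]


def detect(host: List[HostEvent], phys) -> List[Tuple[str, float, str]]:
    """Return (alert_type, time, detail) tuples ordered by time."""
    alerts = []
    legit_writes = []  # (write_time, expected_state_tag, deadline)
    for h in host:
        if h.api not in PHASE_ALLOWED_APIS.get(h.phase, set()):
            alerts.append(("phase-violation", h.t,
                           f"{h.proc} called {h.api} during phase '{h.phase}'"))
            continue  # an illegitimate call cannot explain a physical change
        if h.api == "OpcWrite" and h.tag in EXPECTED_EFFECT:
            state_tag, deadline = EXPECTED_EFFECT[h.tag]
            legit_writes.append((h.t, state_tag, deadline))

    # Physical side: a "change" is a reading that differs from the previous one.
    last, changes = {}, []
    for t, tag, value in phys:
        if tag in last and value != last[tag]:
            changes.append((t, tag, value))
        last[tag] = value

    explained = set()
    for t, tag, value in changes:
        match = next((w for w in legit_writes
                      if w[1] == tag and w[0] <= t <= w[0] + w[2]), None)
        if match is None:
            alerts.append(("unexplained-physical-change", t,
                           f"{tag} changed to {value} with no legitimate write"))
        else:
            explained.add(match)

    for w in legit_writes:
        if w not in explained:
            alerts.append(("missing-physical-effect", w[0],
                           f"write at {w[0]}s expected {w[1]} to change within {w[2]}s"))
    return sorted(alerts, key=lambda a: a[1])


# Constructed traces: the operator trips the breaker at t=10 (legitimate); an
# unexpected process writes the breaker back at t=20 during the monitor phase;
# a valve setpoint write at t=30 gets no physical response.
HOST_LOG = """\
1.0  startup scada_hmi.exe OpcConnect -
2.0  monitor scada_hmi.exe OpcRead    breaker_state
10.0 control scada_hmi.exe OpcWrite   breaker_cmd
14.0 monitor scada_hmi.exe OpcRead    breaker_state
20.0 monitor updater_x.exe OpcWrite   breaker_cmd
30.0 control scada_hmi.exe OpcWrite   valve_setpoint
"""
PHYS_LOG = """\
2.0  breaker_state  1.0
11.0 breaker_state  0.0
14.0 breaker_state  0.0
21.0 breaker_state  1.0
35.0 valve_position 40.0
"""


def run_example() -> List[Tuple[str, float, str]]:
    return detect(parse_host(HOST_LOG), parse_phys(PHYS_LOG))
```

Running `run_example()` on the constructed traces yields three alerts: the write at t=20 is flagged because `OpcWrite` is not in the monitor phase's allow-list; the breaker change at t=21 is flagged because no legitimate write precedes it; and the valve write at t=30 is flagged because its expected physical effect never arrives. The host-only check and the physical-only check would each miss one of these; it is the correlation that catches all three.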


Next, to detect ICS attacks proactively in their early stages, I present FORECAST, a forensic forward exploration of SCADA memory snapshots taken following suspicious CPS events, which reveals "not-yet-executed" attacks. FORECAST ranks detected attacks by their likelihood of future execution, enabling OT operators to prioritize their attack response workflows.


Finally, to build on FORECAST and identify the SCADA infection, I propose OTGUARD, a novel technique that uses physical information (e.g., alarm location) to guide and correlate suspicious physical events across SCADA snapshots to counter ongoing ICS attacks.
Additional Information
  • Groups: Graduate Studies
  • Invited Audience: Faculty/Staff, Public, Undergraduate students
  • Categories: Other/Miscellaneous
  • Keywords: Phd Defense
  • Created By: Tatianna Richardson
  • Created On: Nov 28, 2022 - 4:31pm