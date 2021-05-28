Abstract: Despite increasing research efforts on large cyber-physical systems (CPS), these systems still failed to defend themselves during several high-profile cyber attacks. The most prominent events include, but are not limited to, the Stuxnet attack on an Iranian nuclear facility in 2010, the Industroyer malware attack on the Ukrainian power grid in 2016, and the recent ransomware attack on the U.S. Colonial Pipeline in May 2021, which severely limited the fuel supply to half of the East Coast.

Critical infrastructures, such as the power grid and oil/gas systems, used to isolate their operational networks from the Internet. Over recent decades they have gradually migrated from traditional serial communication networks to TCP/IP-compatible networks. Consequently, Supervisory Control and Data Acquisition (SCADA) networks expose themselves to a broader attack surface. The design of industrial control systems is dedicated mainly to functionality, availability, and durability, with almost no consideration of security and resilience; they are therefore susceptible to cyber attacks. Another main reason why the security and resilience of SCADA networks have improved so little over the past decade is that most previous work has had no access to real-world systems or datasets. Because of the critical roles of these infrastructures, it is hardly possible for security professionals to interrupt normal operations or to actively perform security experiments on site. Instead, security research on such systems usually takes one of two paths: 1. researchers build a simulation/emulation testbed mimicking a particular system and conduct their experiments there; 2. operators provide researchers with a dataset of network traffic, and the researchers study the system behavior passively from the network captures. Not surprisingly, it is not easy to earn the operators' trust and obtain data access.

This proposal presents a physical-process-based anomaly detection method that applies deep packet inspection (DPI) and unsupervised machine learning algorithms to network captures from the SCADA networks of real-world industrial control systems, specifically the power grid and the gas system. Our level of system knowledge ranges from full support, where the system owners provide the complete network topology and hardware inventory, through partial knowledge, to no support at all. This variation in knowledge shapes our anomaly detection designs as white-box, grey-box, and black-box. The primary industrial protocol under investigation is IEC 60870-5-104, an application-layer protocol designed to control and monitor physical processes in federated networks. Approaching the problem from the perspective of network measurements, we are working to establish the normal-behavior baseline for the anomaly detector and have already captured several intriguing outliers that are not observable in a simulation/emulation environment.
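To make the DPI step concrete, the following is an added example (not code from the proposal or its authors) that decodes the IEC 60870-5-104 APCI and ASDU header fields the detector would inspect, then learns the simplest possible grey-box baseline: the set of (type identification, cause of transmission, common address) triples seen in a trusted learning window, flagging any I-frame outside that set. The field layout follows the standard 104 parameters (2-byte cause of transmission, 2-byte common address, 3-byte information object address). All frames below are constructed in the script, not taken from a real capture, and the whitelist stands in for the unsupervised model the proposal describes.

```python
"""Minimal IEC 60870-5-104 APDU parser plus a whitelist baseline detector.

Added example for illustration; the frames below are constructed, not captured.
Assumes the protocol's standard 104 field sizes: 2-byte cause of transmission
(COT + originator), 2-byte common address (CA), 3-byte information object
address (IOA).
"""
import struct
from collections import Counter

START = 0x68  # every APDU begins with this start byte

# U-format control functions (first control octet value -> name)
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_asdu(asdu):
    """Decode the ASDU header and the address of its first information object."""
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    common_addr = asdu[4] | (asdu[5] << 8)
    first_ioa = None
    if len(asdu) >= 9:
        first_ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return {"type_id": type_id, "sq": bool(vsq & 0x80), "num_objects": vsq & 0x7F,
            "cot": cot & 0x3F, "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
            "originator": originator, "common_addr": common_addr, "first_ioa": first_ioa}


def parse_apdu(buf):
    """Decode one APDU: the 6-byte APCI and, for I-format frames, the ASDU."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("not an IEC 104 APDU")
    length = buf[1]                       # number of octets following the length field
    if length < 4 or len(buf) < 2 + length:
        raise ValueError("truncated APDU")
    c1, c2, c3, c4 = buf[2:6]
    if c1 & 0x01 == 0:                    # I-format: numbered information transfer
        frame = {"format": "I",
                 "send_seq": (c1 >> 1) | (c2 << 7),
                 "recv_seq": (c3 >> 1) | (c4 << 7),
                 "asdu": parse_asdu(buf[6:2 + length])}
    elif c1 & 0x03 == 0x01:               # S-format: supervisory acknowledgement only
        frame = {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    else:                                 # U-format: unnumbered control function
        frame = {"format": "U", "function": U_FUNCS.get(c1, "unknown")}
    return frame


def build_i_frame(send_seq, recv_seq, type_id, cot, common_addr, ioa, payload=b""):
    """Assemble a single-object I-format APDU (used here only to construct sample traffic)."""
    asdu = bytes([type_id, 0x01, cot, 0x00, common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + payload
    ctrl = bytes([(send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFF, (recv_seq >> 7) & 0xFF])
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def learn_baseline(frames):
    """Count (type id, COT, common address) triples seen in a trusted learning window."""
    seen = Counter()
    for buf in frames:
        f = parse_apdu(buf)
        if f["format"] == "I":
            a = f["asdu"]
            seen[(a["type_id"], a["cot"], a["common_addr"])] += 1
    return seen


def detect(baseline, frames):
    """Return the (type id, COT, CA) triples of I-frames never seen in the baseline."""
    alerts = []
    for buf in frames:
        f = parse_apdu(buf)
        if f["format"] != "I":
            continue
        a = f["asdu"]
        key = (a["type_id"], a["cot"], a["common_addr"])
        if key not in baseline:
            alerts.append(key)
    return alerts


# Constructed traffic for one outstation with common address 1.
# Learning window: periodic short-float measurements (type 13, COT 3 spontaneous)
# and a general interrogation (type 100, COT 6 activation / COT 7 confirmation).
TRAINING_FRAMES = [
    build_i_frame(0, 0, 13, 3, 1, 0x1001, struct.pack("<f", 49.98) + b"\x00"),
    build_i_frame(1, 0, 13, 3, 1, 0x1002, struct.pack("<f", 230.1) + b"\x00"),
    build_i_frame(0, 2, 100, 6, 1, 0, b"\x14"),
    build_i_frame(2, 1, 100, 7, 1, 0, b"\x14"),
]
# Detection window: one more measurement, then a single command (type 45, COT 6)
# that the learning window never contained.
TEST_FRAMES = [
    build_i_frame(3, 1, 13, 3, 1, 0x1001, struct.pack("<f", 50.01) + b"\x00"),
    build_i_frame(1, 4, 45, 6, 1, 0x2001, b"\x01"),
]


def run_demo():
    """Learn from the training window and report unseen triples in the test window."""
    return detect(learn_baseline(TRAINING_FRAMES), TEST_FRAMES)


if __name__ == "__main__":
    print(parse_apdu(bytes([START, 4, 0x43, 0, 0, 0])))   # TESTFR act keep-alive
    print(run_demo())                                      # [(45, 6, 1)]
```

The triple whitelist is deliberately coarse: it catches a control command appearing on a link that only ever carried measurements and interrogations, which is the kind of physical-process-level deviation the proposal targets, but it says nothing about values, timing, or sequence-number continuity. Those dimensions are where the unsupervised model takes over, and the parser above exposes the fields (first_ioa, the negative and test bits, send/receive sequence numbers) that such a model would consume.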