Discovering Attack Signature and Its Travel Path using Graphical Model in CPS: A Case Study
Praneeta Maganti, Paresh Saxena, R. Maiti
TLDR
An effective method to analyze network traffic and discover the signatures of a broad class of cyber attacks that a remote attacker can launch with malware against an operational CPS; a set of rules built from those signatures is deployed in Suricata, a well-known and widely adopted rules-based network intrusion detection system, to generate effective alert logs.
Abstract
Cyber Physical Systems (CPSs) have a larger attack surface due to the integration of unprotected sensors and actuators into cyber infrastructure, and hence a significant amount of research effort is devoted to addressing the problem of cyber attacks on these systems. In this article, we address the problem of discovering the signatures of a broad type of cyber attacks that can be launched by a remote attacker using malware on an operational CPS. Our aim is to efficiently detect and prevent such attacks at the boundary of the cyber infrastructure, before the payloads can actually cause any damage to the system. In particular, we have considered a large dataset of an operational and popular CPS testbed, called SWaT (Secure Water Treatment), where a number of such cyber attacks have been launched and the network traces, without any specific evidence of such attacks, have recently been made public so that effective security solutions can be developed. We have proposed an effective method to analyze the traffic to discover the signatures of these cyber attacks. Our method has discovered, for the first time in this article, an exact set of signatures based on the packets of the Common Industrial Protocol (CIP) in the EtherNet/Industrial Protocol stack (ENIP/CIP) for all "sensor reading distortion" and "actuator state alteration" attacks present in the SWaT.A6_Dec2019 dataset. Leveraging these signatures, we have proposed an algorithm that takes as input a network trace file containing ENIP/CIP packets and a set of signatures and automatically generates as output a graphical model of the cyber infrastructure of SWaT, without using any background information, together with the path in the model that the signatures travel. Our analysis of the computational time needed to execute the algorithm shows that the processing of raw network trace files, one step in the algorithm, consumes a considerable amount of time. Hence, we have developed a set of rules using the signatures and deployed them in Suricata, a well-known and widely adopted rules-based network intrusion detection system, to generate effective alert logs. We found that the rules in Suricata produce alerts with zero false positives and zero false negatives in the SWaT.A6_Dec2019 dataset and in three other SWaT datasets for the two types of attacks.
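To make the algorithm sketched in the abstract concrete, the following is an added example, not code from the paper or the SWaT project. It assumes that a trace has already been parsed into per-packet records carrying the source and destination host, the CIP service name, the addressed tag and the written value (hypothetical field names chosen here; a real pipeline would fill them from a packet dissector). The packet records, host addresses, tag names and the single signature are all constructed for illustration and are not SWaT signatures. From that input it builds the directed host graph (the "graphical model", emitted in DOT form) and chains the packets matching a signature, in time order, into the path the signature travels through the model.

```python
from collections import defaultdict, namedtuple

# One parsed ENIP/CIP request: timestamp, hosts, CIP service, tag, written/read value.
Packet = namedtuple("Packet", "ts src dst service tag value")

# Constructed trace (illustrative only, not SWaT data). 10.0.0.5 plays an HMI,
# 10.0.0.11-13 play PLCs, 10.0.0.99 plays the compromised remote host.
TRACE = [
    Packet(1.00, "10.0.0.5",  "10.0.0.11", "Write Tag", "MV101",  1),    # normal actuator command
    Packet(1.10, "10.0.0.11", "10.0.0.12", "Read Tag",  "LIT101", 512),  # normal sensor poll
    Packet(2.00, "10.0.0.99", "10.0.0.11", "Write Tag", "LIT101", 0),    # forged level reading enters
    Packet(2.05, "10.0.0.11", "10.0.0.12", "Write Tag", "LIT101", 0),    # ... is relayed to next PLC
    Packet(2.10, "10.0.0.12", "10.0.0.13", "Write Tag", "LIT101", 0),    # ... and on to a third
    Packet(3.00, "10.0.0.5",  "10.0.0.12", "Read Tag",  "FIT201", 2.3),  # unrelated normal poll
]

# A signature is a predicate over one packet: CIP service + tag + value pattern.
# The concrete predicate below is constructed for this example.
SIGNATURES = {
    "sensor_reading_distortion_LIT101":
        lambda p: p.service == "Write Tag" and p.tag == "LIT101" and p.value == 0,
}


def build_graph(trace):
    """Directed host graph: node per IP, edge src->dst for every observed request.
    No background knowledge of the plant is used; every node is learnt from the trace."""
    graph = defaultdict(set)
    for p in trace:
        graph[p.src].add(p.dst)
        graph.setdefault(p.dst, set())   # sinks still appear as nodes
    return {host: sorted(peers) for host, peers in graph.items()}


def match_signature(trace, sig):
    """All packets in the trace that satisfy the signature predicate, in time order."""
    return sorted((p for p in trace if sig(p)), key=lambda p: p.ts)


def travel_path(trace, sig):
    """Chain matching packets whose source is the previous hop's destination,
    yielding the ordered list of hosts the signature passed through."""
    matches = match_signature(trace, sig)
    if not matches:
        return []
    path = [matches[0].src, matches[0].dst]
    for p in matches[1:]:
        if p.src == path[-1] and p.dst not in path:   # extend only along the chain, no cycles
            path.append(p.dst)
    return path


def to_dot(graph, path=()):
    """Graphviz DOT text for the model, with the signature's path edges highlighted."""
    hot = {(a, b) for a, b in zip(path, path[1:])}
    lines = ["digraph cps {"]
    for src in sorted(graph):
        for dst in graph[src]:
            style = ' [color=red, penwidth=2]' if (src, dst) in hot else ""
            lines.append(f'  "{src}" -> "{dst}"{style};')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(TRACE)
    for name, sig in SIGNATURES.items():
        path = travel_path(TRACE, sig)
        print(f"{name}: {len(match_signature(TRACE, sig))} packets, path {' -> '.join(path)}")
        print(to_dot(g, path))
```

The path extraction deliberately keys only on the signature predicate and packet order, so it works without knowing in advance which host is the HMI or which is a PLC; the trade-off is that an attacker host that matches nothing in the signature set leaves no path, which is exactly the false-negative case the Suricata rules are later evaluated against.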
