Control Behavior Integrity for Distributed Cyber-Physical Systems

Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems.We present Scadman, a novel control-logic aware anomaly detection system for distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers (like programmable logic controllers–PLCs) in ICS can be verified. This allows Scadman to detect a wide range of attacks, including malware attacks, code-reuse and dataonly attacks, as well as sensor attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for ICS security research and training. Our results show that we can detect a wide range of attacks–including attacks that have previously been undetectable by typical state estimation techniques–while causing no false-positive warning for nominal threshold values.