Hamid Reza Ghaeini, Singapore University of Technology and Design; Matthew Chan, Rutgers University; Raad Bahmani and Ferdinand Brasser, TU Darmstadt; Luis Garcia, University of California, Los Angeles; Jianying Zhou, Singapore University of Technology and Design; Ahmad-Reza Sadeghi, TU Darmstadt; Nils Ole Tippenhauer, CISPA, Helmholtz Center for Information Security; Saman Zonouz, Rutgers University
Ensuring the integrity of embedded programmable logic controllers (PLCs) is critical for safe operation of industrial control systems. In particular, a cyber-attack could manipulate control logic running on the PLCs to bring the process of safety-critical application into unsafe states. Unfortunately, PLCs are typically not equipped with hardware support that allows the use of techniques such as remote attestation to verify the integrity of the logic code. In addition, so far remote attestation is not able to verify the integrity of the physical process controlled by the PLC.
In this work, we present PAtt, a system that combines remote software attestation with control process validation. PAtt leverages operation permutations—subtle changes in the operation sequences based on integrity measurements—which do not affect the physical process but yield unique traces of sensor readings during execution. By encoding integrity measurements of the PLC’s memory state (software and data) into its control operation, our system allows to remotely verify the integrity of the control logic based on the resulting sensor traces. We implement the proposed system on a real PLC controlling a robot arm, and demonstrate its feasibility. Our implementation enables the detection of attackers that manipulate the PLC logic to change process state and/or report spoofed sensor readings (with an accuracy of 97% against tested attacks).
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Hamid Reza Ghaeini and Matthew Chan and Raad Bahmani and Ferdinand Brasser and Luis Garcia and Jianying Zhou and Ahmad-Reza Sadeghi and Nils Ole Tippenhauer and Saman Zonouz},
title = {{PAtt}: Physics-based Attestation of Control Systems},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {165--180},
url = {https://www.usenix.org/conference/raid2019/presentation/ghaeini},
publisher = {USENIX Association},
month = sep
}