SAIN: Improving ICS Attack Detection Sensitivity via State-Aware Invariants

Authors: 

Syed Ghazanfar Abbas, Muslum Ozgur Ozmen, Abdulellah Alsaheel, Arslan Khan, Z. Berkay Celik, and Dongyan Xu, Purdue University

Abstract: 

Industrial Control Systems (ICSs) rely on Programmable Logic Controllers (PLCs) to operate within a set of states. The states are composed of variables that determine how sensor data is interpreted, configuration parameters are applied, and actuator commands are issued. Recent works have shown that attackers can manipulate these variables to compromise ICS safety and security. To detect such attacks, previous approaches have leveraged invariants—a set of rules defining the correct behavior of an ICS. However, these invariants suffer from a critical limitation: they are state-agnostic. This means they define variable ranges across all possible ICS states, leading to loosely bounded detection thresholds. Unfortunately, attackers can exploit these loose bounds and launch stealthy attacks that evade detection without violating such invariants.

In this paper, we introduce SAIN, an automated method to derive state-aware ICS invariants with tighter bounds and enforce them through a PLC-based monitor. SAIN first generates invariant templates by identifying the PLC program states, state transitions, and the inter-dependencies among sensing, actuation, and configuration variables within each state through program analysis. It then partitions the ICS data traces into state-specific sub-traces and quantifies the invariant templates with concrete, tighter bounds, as system-specific knowledge about the subject ICS. Lastly, it enforces the state-aware invariants through a run-time monitor. We evaluate SAIN on a Fischertechnik manufacturing plant and a chemical plant simulator against 17 attacks. SAIN protects the plants, on average, with a false positive rate of 2% and a run-time overhead of 3%.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299553,
author = {Syed Ghazanfar Abbas and Muslum Ozgur Ozmen and Abdulellah Alsaheel and Arslan Khan and Z. Berkay Celik and Dongyan Xu},
title = {{SAIN}: Improving {ICS} Attack Detection Sensitivity via {State-Aware} Invariants},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {6597--6613},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/abbas},
publisher = {USENIX Association},
month = aug
}

Presentation Video