TY - JOUR
T1 - Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems
AU - Krishnamurthy, Prashanth
AU - Khorrami, Farshad
AU - Karri, Ramesh
AU - Paul-Pena, David
AU - Salehghaffari, Hossein
N1 - Funding Information:
Manuscript received November 30, 2017; revised April 3, 2018; accepted April 4, 2018. Date of publication May 3, 2018; date of current version May 22, 2018. This work was supported in part by the U.S. Office of Naval Research under Award N00014-15-1-2182 and Award N00014-17-1-2006 and in part by Boeing. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Yiorgos Makris. (Corresponding author: Farshad Khorrami.) The authors are with the Department of Electrical and Computer Engineering, New York University Tandon School of Engineering, Brooklyn, NY 11201 USA.
Publisher Copyright:
© 2005-2012 IEEE.
PY - 2018/11
Y1 - 2018/11
N2 - We propose using the analog emissions of physical instrumentation (e.g., actuators, sensors, and mechanical structures) in a cyber-physical system (CPS) to send or leak information without impacting the CPS process characteristics. We show that one can use the analog emissions as covert channels to send information to a remote receiver without altering the functioning of the CPS by considering the dynamics of the controller and its closed-loop characteristics. We demonstrate the control-theoretic approach using the Tennessee Eastman (TE) controller benchmark implemented in a hardware-in-the-loop simulator. Two feedback loops (out of 18) in the TE process are implemented on a programmable logic controller (PLC) driving a geared motor. Assuming that a malware has compromised this PLC, we show that the malware can use the acoustic emissions of a motor controlling a valve in a feedback control loop as a covert channel. This secret transmission over the covert acoustic channel can be done without affecting the stability, performance, and signal characteristics of the closed-loop process. An attacker can exfiltrate sensitive information, such as the proprietary gains or the thresholds used in the controller and the system passwords using covert channels.
KW - Cyber physical system
KW - embedded systems
KW - hardware performance counters
UR - http://www.scopus.com/inward/record.url?scp=85046492760&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046492760&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2018.2833063
DO - 10.1109/TIFS.2018.2833063
M3 - Article
AN - SCOPUS:85046492760
SN - 1556-6013
VL - 13
SP - 2761
EP - 2771
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
IS - 11
ER -