Stealthy rootkits in smart grid controllers

Prashanth Krishnamurthy, Hossein Salehghaffari, Shiva Duraisamy, Ramesh Karri, Farshad Khorrami

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


This paper presents a stealthy and persistent attack on a Cyber-Physical System (CPS), namely the smart grid, and a multi-layer approach to detect such an attack. The attack on the CPS controller uses a rootkit-based malware. When activated, the rootkit overwrites operator commands to the smart grid relays while evading detection by the operator control station. The rootkit sends valid replies to the operator while corrupting the controller operation through a dynamically loaded library, which is hidden by the rootkit. The attack persists even when the controller stops and restarts since the rootkit automatically restarts the process with the malicious library by using a background daemon, which the rootkit hides from user-space tools. Using a high-fidelity simulation of the smart grid CPS, we show that the attack drastically impacts the CPS, especially when the adversary strategically chooses the target relays to attack. We design an ensemble of detectors to detect the attack and uncover its persistence and insertion mechanisms. The detector uses measures such as hardware performance counters (HPCs), change detection in binary signatures, change detection in system calls, and detection of hidden processes and file system entries.

Original language: English (US)
Title of host publication: Proceedings - 2019 IEEE International Conference on Computer Design, ICCD 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 9
ISBN (Electronic): 9781538666487
State: Published - Nov 2019
Event: 37th IEEE International Conference on Computer Design, ICCD 2019 - Abu Dhabi, United Arab Emirates
Duration: Nov 17 2019 to Nov 20 2019

Publication series

Name: Proceedings - 2019 IEEE International Conference on Computer Design, ICCD 2019


Conference: 37th IEEE International Conference on Computer Design, ICCD 2019
Country/Territory: United Arab Emirates
City: Abu Dhabi


  • Actuator Spoofing
  • Anomaly Detection
  • Cyber Security
  • Malware
  • Power Grid Resiliency
  • Programmable Logic Controller
  • Resilient Control
  • Rootkit
  • Stealthy Attacks

ASJC Scopus subject areas

  • Information Systems and Management
  • Computer Networks and Communications
  • Control and Optimization
  • Hardware and Architecture

