TY - GEN
T1 - Stealthy rootkits in smart grid controllers
AU - Krishnamurthy, Prashanth
AU - Salehghaffari, Hossein
AU - Duraisamy, Shiva
AU - Karri, Ramesh
AU - Khorrami, Farshad
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/11
Y1 - 2019/11
N2 - This paper presents a stealthy and persistent attack on a Cyber-Physical System (CPS), namely the smart grid, and a multi-layer approach to detect such an attack. The attack on the CPS controller uses rootkit-based malware. When activated, the rootkit overwrites operator commands to the smart grid relays while evading detection by the operator control station. The rootkit sends valid replies to the operator while corrupting the controller's operation through a dynamically loaded library, which the rootkit hides. The attack persists even when the controller stops and restarts, since the rootkit automatically restarts the process with the malicious library by using a background daemon, which the rootkit hides from user-space tools. Using a high-fidelity simulation of the smart grid CPS, we show that the attack drastically impacts the CPS, especially when the adversary strategically chooses the target relays to attack. We design an ensemble of detectors to detect the attack and uncover its persistence and insertion mechanisms. The detector uses measures such as hardware performance counters (HPCs), change detection in binary signatures, change detection in system calls, and detection of hidden processes and file system entries.
KW - Actuator Spoofing
KW - Anomaly Detection
KW - Cyber Security
KW - Malware
KW - Power Grid Resiliency
KW - Programmable Logic Controller
KW - Resilient Control
KW - Rootkit
KW - Stealthy Attacks
UR - http://www.scopus.com/inward/record.url?scp=85081167955&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85081167955&partnerID=8YFLogxK
U2 - 10.1109/ICCD46524.2019.00012
DO - 10.1109/ICCD46524.2019.00012
M3 - Conference contribution
AN - SCOPUS:85081167955
T3 - Proceedings - 2019 IEEE International Conference on Computer Design, ICCD 2019
SP - 20
EP - 28
BT - Proceedings - 2019 IEEE International Conference on Computer Design, ICCD 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 37th IEEE International Conference on Computer Design, ICCD 2019
Y2 - 17 November 2019 through 20 November 2019
ER -