Elsevier

Computers & Security

Volume 97, October 2020, 101955

False data injection attacks and the insider threat in smart systems

https://doi.org/10.1016/j.cose.2020.101955

Abstract

Smart networks and smart city systems, whose use grows with new approaches every day, are now in the investment plan of every state, and the two concepts combine at many points. Industrial Control Systems (ICS), which constitute the infrastructure of these systems, have been opened to external networks due to the requirements of the era. Once smart grids were integrated with smart cities, ICS lost their isolated structure, and this process has exposed more security vulnerabilities. In this study, a False Data Injection (FDI) attack was carried out to change the values held at memory addresses of Programmable Logic Controllers (PLCs), an important component of ICS. Initially, the feasibility of the attack was examined. Thereafter, the effect of such an attack on the system was revealed. Finally, important software and hardware solution suggestions to prevent the attack are given. The aim is that, in the cyber attacks that may occur, critical systems can be recovered with minimum damage and made operational again as soon as possible. It is considered that this study will make important contributions to other studies regarding ICS security.

Introduction

The transition to both smart cities and smart networks today and in the future will be a necessity, not a luxury. The introduction of many systems such as natural gas distribution monitoring, traffic signaling, IP CCTV monitoring, energy monitoring and control in critical infrastructures of industrial zones, health centers, big shopping malls and some cities is an indication that this transition will accelerate and increase (Üstünsoy and Sayan, 2018).

ICS are among the most critical components used in smart grid and smart city infrastructures, and vulnerabilities in the ICS and in the infrastructure architectures built on them affect the entire system. Several attack methods can exploit these vulnerabilities, but the FDI attack is one of the most damaging, because it makes it possible to change data in a controlled way and even to change firmware code. When the impact of an FDI attack on the system is evaluated, it takes a long time to bring the system back to its previous working state, and great damage may occur. In addition, this attack makes it possible to obtain data by manipulating it in a controlled manner. For this reason, it is critical to take countermeasures by revealing the procedure of the FDI attack.

Industrial Control Systems (ICS), which constitute the infrastructure of the smart city and smart grid systems that contribute so much to human life, were opened to external networks (internet and intranet) due to the requirements of the era, such as efficiency, early failure intervention and remote access. With this transition, these systems have become vulnerable to various cyber attacks because of the hybrid communication protocols they use (TCP/IP (Transmission Control Protocol/Internet Protocol), wireless IP and Bluetooth) (Adepu et al., 2018). Since some SCADA systems have avoided updates over the years because of the high risk of interfering with a live system, older technologies are still present in many environments. As a result, nations have been confronted with very dangerous attacks on Critical National Infrastructure (CNI) via ICS, such as the Trans-Siberian Pipeline explosion (Miller and Rowe, 2012), the Maroochy Shire water system (Stouffer et al., 2011), Stuxnet (Lagner, 2013), Flame (Kim et al., 2014), Duqu (Bencsáth et al., 2011), Havex (Thames and Schaefer, 2017) and BlackEnergy (Lee et al., 2016). When incidents occur, a forensic investigation must be carried out to identify the cause and those responsible, but traditional IT forensic tools and methodologies, being COTS (commercial/consumer off-the-shelf) products, cannot be applied directly in ICS. There are studies on ICS forensics in the literature, although not enough. In this context, Van Vliet et al. examined forensic analysis after a fire in a wind turbine. In the analysis phase of that study, traditional forensic tools were used for device analysis, while the SCADA-specific OPC was used with the historian in network analysis (Van Vliet et al., 2015). In another study on ICS forensics, Van der Knijff introduced the tools that can be used after important ICS events and evaluated tools usable in ICS, such as OPC, Sleuth Kit and Xiraf, given the difficulty of using existing traditional network-specific tools in ICS (Van der Knijff, 2014). Wu et al. proposed a new SCADA forensic process model in their study on ICS forensics. They argued that, although there are significant deficiencies, the historian and an OPC client can be used for storing and analysing SCADA data in the model, while RSLogix 5000 can be used for fault logging (Wu et al., 2013). Therefore, continuous monitoring of the ICS managing smart cities/grids, on a 24/7 basis, is essential (Yılmaz and Gönen, 2018; Zanella et al., 2014), because smart cities/grids face different types of attacks, including attacks on data availability, data privacy and data integrity (Cintuglu et al., 2016). One such attack is the injection of false data into the Programmable Logic Controller (PLC), a vital component of the smart grid operating module; it is an example of a data integrity attack. Recently, these attacks, commonly known as False Data Injection (FDI) attacks (Myers et al., 2018), have attracted great attention because they can bypass existing security measures and take advantage of system operations. In such attacks, either insider contribution or stealing data by intervening in the communication plays an important role. For example, almost all nuclear theft and sabotage incidents have been carried out with the help of insiders. In 2014, an insider at the Doel-4 nuclear power plant in Belgium drained all the lubricant from the turbine, causing the plant to remain closed for months and hundreds of millions of dollars of economic damage (Bunn et al., 2016). In an attack on waste management facilities in Queensland, Australia, large amounts of waste were poured into public areas; this attack was also carried out by a former employee of the institution (Slay and Miller, 2008).

The widespread use of the Modbus protocol and its embedded presence in all devices increase the tendency to use this communication protocol when designing compatible and trouble-free systems. Besides, many PLCs used in industry support Modbus while not supporting other protocols, or requiring additional modules for them. For this reason, this protocol has become indispensable in ICS for PLCs of different brands and models to work in harmony with each other.

In the vast majority of the studies cited above, ready-made simulation programs or simulated mathematical models have been used and their results presented. Simulation and modeling techniques are useful for modeling and testing complex systems, and the development of realistic models can help create scenarios that do not yet exist or are very costly to build. However, the simulation-based approach has two main disadvantages: the difficulty of fully reflecting the real system, and the possibility that the analyses may not give the same results on the real system. Also, by using the configuration information of an industrial control system or measurement system, an attacker could inject malicious measurements that mislead the forecasting process without being detected by any of the available techniques.

The Modbus protocol has some basic security shortcomings: it provides no authentication, no encryption and no integrity protection at all (Nardone et al., 2016). For example, when the master sends data to the slave, the slave should first authenticate the device from which it receives the data packet and only then process the packet. The Modbus protocol does not have this capability, so man-in-the-middle (MitM) attacks can easily take place in Modbus. As a result, the widely used Modbus protocol has serious cyber security vulnerabilities, and these vulnerabilities were exploited against the target in the attack analysis of this study.

Apart from the Modbus protocol, many other communication protocols, such as Distributed Network Protocol (DNP) 3.0 and Profibus, are currently used in industry. The DNP 3.0 protocol transmits unsolicited data along with requested data from field elements in SCADA systems, so the SCADA system does not have to send continuous requests to the field elements; however, this protocol provides only a small number of large data transmissions. Although some of its security vulnerabilities have been improved, it has not become as widespread as Modbus. The Profibus protocol has found a wide range of applications in production and building automation. Modbus, on the other hand, is frequently used in many devices owing to its open-source and simple operating structure.

To perform an FDI attack on a power grid, it is not easy for the attacker to obtain the grid topology and the transmission line admittance values. Sun et al. aimed to circumvent bad data detection systems and claimed that their attack on the IEEE 30-bus simulation test system was successful (Sun et al., 2015). A survey of the literature shows several studies on FDI attacks, such as (Li and Wang, 2019). In the majority of them, theoretical modeling and experimental evaluation have been carried out on simulation-based test environments (IEEE benchmark, IEEE-RTS-24-bus) (Li and Wang, 2019; Liu et al., 2015). In another group of studies, mathematical modeling (Rahman and Mohsenian-Rad, 2012) and a graph-theoretical approach to network modeling (Kosut et al., 2011) have been used to detect attacks. Although simulation systems are used in the majority of the attacks and detections carried out for ICS, there are also studies, such as (Alves and Morris, 2018; Anwar et al., 2015), on attacks and detections carried out on actual ICS. Simulation studies make important contributions to ICS security; however, the biggest deficiency of simulation-based studies is the difficulty of fully reflecting the real system, and hence the probability that the analyses performed will not give the same results on the real system. The PLC (OpenPLC) designed in (Alves and Morris, 2018) could overcome that specific injection attack, but it could not solve the authentication, integrity and confidentiality issues of the Modbus protocol that made the injection attack possible in the first place. The study in (Anwar et al., 2015) likewise consists of a theoretical framework for integrity attacks. Urbina et al. proposed physics-based intrusion detection algorithms for false data injection on real ICS testbeds (Urbina et al., 2016). Adepu and Mathur proposed a detection algorithm labelled Distributed Intrusion Detection against successful intruder attacks, and carried out attack analyses on an operational water treatment facility, Secure Water Treatment (SWaT), established at the iTrust research centre (Adepu and Mathur, 2018a). In another study by Adepu and Mathur on the real ICS at the iTrust research centre, the effectiveness of attack detection mechanisms was addressed in the hackfest event named SWaT Security Showdown (S3) (Adepu and Mathur, 2018b). The results obtained are very important because these three studies were implemented on the real ICS at the iTrust centre. Lin et al. proposed a machine-learning-based ICS IDS model for detecting attacks on water level control and air pollution control infrastructures; however, the attack on the testbed and the subsequent detection outcomes were not described in that study (Lin et al., 2017).

In this study, an FDI attack was carried out on a SCADA infrastructure designed to represent smart city and smart grid systems, taking advantage of the vulnerabilities of the communication protocols used in ICS. Although security measures (firewall, IDS/IPS) were active during the attack, users' electricity consumption costs in the system were changed and the integrity component of the system was disrupted.

The analysis in this study consists of an FDI attack on SCADA, followed by detection and prevention of the attack. The FDI attack was carried out by exploiting the vulnerabilities of the Modbus protocol, and the data was manipulated physically despite password protection in the ICS and SCADA system. Subsequently, after enumerating recommendations for preventing this attack, a detection and prevention model (the LiFi model) was proposed.

The remainder of this paper is organized as follows. Section 2 explains the testbed used in the study in detail. Section 3 deals with register manipulation by means of the false data injection attack carried out on the PLC, an important component of ICS, and the effects on the system are discussed in Section 4. Section 5 states the precautions to be taken against the FDI attack on the system and then proposes the continuous monitoring model based on LiFi as a solution. The study ends with the conclusion section.

Section snippets

Testbed

For the work to be done correctly, a real system structure must be used first. For this purpose, a projection covering the whole system was made before the testbed was prepared. The system architecture and the point at which the attack is carried out are shown in Fig. 1.

The system architecture consists of the transmission of energy consumption and network data received from the smart meter of each electricity consumer to the distribution transformer that transmits energy to the

Register manipulation with false data injection

The FDI attack was carried out by an insider against the Schneider M241 PLC used as the controller in the test environment, following the attack procedure listed below; the results were observed in the WEB interface, the PLC program interface (SoMachine) and the SCADA interface (Vijeo Citect).

FDI attack procedure:

  • Username and password identification:

    • Firstly, a user name and password were defined on the device and in the interface to prevent reading/writing, in order to prevent insider attacks via the PLC program interface (SoMachine). In this

Attack analysis

With the FDI attack, the invoice cost was raised to high levels by changing the memory address %MW1448, which was defined as a global variable in the PLC and was known to an insider. In this study, this global-variable memory address held the first-index value of the invoice consumption price, which is entered manually by the operator. This first-index value, which was not held in a consistently overwritten memory address, was decreased, and so the consumption value increased. In this way, the invoice price was
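Because Modbus itself carries no authentication or integrity protection (as noted in the introduction), one of the few network-level checks a defender can add is to watch for write requests aimed at registers that should only change through the operator interface, such as the first-index register %MW1448 above. The following Python detector is an added example, not code from the paper or its testbed: it parses Modbus/TCP request frames, validates the MBAP and PDU length fields, and raises an alert when a write function code (FC6 or FC16) touches a protected holding register. It assumes the M241 maps %MWn to Modbus holding register address n (0-based); the sample frames are constructed here, not captured traffic.

```python
import struct
from dataclasses import dataclass, field
# Modbus function codes that touch holding registers (Modbus Application Protocol V1.1b)
READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 0x03, 0x06, 0x10
# Assumption: the M241 exposes %MWn as Modbus holding register address n (0-based),
# so the first-index register discussed in the paper is address 1448.
PROTECTED_REGISTERS = {1448}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    values: list = field(default_factory=list)  # register values written; empty for reads

    def written_addresses(self):
        return range(self.start_address, self.start_address + len(self.values))

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request ADU (7-byte MBAP header + PDU), checking every length field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("bad protocol id or MBAP length mismatch")
    fc, pdu = frame[7], frame[8:]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:  # address + (quantity | value)
            raise ValueError("FC3/FC6 PDU must be exactly 4 bytes")
        addr, val = struct.unpack(">HH", pdu)
        values = [val] if fc == WRITE_SINGLE_REGISTER else []
    elif fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            raise ValueError("FC16 PDU truncated")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) != 5 + byte_count:
            raise ValueError("FC16 byte count does not match register quantity")
        values = list(struct.unpack(">%dH" % qty, pdu[5:]))
    else:
        raise ValueError("unsupported function code 0x%02x" % fc)
    return ModbusRequest(tid, uid, fc, addr, values)

def check_write(frame: bytes, protected=PROTECTED_REGISTERS):
    """Return an alert line if the frame writes a protected register, else None."""
    req = parse_modbus_tcp(frame)
    hit = sorted(set(req.written_addresses()) & set(protected))
    if not hit:
        return None
    return "ALERT unit %d: FC%d writes protected register(s) %s" % (req.unit_id, req.function, hit)

# Constructed sample frames (not testbed captures): FC6 writing 0 to %MW1448, and an FC3 read of it.
WRITE_1448 = bytes.fromhex("000100000006" "01" "06" "05a8" "0000")
READ_1448 = bytes.fromhex("000200000006" "01" "03" "05a8" "0001")
```

Such a monitor only sees the write, not who issued it, so it complements rather than replaces the access-control and continuous-monitoring measures discussed later in the paper.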

Precautions to be taken

Although IDS/IPS are used effectively among the measures taken against cyber attacks in traditional networks, IDS/IPS for ICS and SCADA systems have some limitations, which can be stated under the following headings:

  • Lack of a well-known threat model,

  • High probability of false alarm or false-negative,

  • The development of IDS systems customized for ICS environments is not yet proven for real systems,

  • The ability to analyze intrusion detection and prevention software to be

Conclusion

Cyber attacks, especially industrial espionage and information disclosure, can result in serious financial damage. Knowing the attack method is important for preventing a cyber attack. This study focuses on an insider changing the consumption cost by exploiting PLCs, one of the important components of ICS; subsequently, the precautions taken to overcome this attack are listed. The attack analysis results have emphasized the importance of the integrity component, which is one of the three

Credit author statement

Serkan Gönen: Cyber security expert, Software, Writing- Reviewing and Editing

H. Hüseyin Sayan: Applied mathematics, formulations

Ercan Nurcan Yılmaz: Supervision, Writing- Reviewing and Editing, Software

Furkan Üstünsoy: SCADA program development, Software

Gökçe Karacayılmaz: Cyber security expert.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (31)

  • M. Bunn et al., Preventing Nuclear Terrorism: Continuous Improvement or Dangerous Decline? (Cambridge, Mass.: Project on Managing the Atom, 2016)

  • M.H. Cintuglu et al., A survey on smart grid cyber-physical system testbeds, IEEE Commun. Surv. Tutor. (2016)

  • S.J. Kim et al., Secure model against APT in m-connected SCADA network, Int. J. Distrib. Sens. Netw. (2014)

  • O. Kosut et al., Malicious data attacks on the smart grid, IEEE Trans. Smart Grid (2011)

  • R. Lagner, A Technical Analysis of What Stuxnet's Creators Tried to Achieve - To Kill a Centrifuge (2013)