TY - JOUR
T1 - Locating Subverted Processes using Random Packet Comparison in SCADA Systems
AU - Mcevoy, Richard
AU - Wolthusen, Stephen D.
PY - 2013
Y1 - 2013
N2 - A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counter-attack.
AB - A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counter-attack.
U2 - 10.1504/IJCIS.2013.051609
DO - 10.1504/IJCIS.2013.051609
M3 - Article
SN - 1475-3219
VL - 9
SP - 32
EP - 51
JO - International Journal of Critical Infrastructures
JF - International Journal of Critical Infrastructures
IS - 1/2
ER -