
Comprehensive Modeling of Industrial Control Systems for Cyber-Security Application

Posted on: 2018-11-10
Degree: Ph.D
Type: Dissertation
University: State University of New York at Binghamton
Candidate: Davis, Matthew
Full Text: PDF
GTID: 1448390002452059
Subject: Electrical engineering
Abstract/Summary:
Industrial Control Systems (ICS) are crucial for the productivity and efficiency of modern industrial facilities. ICS technology is used in omnipresent industries such as power, gas, transportation, and manufacturing. However, these systems do not possess any built-in cyber-security measures, leaving them vulnerable to modern cyber-attacks. This research was aimed at the development of advanced ICS modeling methods, suitable for automatic implementation. This modeling is performed in the cyber domain using graphs to represent system communication patterns between devices. Modeling is also performed on the cyber processes that control the physical operations of the system by tracking the physical data flow between devices and determining computational models of how these devices process the data. Combining these models provides a comprehensive model of ICS operations, and any deviation in system performance can be determined.

Additionally, ICS communication is analyzed to determine information about the devices, communication pattern, and system, taking this comprehensive modeling approach further. Common Industrial Protocol (CIP) is one of the most commonly used network-based process control protocols, and utilizes an object-oriented communication structure for device-to-device interaction. Due to this object-oriented structure, CIP communication reveals detailed information about the devices, the communication patterns, and the system, providing an in-depth, detailed view of the system. The details from this system perspective can be utilized as part of a system cyber-security or discovery approach. However, due to the variety of commands, corresponding parameters, and variable layer structure of the CIP network layer, processing this layer is a challenging task for network analyzers.

This dissertation presents a tool, Advanced CIP Evaluator (ACE), which passively processes the CIP communication layer and automatically extracts device, communication, and system information from observed network traffic. Since ACE operates passively, without generating any network traffic of its own, system operations are not disturbed. This novel tool provides information at a greater depth and breadth than other tools, providing analysts and automated tools with a higher fidelity assessment.

Building upon the capabilities provided by ACE, the information discovered by the tool can be used to further understand system operations and the overall system process. The ability to extract details of ICS operation, design, and configuration automatically is useful for system operators, integrators, and intelligence gathering operations. Unlike other methods that focus on device fingerprinting using active means, this paper presents a passive method to derive a system model through passive data capture methods and data correlation of both static and dynamic information, from a CIP-enabled ICS environment. Facets of the system model include device information, the number and type of individual devices found within the system, control flow, process model, and physical characteristics.

This ICS security and modeling approach was tested and verified using a representative ICS power generation testbed. The approach and results demonstrate that an ICS system model can be obtained passively through the selective combination and application of protocol analysis, signals analysis, causality determination, and process modeling. The resulting system model will enable future ICS security capabilities such as custom Intrusion Detection Systems (IDS), attack path generation analysis, and health monitoring.
Keywords/Search Tags:System, ICS, Modeling, Industrial, CIP, Cyber-security, Comprehensive, Communication