
Research On Security Analysis And Protection Technologies For Industrial Control Field System

Posted on: 2021-09-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y B Xie
Full Text: PDF
GTID: 1488306731497964
Subject: Computer Science and Technology
Abstract/Summary:
The industrial control system (ICS) is widely used to support the automatic operation of many national critical infrastructures and plays an important role in industrial upgrading, intelligent manufacturing, and lean production. With the integration of information technology (IT) and operational technology (OT), ICS is becoming vulnerable to cyber attacks because of its lack of security mechanisms, which has led to an increasing number of cyber attacks on ICS in recent years. Compared with traditional cyber attacks, ICS attacks can break through the boundary between cyberspace and physical space and threaten the security of national critical infrastructures. Although many security protection technologies already exist in the IT layer of ICS, some security issues in the field layer still need to be resolved. This thesis focuses on the security of the ICS field system, especially systems containing programmable logic controllers (PLCs), and studies several security analysis and protection technologies: 1) an ICS threat model based on the attack surface, used for discovering the vulnerabilities of the ICS field system and the PLC; 2) a physical-simulated-hybrid ICS testbed that supports ICS security analysis and evaluation; 3) a PLC malware detection technology based on SMT model checking that can effectively detect PLC malware and defend against code tampering attacks; 4) an ICS attack detection technology based on probability estimation that can detect false data injection attacks in real time. The main research contents and innovations are as follows:

1. Threat modeling and vulnerability analysis of industrial control systems based on the attack surface. Most current threat models are used for security assessment, but they are not suitable for discovering ICS vulnerabilities in depth because they usually do not model the attackers' behaviors. The thesis proposes a threat model from the attackers' perspective. First, a formal definition of ICS device threat is presented, and the threat model, which contains the attack paths and their corresponding conditions, is constructed. Then, based on this model, the potential vulnerabilities of the field system are deduced. The work is evaluated on a model of a single PLC, and vulnerabilities of a real PLC involving its protocol, password verification and code tampering are discovered. This shows that the attack-surface-based threat model can provide effective guidance for ICS security assessment and analysis in both theoretical and practical aspects.

2. Construction and implementation of a physical-simulated-hybrid ICS testbed. ICS testbeds are widely used for analyzing and evaluating security techniques. A fully physical testbed is expensive, and experiments on it are high risk, which limits its usage; a fully simulated testbed cannot reproduce attacks well. To overcome these limitations, the thesis designs an ICS testbed architecture in which physical and simulated devices connect to and control each other over a network. The architecture integrates a simulated TE process, a PLC simulator and a physical PLC. The TE controller is migrated to a real PLC to simulate a real-world control scheme. The physical and simulated devices are connected in a real-world network using different ICS protocols and act as the physical components of the ICS. The testbed is evaluated using 5 different attacks targeting devices on the testbed; the results show that the testbed can reproduce ICS attacks. The testbed can run risky and destructive experiments for ICS security research, which makes it suitable for deployment in a lab environment.

3. PLC malware detection based on SMT model checking. The thesis presents a PLC malware detection method based on model checking. Most PLC program model checking methods focus on modeling the program alone; the lack of a process model affects the accuracy of the model checking result. To deal with this problem, a novel SMT-based model that integrates the program and the process is proposed, which reduces false-positive results. In addition, SMT constraints are used to describe the model, and the corresponding program-to-constraint algorithm is presented, which avoids the state explosion problem. To facilitate detection rule generation, two methods are proposed to help users who are not familiar with formal methods design the rules. The method is evaluated on 3 representative real systems; the results show that it can detect different types of malware.

4. ICS attack detection based on probability estimation. Current ICS attack detection technologies depend on detecting anomalies in a single time frame and ignore the association between time frames. To improve accuracy, the thesis proposes an attack detection scheme based on the probability of the signal time series. A definition of ICS attack from the perspective of probability is presented, and the equations of the signal time series are deduced under some assumptions that fit the features of ICS. To decrease the computational complexity, a probability estimation method that can be used for real-time detection is proposed. The scheme is evaluated on a real dataset; the results show that it can detect 90% of the attacks and their durations.
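To make contribution 3 concrete, the following is an added example (not the thesis's code or model): a constructed tank controller in its intended form and in a code-tampered form, checked together with a constructed process model against the rule "the level never exceeds the overflow limit". Where the thesis encodes program and process as SMT constraints, this stand-in does an explicit-state bounded check over a discretized state space, which is enough to show why the process model matters: the tampered program is only visibly unsafe once the tank dynamics are in the loop.

```python
import itertools

# Constructed tank process and controller thresholds (hypothetical values).
LOW, HIGH, MAX_LEVEL = 20, 80, 95   # pump-start, pump-stop, overflow limit
INFLOW = 10                          # level gain per scan while the pump runs


def plc_clean(level, pump_on):
    """Intended scan-cycle logic: start the pump below LOW, stop it above HIGH,
    otherwise keep the previous state (hysteresis)."""
    if level < LOW:
        return True
    if level > HIGH:
        return False
    return pump_on


def plc_tampered(level, pump_on):
    """Code-tampering variant: the HIGH stop branch has been deleted, so the
    program on its own still looks like a valid controller."""
    if level < LOW:
        return True
    return pump_on


def process_step(level, pump_on, demand):
    """Process model: inflow when the pump runs, minus an outflow demand that
    the checker treats as an unconstrained (nondeterministic) input."""
    return level + (INFLOW if pump_on else 0) - demand


def bounded_check(program, horizon=6, demands=(0, 2, 4)):
    """Bounded model check of program + process against the safety rule
    'level never exceeds MAX_LEVEL'. Every discretized start state and every
    demand sequence of length `horizon` is explored; returns None when the rule
    holds, else the violating trace as a list of (level, pump_on) states."""
    for level0 in range(0, MAX_LEVEL + 1, 5):
        for pump0 in (False, True):
            for demand_seq in itertools.product(demands, repeat=horizon):
                level, pump, trace = level0, pump0, [(level0, pump0)]
                for demand in demand_seq:
                    pump = program(level, pump)          # one PLC scan
                    level = process_step(level, pump, demand)
                    trace.append((level, pump))
                    if level > MAX_LEVEL:
                        return trace                    # counterexample
    return None


if __name__ == "__main__":
    print("clean program:", bounded_check(plc_clean))         # None
    print("tampered program:", bounded_check(plc_tampered))   # overflow trace
```

The counterexample trace is the detection evidence: it names the start state and the demand sequence under which the tampered logic overfills the tank, which is exactly what a rule over the program alone could not express.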
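For contribution 4, here is an added example (not the thesis's scheme or dataset) of judging each sample by the probability of its step from the last trusted sample, so that frames are not assessed in isolation and a false data injection is reported with its full duration. The sensor trace, the Gaussian increment model and the threshold are all constructed assumptions.

```python
import math

# Constructed tank-level trace (not the thesis dataset): a slow oscillation
# around 50.0, with a false data injection at samples 30..39 that freezes the
# reported level at 60.0 while the real process keeps moving.
NORMAL = [50.0 + 0.5 * math.sin(i / 2.0) for i in range(60)]
ATTACKED = NORMAL[:30] + [60.0] * 10 + NORMAL[40:]


def fit_increment_model(clean):
    """Estimate mean and std of one-step increments x[t]-x[t-1] from a window
    assumed to be attack-free; this is the 'normal' probability model."""
    d = [b - a for a, b in zip(clean, clean[1:])]
    mu = sum(d) / len(d)
    var = sum((v - mu) ** 2 for v in d) / (len(d) - 1)
    return mu, math.sqrt(var)


def log_likelihood(step, mu, sigma):
    """Log of the Gaussian density of an observed increment under the model."""
    z = (step - mu) / sigma
    return -0.5 * z * z - math.log(sigma * math.sqrt(2.0 * math.pi))


def detect(signal, train_len=20, threshold=-8.0):
    """Online detector: each sample is scored by the probability of the step from
    the last *trusted* sample, so the association between frames is kept and a
    long injection stays flagged for its whole duration rather than only at its
    edges. Returns the detected attack intervals as (start, end) sample indices."""
    mu, sigma = fit_increment_model(signal[:train_len])
    trusted = signal[train_len - 1]
    intervals, start = [], None
    for t in range(train_len, len(signal)):
        suspicious = log_likelihood(signal[t] - trusted, mu, sigma) < threshold
        if suspicious and start is None:
            start = t
        elif not suspicious and start is not None:
            intervals.append((start, t - 1))
            start = None
        if not suspicious:
            trusted = signal[t]   # only normal samples advance the reference
    if start is not None:
        intervals.append((start, len(signal) - 1))
    return intervals


if __name__ == "__main__":
    print("normal trace:", detect(NORMAL))      # []
    print("attacked trace:", detect(ATTACKED))  # [(30, 39)]
```

The held reference is also the scheme's weak spot: a legitimate setpoint step would stay flagged until the reference is re-trained, so a deployment needs a bounded hold time or an operator acknowledgement path.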
Keywords/Search Tags: Industrial Control System Security, Programmable Logic Controller, Threat Modelling, Testbed, Model Checking, Malware Detection, Attack Detection