Title: Locating subverted processes using random packet comparison in SCADA systems

Authors: Thomas Richard McEvoy; Stephen D. Wolthusen

Addresses: Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK; HP ESS, Vistorm House, Daresbury Park, Warrington WA4 4BU, USA ' Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK; Norwegian Information Security Laboratory, Gjøvik University College, N-2818 Gjøvik, Norway

Abstract: A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counter-attack.

Keywords: pi-calculus; supervisory control; data acquisition; SCADA systems; adversary detection; subverted processes; random packet comparison; integrity attacks; attacking node location; attack location; packet content; routing information; IP traceback; critical infrastructures.

DOI: 10.1504/IJCIS.2013.051609

International Journal of Critical Infrastructures, 2013 Vol.9 No.1/2, pp.32 - 51

Published online: 28 Apr 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article