Critical Information Infrastructure (CII) refers to sectors that are important to provide services to a nation. Any loss or compromise of these essential services will have debilitating effect on a nation’s ability to function properly. With the rise in the number and sophistication of cyber attacks, there also needs to be, at a minimum, a corresponding growth and innovation in defence mechanisms.
Over the course of their research, iTrust’s researchers and students have developed a suite of attack tools that aid iTrust in the validating the effectiveness of defence mechanism for CII.
A6-L0
The A6-L0 attack tool, developed by Asst Prof Nils Tippenhauer and modified by Research Assistant Beebi Siti Salimah Binte Liyakkathali, consists of component instrument-based attacks at Layer 0 of SWaT’s network. In SWaT, Layer 0 is the communication between the Programmable Logic Controller (PLC) and the Remote Input Output (RIO) module. RIO module translates signals to bytes where each byte or bit corelates to input/output signals.
The A6–L0 tool emulates a Man-In-the-Middle attack where communications between the RIO and PLC are manipulated (see Figure 10), resulting in abnormalities not being reflected on the plant’s engineering workstation. An example of A6–L0’s attack would be switching on the motorised valve (MV101) in Stage 1 to increase the volume of water in tank. This attack scenario is carried out by sending an “ON” signal of MV101 to the RIO while simultaneously sending an “OFF” signal of MV101 to the PLC. With this, the plant operator would still see that MV101 is switched off and not take corrective measures to prevent the tank from overflowing.
A mutation can be applied to attacks. One such example is that an invalid command (a value other than 1) can be input to switch on a pump (the valid commands for turning on and off the pump are 1 and 0 respectively).
Figure 1: The network architecture at layer 0 of SWaT network (left) and how communications between the PLC and RIO can be manipulated (right, red box)
A6-L1
The A6-L1 attack tool, developed by Research Officer Francisco Furtado, decodes and mutates packets at Layer 1 of SWaT’s network. In SWaT, Layer 1 is the communication between multiple Programmable Logic Controllers (PLCs) which use Ethernet/IP (ENIP) protocol.
The A6–L1 tool emulates a Man-In-the-Middle attack where communications between 2 PLCs are compromised (see Figure), resulting in abnormalities not being reflected on the plant’s engineering workstation. An example of A6–L1’s attack would change an actual Low Water Level to a mutated Very High Water level packets from Stage 3 to Stage 1 This attack would result in the Pump in Stage 1 to turn off when it should be on to refill the tank in Stage 3. Over time, this attack will result in the tank in Stage 3 to underflow.
Figure 2: A6-L1 setup in an industrial control system
Smart Fuzzing
Smart Fuzzing is an automated, machine learning (ML) guided approach for constructing ‘test suites’ (or benchmarks) of CPS network attacks. It does not require any specific system expertise other than knowing the normal operational ranges of sensor readings. This technique, developed by postdoctoral researcher Christopher Poskitt and PhD student Yuqi Chen, uses predictive machine learning models and metaheuristic search to intelligently fuzz actuator commands, and systematically drive the system into different categories of unsafe physical states.
Smart Fuzzing consists of two broad steps. First, the researchers learnt a model of the CPS by training ML algorithms on physical data logs that characterise the CPS’ normal behaviour. The learnt model can be used to predict how the current physical state will evolve with respect to different actuator configurations. Second, they fuzzed the actuators over the network to find attack sequences that drive the system into a targeted unsafe state. This fuzzing is guided by the learnt model: potential
manipulations of the actuators are searched for (e.g., with a genetic algorithm), and then the model predicts which of them would drive the CPS closest to the unsafe state.
The tool was then implemented in SWaT and WADI testbeds. It was found that Smart Fuzzing could automatically identify suites of attacks that drove these CPSs into 27 different unsafe states involving water flow, pressure, tank levels, and consumer supply. Furthermore, it covered six unsafe states beyond those in an established expert-crafted benchmark.
Figure 3: Inputs/outputs of a learnt model
Figure 4: Overview of the ML-guided actuator fuzzing