A stealth monitoring mechanism for cyber-physical systems

Abstract

Supervisory Control and Data Acquisition (SCADA) systems, which are often used in several types of Essential Systems and Critical Infrastructures, depend on control devices such as Programmable Logic Controllers, Remote Terminal Units and Intelligent Electronic Devices. Such devices, which are deployed at the edge of the SCADA infrastructure, directly interface with the physical processes under control. They are often based on embedded systems with limited capabilities and exposed to significant security and safety-related risks, as demonstrated by past incidents such as Stuxnet. However, despite the recognized relevance of those edge devices, they usually lack monitoring mechanisms able to detect device anomalies and/or cyber-physical threats. In this paper we propose a novel approach for stealth monitoring of those control devices, for purposes of security and safety management. This approach builds on cost-effective probes, which we designate as Shadow Security Units (SSU), directly attached to the monitored control devices. This privileged positioning enables the direct and fine-grained observation of both physical inputs/outputs (i.e. the physical processes under control) and network communication flows -- allowing the exploitation of various novel monitoring approaches able to address sophisticated security threats not noticeable otherwise. Moreover, the SSU approach is not limited to SCADA scenarios, being also applicable to similar domains such as the Internet of Things (IoT), Avionics and Self-Driving systems.