In recent years, a number of evasion attacks for Industrial Control Systems (ICS) have been proposed. During an evasion attack, the attacker attempts to hide ongoing process anomalies to avoid anomaly detection. Examples of such attacks range from replay attacks to adversarial machine learning techniques. These attacks are generally applied to existing datasets with normal and anomalous data, to which the evasion attacks are added post-hoc. This represents a very strong attacker, who is effectively able to observe and manipulate data from anywhere in the system, in real time, with zero processing delay and no computational constraints. Prior work has shown that such strong attackers are theoretically difficult to detect by most existing countermeasures. So far, it is unclear whether such an attack could be practically realized, and whether there are challenges that would impair the attacker. In this work, we systematically discuss options for an attacker to mount evasion attacks in real-world ICS, and show the constraints that result from those options. To validate our findings, we design and implement a framework that allows the realization of evasion attacks and anomaly detection for ICS emulation. We demonstrate practical constraints that arise from different settings, and their effect on attack performance. For example, we found that network packet replay might trigger network errors, which will result in unexpected spoofing patterns.
Primary Research Area
Threat Detection and Defenses
Name of Conference
ACM International Workshop on Re-design Industrial Control Systems with Security (RICSS)
Journal
Proceedings of ACM International Workshop on Re-design Industrial Control Systems with Security (RICSS)
Open Access Type
Gold
BibTeX
@conference{Erba:Murillo:Taormina:Galelli:Tippenhauer:2024,
title = "On Practical Realization of Evasion Attacks for Industrial Control Systems",
author = "Erba, Alessandro and Murillo, Andres and Taormina, Riccardo and Galelli, Stefano and Tippenhauer, Nils Ole",
year = 2024,
month = 10,
journal = "Proceedings of ACM International Workshop on Re-design Industrial Control Systems with Security (RICSS)",
doi = "10.1145/3689930.3695213"
}