Physics-based early warnings for forensic readiness in industrial control systems
Attacks on safety-critical Industrial Control Systems (ICS) can cause significant physical damage to equipment. Forensic investigations are often used to understand how such attacks occurred. However, such investigations may be hindered by the loss of potential digital evidence due to physical damage. Therefore, ICS need to be Forensic-Ready, i.e. capable of preserving, in advance, data that could constitute evidence of a potential attack. A possible solution would be to collect and preserve all data generated by an ICS at all times. However, such a solution may not be feasible, as it can result in a large amount of collected data that would require a large amount of time and storage resources to be analysed. Furthermore, not all data generated by an ICS may be relevant to forensic investigations, and its real-time collection could incur a control performance overhead. Thus, proactive data collection in ICS must (i) be triggered only at specific points in time and before a potential attack could cause damage; and (ii) be restricted to data that could be relevant to forensic investigations, while ensuring it incurs little control performance overhead.

To the best of our knowledge, most of the existing work on ICS forensics only considers post-incident investigations. Exceptions to this line of work propose to collect data in real time whenever an attack is detected. However, the reliability of a detection-based trigger may be compromised if an attack on ICS can evade detection before causing damage. Such attacks are generally referred to as stealthy attacks. Additionally, no approach exists to identify data that could be relevant to the investigation of such attacks. In this thesis, we propose an approach for the engineering of Forensic Readiness in ICS faced with the threat of stealthy attacks. Our contribution is twofold:
1. First, we propose an approach that can specify when to proactively collect potential evidence of a stealthy attack. Instead of relying on attack detection, we propose a framework for physics-based Early Warning Systems (EWS) that relies on predictive safety checks to warn about potential damage from a stealthy attack. We trigger data collection activities whenever a potential stealthy attack could cause damage, but the likelihood of such damage, as computed by the EWS, is too low to warrant a potentially expensive fail-safe. To the best of our knowledge, there is limited work on warning about stealthy attacks well before they are able to cause damage.
2. Second, we propose an approach to identify which data is relevant to forensic investigations of stealthy attacks on ICS. We consider data present in control devices at risk of being damaged to be relevant in our context. Such data may explain how the attacks that we are concerned with may have occurred. We identify this data using the safety checks performed by the EWS. Then, we propose a framework that decides on a subset of relevant data to collect by achieving a trade-off between the expected impact of an attack and the potential data collection overhead.
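The trigger logic of the first contribution, as an added toy illustration that is not the thesis's code: a first-order tank model stands in for the Tennessee-Eastman Process, and the safety limit, warning and fail-safe thresholds, prediction horizon and uncertain parameter range are all constructed assumptions. The predictive safety check is run over a grid of plausible plant parameters, the fraction that breaches the limit serves as the damage likelihood, and evidence collection is triggered only in the band where damage is plausible but too unlikely to justify a fail-safe.

```python
# Added illustration of the EWS trigger idea. A toy tank model replaces the
# Tennessee-Eastman Process; all limits, thresholds and ranges are constructed.

SAFETY_LIMIT = 100.0   # level above which physical damage is assumed (constructed)
WARN_PROB = 0.1        # collect evidence once damage is at least this likely
FAILSAFE_PROB = 0.6    # above this, a fail-safe is cheaper than the expected damage
HORIZON = 30           # number of sampling periods predicted ahead
# Uncertain drain coefficient a: assumed known only to lie in [0.04, 0.08]
A_GRID = [0.04 + 0.005 * i for i in range(9)]


def step(x, u, a, dt=1.0):
    """One sampling period of the assumed plant: dx/dt = u - a*x."""
    return x + dt * (u - a * x)


def breaches_limit(x0, u, a, horizon=HORIZON):
    """Predictive safety check: does the level exceed the limit within the horizon?"""
    x = x0
    for _ in range(horizon):
        x = step(x, u, a)
        if x > SAFETY_LIMIT:
            return True
    return False


def damage_likelihood(x0, u):
    """Fraction of plausible plant parameters under which the safety check fails.
    A deterministic parameter grid is used instead of random sampling so runs repeat."""
    hits = sum(breaches_limit(x0, u, a) for a in A_GRID)
    return hits / len(A_GRID)


def ews_decision(x0, u):
    """Map the likelihood to an action: fail-safe, proactive evidence collection, or none.
    x0 is the last trusted state estimate; u is the actuator command actually applied,
    which a stealthy attacker may have altered while the reported sensor value looks normal."""
    p = damage_likelihood(x0, u)
    if p >= FAILSAFE_PROB:
        return "fail-safe", p
    if p >= WARN_PROB:
        return "collect-evidence", p   # damage plausible, but too unlikely for a fail-safe
    return "none", p


if __name__ == "__main__":
    for u in (4.0, 5.0, 8.0):      # nominal command, mild tampering, aggressive tampering
        action, p = ews_decision(80.0, u)
        print(f"u={u}: likelihood={p:.2f} -> {action}")
```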
To evaluate our approach, we employ a virtual testbed based on the widely-used benchmark Tennessee-Eastman Process (TEP). We use extensive simulations of the testbed under attacks and with randomised parameters to demonstrate the accuracy and real-time performance of our EWS. In 90.8% of simulations, our technique correctly predicts damage from a stealthy attack with an execution time smaller than the system’s sampling time. We also show that our EWS predicts such damage in situations where existing monitoring techniques fail to do so. Furthermore, simulations of the TEP under attacks demonstrate that our approach rarely (only in 5.8% of cases) misses any data that may be lost to physical damage. Moreover, we showcase a 35% reduction in control performance overhead as a result of the reduced amount of collected data when compared with an “all-data” collection approach. Finally, we show a use case of our approach whereby it improved the efficiency of an existing live ICS forensic log analysis tool by an order of magnitude.
Faculty
- Faculty of Science and Engineering
Degree
- Doctoral
First supervisor
- Bashar Nuseibeh
Second supervisor
- Liliana Pasquale
Third supervisor
- Gregory Provan
Also affiliated with
- LERO - The Irish Software Research Centre
Department or School
- Computer Science & Information Systems