Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS– especially at the communication channels between human-machine interface (HMIs) and programmable logic controllers(PLCs) – are increasing at a rate which outstrips the rate of mitigation.
In this paper, we introduce a vendor-agnostic analytics frame-work which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool.
Using ‘digital twin’ scenarios comprising industry-representative HMIs, PLCs and firewalls in our test labour framework’s steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of ‘heuristic inference attacks’, a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS.
Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally,we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.
Index Terms—Industrial control system (ICS) security, critical infrastructure, security analytics framework, Man-in-the-Middle attacks, PLC security, cybersecurity, cyber resilience, Operational Technology (OT)