The process matters: cyber security in industrial control systems

An industrial control system (ICS) is a computer system that controls industrial processes such as power plants, water and gas distribution, food production, etc. Since cyber-attacks on an ICS may have devastating consequences on human lives and safety in general, the security of ICS is important. In this context, the most valuable asset is the process that is under the control of the ICS. As a result of attacks on the process, the behaviour of the process (i.e., the program output in a computer program) changes due to modifications in: a) the automation logic (i.e., program instruction set) or b) the process input parameters (i.e., the program input). The detection of process manipulations through attacks is challenging as it requires the understanding of complex process dependencies in sensitive and often proprietary environments. Due to these conditions, the problem of process manipulations has not been thoroughly studied by security researchers. This thesis tackles this challenge by performing pioneering work in exploring suitable techniques for detecting process attacks in ICS. The main focus of the thesis is the problem of malicious manipulations in process input. We consider input manipulations carried through a) user application and b) network infrastructure. Our work shows that relevant information describing process operation can be extracted and analysed from common system traces (i.e., network traffic and system logs) to improve the awareness of the detector about the process that is under the control of the ICS. By doing this, we lay the ground for detecting critical process attacks that cannot be addressed by the existing solutions.