Sensor and Process Fingerprinting in Industrial Control Systems

Conference:  BlackHat USA 2019

2019-08-07

Summary

The presentation discusses the use of sensor noise as a fingerprint to authenticate sensors in ICS critical infrastructures without using cryptography. The fingerprint, together with process data, results in a more robust authentication method.
  • The technique has been tested on up to ten sensor types and up to sixty different sensors bridge types
  • The physical fingerprint authentication technique is not perfect, but it can complement cryptography
  • The technique can detect many attackers who are unaware of this method
  • The technique can be used to authenticate sensor readings
  • The technique can be used to detect some advanced attacks
  • The temperature does not impact the fingerprint
  • The fingerprint is stable even when the backup generator power source is used
  • The technique requires a model of the system to build the fingerprint

The ultrasonic sensor sends a sound signal and measures distance from its bounce. However, because of how the sensors are constructed and the physical conditions they operate in, not every bounce yields the same measurement. This characteristic is present in all sensors, and it produces the noise that can be used as a fingerprint.
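
The following sketch is an added illustration, not code from the talk: it subtracts a process model's prediction from the readings and compares the statistics of the remaining noise against an enrolled fingerprint. The linear tank model, the two features (residual standard deviation and sample-to-sample jitter), the 25% tolerance and the simulated Gaussian noise are all assumptions made for the example.

```python
import random
import statistics

def tank_model(start_level, inflow_rate, n):
    # Assumed process model: level rises linearly while the inlet pump runs.
    return [start_level + inflow_rate * k for k in range(n)]

def simulate_sensor(true_levels, noise_std, seed):
    # Constructed data: Gaussian noise stands in for a device's physical noise.
    rng = random.Random(seed)
    return [lvl + rng.gauss(0.0, noise_std) for lvl in true_levels]

def fingerprint(readings, predicted):
    # Residual = measurement minus model prediction; what remains is noise.
    res = [r - p for r, p in zip(readings, predicted)]
    jitter = statistics.fmean([abs(b - a) for a, b in zip(res, res[1:])])
    return {"std": statistics.pstdev(res), "jitter": jitter}

def matches(enrolled, observed, tolerance=0.25):
    # Accept only if every feature is within a relative tolerance of enrollment.
    return all(abs(observed[k] - enrolled[k]) <= tolerance * enrolled[k]
               for k in enrolled)

def demo():
    model = tank_model(start_level=500.0, inflow_rate=0.5, n=2000)
    # Enrollment window from the genuine sensor (constructed, noise std 1.0).
    enrolled = fingerprint(simulate_sensor(model, 1.0, seed=1), model)
    # Later window from the same device: same noise profile, new samples.
    same = fingerprint(simulate_sensor(model, 1.0, seed=2), model)
    # A different device of the same type with a different noise profile.
    other = fingerprint(simulate_sensor(model, 2.0, seed=3), model)
    # Injected data that follows the process model exactly, with no noise.
    injected = fingerprint(list(model), model)
    return {
        "same_sensor": matches(enrolled, same),
        "other_sensor": matches(enrolled, other),
        "injected": matches(enrolled, injected),
    }

if __name__ == "__main__":
    print(demo())
```

Values that track the process perfectly pass a model-only check, but they fail here because the residual carries none of the enrolled sensor's noise.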

Abstract

Critical infrastructure, such as electricity and water distribution, is heavily dependent on automated control. The security of these cyber-physical systems is vital for the normal functioning of modern societies; attacks on those infrastructures can result in damage to the physical world and potentially harm human lives. In this talk we revisit some common cyber and cyber-physical attack vectors to critical infrastructure and defense strategies. We demonstrate how noise in industrial sensors and their inherent processes can be used to detect both cyber and physical attacks. We will show videos of attacks and defenses taken in a realistic and state-of-the-art water treatment testbed (SWaT) hosted by the Singapore University of Technology and Design. In particular, we will show how man-in-the-middle attacks can tamper with critical sensor data and cause unwanted behavior in the plant, as well as how physically tampering with sensors results in attacks. We will briefly review defense strategies against such attacks, including the use of physical invariants and process models. Next, we will illustrate how building a model based on the noise profile of both sensors and process can effectively detect the attacks illustrated. Sensors (such as ultrasonic distance sensors) have microscopic differences that make them produce slightly different noise patterns. Using noise for identification has been explored in other fields (predominantly in mobile phones) but has yet to be investigated in the context of CPS. We show that sensor noise can be a powerful sensor data authentication tool, especially in combination with model-based defenses.
