
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: | |
Initial Amendment Date: | June 20, 2013 |
Latest Amendment Date: | June 20, 2013 |
Award Number: | 1314891 |
Award Instrument: | Standard Grant |
Program Manager: | Nina Amla, namla@nsf.gov, (703)292-7991, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | September 1, 2013 |
End Date: | May 31, 2018 (Estimated) |
Total Intended Award Amount: | $898,299.00 |
Total Awarded Amount to Date: | $898,299.00 |
Funds Obligated to Date: | |
History of Investigator: | |
Recipient Sponsored Research Office: | 506 S WRIGHT ST URBANA IL US 61801-3620 (217)333-2187 |
Sponsor Congressional District: | |
Primary Place of Performance: | 506 S. Wright Street Urbana IL US 61801-3620 |
Primary Place of Performance Congressional District: | |
Unique Entity Identifier (UEI): | |
Parent UEI: | |
NSF Program(s): | Secure & Trustworthy Cyberspace |
Primary Program Source: | |
Program Reference Code(s): | |
Program Element Code(s): | |
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Industrial control systems (ICS) differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without exhibiting any obvious protocol-level red flags. In one thrust, we conduct a measurement-centric study of ICS network activity, aimed at developing a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time. In a second thrust, we develop domain-specific behavior models that abstract from low-level protocol activity to its semantic meaning according to the current state of the processes under control. Our goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attacks or malfunction. A separate "Transition to Practice" phase advances our research results into deployment-ready technology by integrating them into the open-source Bro network monitor. Overall, our work will improve the security and safety of today's critical infrastructure by providing effective, unobtrusive security monitoring tailored to its specific semantics. In addition, we tie a number of educational activities to the research and involve students at all levels.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Industrial Control Systems are the special computer systems and hardware that regulate and control physical systems in the real world. Whether it is the computer in your car that detects and responds to lane drifting, the system that controls the HVAC in your office building, or the devices that control the flow of electricity across your city, these computer systems are everywhere around us.
While ICSs have been an important part of our critical infrastructure and manufacturing for decades, it is only in more recent times that these devices are becoming interconnected around the world through the Internet. In the past you could count on physical locks, gates, and fences to keep adversaries away, but in the modern world these same devices can be attacked from around the globe. And because we have built our critical infrastructure on these systems it is vitally important to protect them.
Traditional security tools from security companies have focused on your desktops, phones and commodity devices that often run Windows, Android, Mac OS, etc. These devices are not the same though as your typical computer or mobile phone, and most tools for intrusion detection don't translate readily to protect the networks these devices are on.
With this work we sought to better understand these systems and how they communicate to build new network intrusion detection tools that exploit some of the differences between these tools and the commodity devices you might find in your home or office. For example, these devices have very special communication protocols and patterns as they aren’t used for general purpose activities like web browsing, and we can use that predictability. And because they interact with the real world, we can look to see where they are misbehaving by comparing actual things like power readings across the grid to what reality should be if these ICS are not tampered with.
Our approach to address these challenges took three thrusts. First, we had to get real traffic data from different utility companies to start analyzing how these devices act in the real world and not just rely on engineering specifications. Simultaneously, we had to build tools to parse and understand the traffic at a deep level. With that semantic understanding in hand and the real world data, we were finally able to start developing methods to detect new kinds of attacks in novel ways.
This led to many concrete accomplishments over the life of the project. By building many of these capabilities into the Bro IDS, we released several new versions with traffic analyzers for ICS protocols such as Modbus, DNP3 and BACnet. Further, we were able to improve a new tool called Spicy that helps create protocol analyzers, making it easier for people to add other protocols to Bro in the future.
We both discovered new types of attacks against ICS and developed new defenses. Using live power analysis we created a way to detect malicious or compromised computer systems in the power grid. Working with Cray and the Blue Waters project at NCSA we developed a new proof-of-concept attack against Power Distribution Units (PDUs) that could take down a supercomputer. In collaboration with Argonne National Lab we developed something called RAINCOAT, a Moving Target Defense (MTD) using Software Defined Networking (SDN) to make it more difficult for intruders to map your network. And out of all this work we developed a new cyber-physical testbed with the international GENI project that can be used by other researchers to run experiments to defend these networks.
The impact of this work will continue for many years beyond the reach of this project. We supported the Ph.D. of a new faculty member now working at UN Reno, and built a research testbed that others are still using. We have actively deployed tools from this work monitoring the power plant at the University of Illinois at Urbana-Champaign. And finally, by incorporating much of this work into the Bro IDS, many contractors, security analysts and utility companies are enjoying the benefits of this work.
Last Modified: 08/28/2018
Modified by: Adam J Slagell