Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge
Herson Esquivel-Vargas, John Henry Castellanos, Marco Caselli, Nils Ole Tippenhauer, Andreas Peter

TL;DR
This paper presents a method for attackers with limited knowledge to identify near-optimal single-shot attacks on Industrial Control Systems, achieving results comparable to those with detailed system information.
Contribution
The work introduces a novel approach enabling near-optimal attack identification with minimal system knowledge, reducing the need for detailed models or simulations.
Findings
Achieves near-optimal attacks with only limited system knowledge
Validates the approach on two use cases, with results comparable to those of methods that rely on detailed system models
Demonstrates the effectiveness of abstract information-flow knowledge in attack planning
Abstract
Industrial Control Systems (ICSs) rely on insecure protocols and devices to monitor and operate critical infrastructure. Prior work has demonstrated that powerful attackers with detailed system knowledge can manipulate exchanged sensor data to deteriorate the performance of the process, even leading to full shutdowns of plants. Identifying those attacks requires iterating over all possible sensor values and running detailed system simulation or analysis to identify optimal attacks. That setup allows adversaries to identify attacks that are most impactful when applied on the system for the first time, before the system operators become aware of the manipulations. In this work, we investigate if constrained attackers without detailed system knowledge and simulators can identify comparable attacks. In particular, the attacker only requires abstract knowledge on general information flow in…
Taxonomy
Topics: Smart Grid Security and Resilience · Security and Verification in Computing · Network Security and Intrusion Detection
