SCAPHY: Detecting Modern ICS Attacks by Correlating Behaviors in SCADA and PHYsical
Moses Ike, Kandy Phan, Keaton Sadoski, Romuald Valme, Wenke Lee

TL;DR
SCAPHY is a novel detection system that leverages the unique execution phases of SCADA to identify and differentiate legitimate control behaviors from malicious activities in ICS environments, enhancing attack detection accuracy.
Contribution
SCAPHY introduces a new method combining physical process dependency graphs and phase-aware dynamic analysis to detect sophisticated ICS attacks that blend with normal operations.
Findings
Achieved 95% detection accuracy with 3.5% false positives in testbed environments.
Outperformed existing methods with significantly higher accuracy and lower false positive rates.
Demonstrated robustness against attackers aware of the detection approach.
Abstract
Modern Industrial Control Systems (ICS) attacks evade existing tools by using knowledge of ICS processes to blend their activities with benign Supervisory Control and Data Acquisition (SCADA) operation, causing physical-world damage. We present SCAPHY to detect ICS attacks in SCADA by leveraging the unique execution phases of SCADA to identify the limited set of legitimate behaviors that control the physical world in each phase, which differentiates them from attackers' activities. For example, it is typical for SCADA to set up ICS device objects during initialization, but anomalous during process control. To extract the unique behaviors of SCADA execution phases, SCAPHY first leverages open ICS conventions to generate a novel physical process dependency and impact graph (PDIG) to identify disruptive physical states. SCAPHY then uses PDIG to inform a physical process-aware dynamic analysis,…
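The phase-aware idea in the abstract (an operation that is legitimate during initialization but anomalous during process control) can be illustrated with a small detector. The code below is an added example, not SCAPHY's implementation: the log format, the `PHASE`/`OP` markers, the per-phase allow-lists in `ALLOWED_OPS`, and the device-naming convention (`DEVICE.tag`) are all constructed assumptions. It also goes one step beyond the abstract's example by flagging process-control writes to a device object that was never set up during initialization, a simplified stand-in for the kind of dependency knowledge the paper's PDIG would supply.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical per-phase allow-lists (assumption for this example, not from the paper):
# which operation classes SCADA is expected to perform in each execution phase.
ALLOWED_OPS = {
    "initialization": {"create_device_object", "write_config", "read_tag"},
    "process_control": {"read_tag", "write_setpoint"},
}


@dataclass
class Event:
    ts: int
    op: str
    target: str  # device object or "DEVICE.tag" (naming convention assumed here)


# Constructed sample log. Format: "<ts> PHASE <name>" marks a phase transition,
# "<ts> OP <operation> <target> [extra...]" records one SCADA operation.
SAMPLE_LOG = """\
1000 PHASE initialization
1001 OP create_device_object PUMP1
1002 OP write_config PUMP1 max_rpm=1800
1010 PHASE process_control
1020 OP read_tag PUMP1.rpm
1030 OP write_setpoint PUMP1.rpm 1200
1042 OP create_device_object PUMP2
1050 OP write_setpoint PUMP2.rpm 5000
"""


def parse_log(text: str) -> List[Tuple[Optional[str], Event]]:
    """Return (phase, event) pairs; the phase is tracked from PHASE markers."""
    phase: Optional[str] = None
    pairs: List[Tuple[Optional[str], Event]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ts, kind = int(parts[0]), parts[1]
        if kind == "PHASE":
            phase = parts[2]
        elif kind == "OP":
            pairs.append((phase, Event(ts, parts[2], parts[3])))
    return pairs


def detect(pairs: List[Tuple[Optional[str], Event]]) -> List[Tuple[int, str, str, str]]:
    """Flag operations that are out of place for the current execution phase.

    Two checks are applied:
      1. the operation class must be on the allow-list for the current phase;
      2. during process control, the target device must have been set up
         during initialization (a simplified dependency check).
    """
    alerts: List[Tuple[int, str, str, str]] = []
    known_devices = set()  # devices whose objects were created during initialization
    for phase, ev in pairs:
        if phase is None:
            alerts.append((ev.ts, ev.op, ev.target, "operation before any phase marker"))
            continue
        if ev.op not in ALLOWED_OPS.get(phase, set()):
            alerts.append((ev.ts, ev.op, ev.target, f"operation not expected during {phase}"))
            continue  # an out-of-phase create does not register the device
        device = ev.target.split(".")[0]
        if phase == "initialization" and ev.op == "create_device_object":
            known_devices.add(device)
        elif phase == "process_control" and device not in known_devices:
            alerts.append((ev.ts, ev.op, ev.target,
                           f"target device {device} was never set up during initialization"))
    return alerts


if __name__ == "__main__":
    for ts, op, target, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} {op} {target}: {reason}")
```

On the constructed log, the two `PUMP2` lines are flagged: the device-object creation at 1042 because it happens during process control, and the setpoint write at 1050 because `PUMP2` was never registered during initialization. The same `write_setpoint` against `PUMP1` passes, which is the point of phase-aware detection: the operation class alone is not suspicious, the phase and dependency context make it so.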
Taxonomy
Topics: Advanced Malware Detection Techniques · Smart Grid Security and Resilience · Network Security and Intrusion Detection
