Run-time Prediction and Preemption of Configuration Attacks on Embedded Process Controllers

Lee W. Lerner, Mohammed M. Farag, Cameron D. Patterson
Cyber@VT, Bradley Department of ECE, Virginia Tech
Blacksburg, VA 24061 U.S.A.
{lwl, mmorsy, cdp}@vt.edu

ABSTRACT

Embedded electronics are widely used in cyber-physical process control systems (PCSes), which tightly integrate and coordinate computational and physical elements. PCSes have safety-critical applications, such as the supervisory control and data acquisition (SCADA) systems used in industrial control infrastructure, or the flight control systems used in commercial aircraft. Perimeter security and air-gap approaches to preventing malware infiltration of PCSes are challenged by the complexity of modern networked control systems, which incorporate numerous heterogeneous and updatable components such as standard personal computing platforms, operating systems, and embedded configurable controllers. Global supply chains and third-party hardware components, tools, and software limit the reach of design verification techniques. As a consequence, attacks such as Stuxnet have demonstrated that these systems can be surreptitiously compromised.

We present a run-time method for process control violation prediction that can be leveraged to enhance system security against configuration attacks on embedded controllers. The prediction architecture provides a short-term projection of active controller actions by embedding an accelerated model of the controller and physical process interaction. To keep the model convergent with the physical system, the predictor state is periodically synchronized with the actual physical process state. The predictor is combined with run-time guards in a root-of-trust to detect when the predicted process state violates application specifications.
Configurations can be screened before they are applied, or monitored at run-time to detect subtle modifications or Trojans with complex activation triggers. Advance notification of process control violations allows remedial action using well-known, high-assurance techniques, such as temporarily switching control to a stability-preserving backup controller. Experimental simulation results are provided from a root-of-trust developed for an aircraft pitch control system.

Categories and Subject Descriptors

C.3 [Special-purpose and Application-based Systems]: Process control systems; C.3 [Special-purpose and Application-based Systems]: Real-time and embedded systems; K.6.m [Miscellaneous]: Security

General Terms

Design, Reliability, Security, Verification

Keywords

Configuration, embedded systems, process control systems, reliability, run-time protections, security, trust

1. INTRODUCTION

A process control system (PCS) is an embedded computer platform used to monitor and control physical processes. PCSes are a subset of cyber-physical systems, which tightly integrate and coordinate computational and physical elements. One example of a PCS is feedback control, where an embedded controller uses sensor measurements of a physical plant to compute feedback signals that preserve system stability. PCSes are widely used in safety-critical infrastructure applications such as power grids, assembly lines, water systems, pipelines, power plants, and other industrial systems [1, 5]. Recent PCS attacks such as Stuxnet, which has been described as the real start of cyber warfare, have highlighted embedded system vulnerabilities and the inadequacy of existing security solutions.

The Stuxnet worm infects Windows computers, spreads via networks and removable storage devices, and exploits four zero-day vulnerabilities (flaws previously unknown to the vendor and unpatched at the time of the attack).
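The predictor-and-guard loop sketched in the abstract, as an added toy example that is not the authors' code and does not use their pitch model: a constructed one-axis pitch plant, a nominal PD controller, a "Trojaned" configuration of the same controller whose step-count trigger silently moves the setpoint outside the envelope, and a predictor that re-synchronizes with the plant every few control periods, runs the controller under test against the plant model a fixed horizon ahead, and hands control to a backup controller as soon as a predicted state violates the envelope. All constants (plant coefficients, gains, envelope, horizon, trigger step) are assumptions chosen for the example.

```python
"""Toy run-time predictor and guard for a pitch-hold controller.

Added example, not the paper's code or model. Plant, gains, envelope and the
Trojan trigger are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional

DT = 0.01         # control period [s] (constructed)
THETA_MAX = 0.35  # pitch-angle envelope [rad], about 20 degrees (constructed spec)
U_MAX = 0.5       # elevator deflection limit [rad] (constructed)


@dataclass
class PlantState:
    theta: float = 0.0  # pitch angle [rad]
    q: float = 0.0      # pitch rate [rad/s]


Controller = Callable[[PlantState, float, int], float]


def plant_step(s: PlantState, u: float) -> PlantState:
    """One Euler step of a damped second-order pitch model (constructed):
    theta' = q,  q' = -c*q + b*u, with the actuator saturated at +/-U_MAX."""
    c, b = 0.8, 4.0
    u = max(-U_MAX, min(U_MAX, u))
    return PlantState(theta=s.theta + DT * s.q, q=s.q + DT * (-c * s.q + b * u))


def pd_controller(s: PlantState, theta_ref: float, k: int) -> float:
    """Nominal configuration: PD tracking of theta_ref."""
    return 5.0 * (theta_ref - s.theta) - 1.5 * s.q


def trojan_controller(s: PlantState, theta_ref: float, k: int) -> float:
    """Same gains, but from control step 300 on the setpoint is silently
    replaced by one outside the envelope (constructed malicious configuration)."""
    if k >= 300:          # activation trigger keyed to the controller's step count
        theta_ref = 0.6
    return 5.0 * (theta_ref - s.theta) - 1.5 * s.q


def backup_controller(s: PlantState, theta_ref: float, k: int) -> float:
    """Stability-preserving fallback: return to level flight, ignore the setpoint."""
    return 5.0 * (0.0 - s.theta) - 1.5 * s.q


def in_envelope(s: PlantState) -> bool:
    """Run-time guard: the application specification checked by the root-of-trust."""
    return abs(s.theta) <= THETA_MAX


def predict_violation(ctrl: Controller, state: PlantState, theta_ref: float,
                      k0: int, horizon: int) -> Optional[int]:
    """Accelerated predictor: from a copy of the plant state synchronized at
    step k0, run the controller under test and the plant model `horizon`
    steps ahead. Returns the first step whose predicted state leaves the
    envelope, or None if the whole horizon stays inside it."""
    s = PlantState(state.theta, state.q)   # synchronize predictor with the plant
    for i in range(horizon):
        s = plant_step(s, ctrl(s, theta_ref, k0 + i))
        if not in_envelope(s):
            return k0 + i + 1
    return None


@dataclass
class RunResult:
    detected_at: Optional[int] = None  # step at which a violation was predicted
    violated_at: Optional[int] = None  # step at which the real plant left the envelope
    max_theta: float = 0.0             # largest |theta| reached by the real plant


def run(ctrl: Controller, steps: int = 600, theta_ref: float = 0.2,
        protect: bool = True, horizon: int = 100, sync_every: int = 10) -> RunResult:
    """Closed-loop simulation. Every `sync_every` steps the predictor is
    re-synchronized with the plant state; on a predicted violation control is
    handed to the backup controller for the rest of the run."""
    s, res, active = PlantState(), RunResult(), ctrl
    for k in range(steps):
        if protect and active is ctrl and k % sync_every == 0:
            if predict_violation(ctrl, s, theta_ref, k, horizon) is not None:
                res.detected_at, active = k, backup_controller
        s = plant_step(s, active(s, theta_ref, k))
        res.max_theta = max(res.max_theta, abs(s.theta))
        if res.violated_at is None and not in_envelope(s):
            res.violated_at = k + 1
    return res


if __name__ == "__main__":
    print("nominal:            ", run(pd_controller))
    print("trojan, unprotected:", run(trojan_controller, protect=False))
    print("trojan, protected:  ", run(trojan_controller))
```

With these constants the nominal configuration never leaves the envelope, the unprotected Trojaned configuration crosses THETA_MAX a few dozen steps after its trigger fires, and the protected run predicts the crossing at a synchronization point before step 300 and holds the real plant inside the envelope. Two caveats a practitioner should keep in mind: the predictor here shares the plant model with the simulated plant, so synchronization is trivially exact, whereas in a real deployment it is model mismatch that makes the periodic resynchronization essential; and the step-count trigger is caught only because the predictor advances the controller's own step counter, so a trigger keyed to an input the predictor never sees (a calendar date, a network message) would not be exercised by the projection.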
Antivirus software missed the attack because a programmable logic controller (PLC) rootkit hides Stuxnet's modifications to the controller code, and its drivers, signed with two stolen code-signing certificates, pass validation. The goal of Stuxnet is to sabotage a specific physical system by reprogramming embedded controllers to operate outside their nominal bounds; it achieves this by intercepting the routines that read, write, and locate PLC code blocks and data, which also lets it conceal the modified logic from the engineering workstation. Many security companies state that Stuxnet is the most sophisticated attack they have ever analyzed [3], and it is estimated to have infected 50,000–100,000 computers. Its primary target is believed to be the Natanz uranium enrichment facility in Iran, where it likely caused a 15% drop in the output of enriched uranium [4].

PCSes are usually assembled from commercial-off-the-shelf (COTS) components and third-party intellectual property