Cyber Physical System Security by Splunk

Kundankumar Rameshwar Saraf * P. Malathi **

* Capgemini Technology Services India Ltd, Pune, Maharashtra, India.

** Department of Electronics and Telecommunication Engineering, D.Y. Patil College of Engineering, Pune, Maharashtra, India.

Abstract

Cyber Physical System (CPS) is an integration of sensing, monitoring and analyzing devices connected with each other and establishes communication through internet. This system is prone to many cyber-attacks such as Man-In-The-Middle Attack, Denial of Service Attack, Cross-Site Scripting Attack, SQL Injection Attack, Password Cracking Attack, etc. Present security measures to protect CPS against cyber-attacks includes use of Intrusion Detection System (IDS), Firewalls, Anti-Malware, Anti-Virus, Anti-Spyware, HTTPS/SSH Encryption, Faradays Cage, Password Policy with periodic password change, Least Privileges, Strong Code, Intrusion Prevention System (IPS), etc. All these security measures have one or more challenges in their implementation such as reduced performance, higher power consumption, high transmission delays, huge cost, etc. Also, firewall, IPS, antivirus can only prevent the known threats. Today, many threats have no fixed pattern and their pattern are adaptable. Hence, all these intrusion prevention and protection systems becomes ineffective to protect the CPS against cyber-attacks. This paper reviews how Splunk Enterprise Security (Splunk ES) can be used to secure the CPS against all known, unknown and adaptable cyber threats with minimum user efforts and cost. Operation Technology Option in Splunk ES provides real time predictive analysis of cyber-attacks. By using artificial intelligence, machine learning and behavioral analysis, Splunk can predict any cyber-threat to CPS, 30 to 45 minutes in advance. Splunk can trigger the alert to CPS administrator who can implement the precautionary measures and protect the CPS before the actual occurrence of cyber-attack. This research performs the demonstration of cyber-attack on CPS and shows the result generated by Splunk ES.

Keywords :

Cyber-Attack,
Cyber Physical System,
Operation Technology,
Splunk Enterprise Security.

Introduction

Cyber Physical Systems (CPS) plays important role in Industry 4.0 revolution. Real time and accurate working of all remotely interconnected devices is the key power of CPS. CPS is integration of cyber system with physical system for exchange of various sensitive data in real time (Poon et al., 2006). The main role of CPS in industry 4.0 revolution is to fulfil the dynamic and agile production requirement to improve the efficiency and effectiveness of entire industry (Chun et al., 2010). Effective use of CPS in Industry 4.0 increases the gross value of German business up to 267 billion Euros by 2025 (Rad et al., 2015). CPS is a network of various interconnected embedded systems. These systems can monitor, analyse and manipulate various IoT related objects and processes. Sensors, aggregators and actuators are the three main components of CPS. CPS system adapt and control the physical world by sensing surrounding environment (Haidegger et al., 2020). Using real time computations, the CPS can change the run time processes (Siddappaji & Akhilesh, 2020). Table 1 shows various applications of CPS along with description (Yaacoub et al., 2020).

Table 1. CPS Applications

CPS can be used in power transmission system, communication system, agriculture system and military system (Chen, 2010). It can also be used in drones, robotics and autonomous cars (Bou-Harb, 2016; Miller & Valasek, n.d.) Medical services can be enhanced by the use of CPS (Sklavos & Zaharakis, 2016).

1. Problem Formulation

Large scale deployment of CPS are prone to multiple cyber-attacks due to the heterogeneous nature of CPS. The main reason for these attacks is the dependency of sensitive and private data on CPS. These cyber-attacks lead to catastrophic effects on CPS which leads to offensive network overhead with unaccepted latency.

CPS are also susceptible to zero-day vulnerabilities issue which must be minimized by regularly updating its software, application and operating system.

1.1 Related Work

Several research papers explain various CPS security goals (Alguliyev et al., 2018; Humayed et al., 2017; Ye et al., 2016; Yoo & Shon, 2016). The method to maintain CPS security has been presented in Ye et al. (2016). Johnson (2010) and, Kumar and Patel (2014) explained challenges with CPS security issues. The big data security issues in CPS were explained in Kocabas et al. (2016) and Lai et al. (2019). IoT storage issues are explained in Abera et al. (2016). Operating system vulnerabilities were presented in Chen et al. (2016). The cryptographic algorithms can protect the CPS against cyber-attacks (Francillon & Castelluccia, 2008; Roemer et al., 2012). The comprehensive CPS security in terms of vulnerabilities, attacks and threats are not presented in the reviewed literature.

This paper presents the proactive CPS monitoring and threat detection using Splunk Enterprise Security platform.

1.2 Motivation

Various critical infrastructures such as smart grid, agriculture, military, healthcare, automobile sector, supply chain uses CPS. Hence, CPS is an attractive target for attackers to gain the large financial gain. The goals of CPS security attacks can be carried out by criminals and terrorists for economic and political gain. These attacks break the confidentiality, integrity and availability of CPS information. Hence, for wide spread use of CPS in all sectors, CPS security against all external, internal, active and passive attack is of prime important.

The main motivation of this work is to identify all cyberattacks on CPS using Splunk ES before their actual occurrence. Also, post attack CPS condition can be determined by Splunk ES.

2. Background of CPS

2.1 CPS Layers and Components

CPS architecture consist of various layers and components. The three layers, viz., perception, transmission and application communicate using different technologies and communication protocols. Table 2 details the components in each layer, their objectives, the target of the attach and the possible security measures.

Table 2. CPS Layers

2.1.1 Perception Layer

At this layer, CPS collects the data from physical world using sensors and other components. This data includes heat, electrical signal, location, power consumption, sound and light signal.

This layer is subjected to passive reply, eavesdropping and port scanning attack. This attack mainly threatens the confidentiality and authentication of information. To secure CPS against these attacks data protection needs to be established using trust management and source authentication.

2.1.2 Transmission Layer

This layer interchanges the data between perception and application layer. This layer uses internet, Wi-Fi, cloud and access point for data transmission. This layer is subjected to Man-in-the-middle (MitM), Denial-of-service (DoS), Distributed-Denial-of-Service (DDoS), repudiation and replay attack. This attack breaches confidentiality, integrity, availability and authentication of data. Strong password policy and strong authentication method helps CPS to secure against these attacks.

2.1.3 Application Layer

This layer processes the received information from transmission layer, analyze the data and take the decision based on received data. This layer issues appropriate commands to sensors and actuators. This layer is prone to various attacks such as Malicious Code Injection, Botnets malware, Trojans, Worms and Buffer Overflow attack. These attacks mainly breaches the confidentiality, security, safety, and authentication of data.

To overcome the attack on this layer, strong authentication and authorization must be implemented. Trust management must be implemented along with Firewall, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).

3. Cyber Attacks on CPS

CPS is highly prone to malicious code injection attacks (Chen et al., 2016; Francillon & Castelluccia, 2008). CPS is also susceptible to code-reuse attack (Roemer et al., 2012), and false data injection attack (FDIA) (Francillon & Castelluccia, 2008), non-control data attacks (Hu et al., 2016) and Control-Flow Attestation (C-FLAT) attacks are also observed on CPS. Some other common cyber-attacks on CPS are briefly explained.

3.1 Eavesdropping

Attacker intercepts the non-secure CPS network to obtain the sensitive credentials such as username and password etc. In passive eavesdropping, attacker only listens to the transmitted message by CPS components. In active eavesdropping, attacker performs scanning, spoofing probing and message tampering to gain the sensitive information.

3.2 Cross-Site Scripting (XSS)

In this attack third-party execute the malicious code on targeted CPS related employee browsers. This script achieves session hijacking, key stroke logging, unauthorized remote victim's machine access etc.

3.3 SQL Injection (SQLi)

Attacker read and modify the SQL database of CPS. Some CPS are relying on SQL data management (Gudivada et al., 2018). Using SQLi attack, the attacker can shut down the SQL database and interrupt the CPS operation.

3.4 Password Cracking

This attack mainly targets the CPS authenticity (Davi et al., 2010; Loukas, 2015). In this attack, attacker cracks the password of engineers and managers to gain the access of CPS related to sensitive data. This attack uses brute force attack method (Owens & Matthews, 2008) and dictionary attack method (Narayanan & Shmatikov, 2005).

3.5 Phishing Attack

Attacker can perform email phishing, vishing, spear phishing attack on CPS engineers and specialists. Using this attack, the attacker can hack the complete system of these professionals.

3.6 Replay Attack

This attack affects the real-time CPS operation performance by intercepting the transmitted and received packets between Industrial Control Systems (ICSs), Remote Terminal Units (RTUs), and Programmable Logic Controllers (PLCs). This affects the availability of CPS.

3.7 DoS/DDoS

Denial-of-Service (DoS) and Distributed-Denial-of-Service (DDoS) attack floods the CPS components by multiple requests and crash the CPS operation. This attack uses blackhole (Al-Shurman et al., 2004), teardrop (Solankar et al., 2015), ping-of-death (Yihunie et al., 2018), smurf (Kumar, 2007) methods, etc., to make the CPS unavailable for its legitimate users.

3.8 TCP SYN Flood Attack

This attack exploits TCP handshake process by multiple SYN request to CPS. Attacker do not respond back to the server which results in buffer overflow error (Shrouf et al., 2014). This attack crashes the CPS.

3.9 Watering Hole Attack

In this attack, attacker scans for the weaknesses of CPS and on the identification of weakness, the selected CPS website will be manipulated watering hole attack and by backdoor, rootkits or zero-day exploit (Lemon et al., 2002).

3.10 Malware

In this, attacker steals the CPS data or harm the working of CPS devices using various malwares such as botnets, spyware, ransomware, trojan, rootkit, worm, virus, etc.

4. Introduction to Splunk Enterprise Security (Splunk ES)

Splunk is a software platform used to analyse machinegenerated data from networks, hardware devices, servers, IoT devices, etc. User can create meaningful dashboard, reports, data models and alerts by monitoring the real time logs generated from these devices. Splunk Enterprise Security and Splunk IT Service Intelligence are two add-on of Splunk which are used to proactively monitor various cyber threats on all Splunk connected devices.

This paper uses Splunk Enterprise Security to monitor the cyber-attacks on CPS. The logs from various sensors and actuators located at perception layer are collected by using intermediate forwarder. These logs are then transmitted to heavy forwarder. This forwarder transfers the logs to indexer. Indexer stores these logs in the form of indexes. From search head one can search the required data over the CPS.

4.1 Data Transmission from CPS to Splunk ES

Figure 1 shows the data transmission from CPS to Splunk ES. The present system implements indexer clustering architecture with three indexers forming a cluster and they can index maximum up to 100 GB of data from forwarders. Forwarders takes the logs from all perception layer components using 514 UDP port and send these logs to indexers using 9997 TCP port. Indexer creates the indexes. Search head can read these indexed data using 8089 TCP port. The indexers used by Splunk Enterprise or Splunk IT Service Intelligence (ITSI) can index up to 350 GB of data. But the indexers used by Splunk Enterprise security can index maximum up to 150 GB of data.

Figure 1. CPS to Splunk Enterprise Security Data Transmission

4.2 Splunk Add-On for OT Security

To improve the security visibility in Operational Technology (OT) environment, this research uses Splunk Add-on for OT Security. This add-on expands the capacity of Splunk Enterprise Security. The Figure 2 shows OT security posture dashboard. Relative risk of CPS of over time is shown by Risk Score. As shown in the Figure 2, totally 238 devices are connected with Splunk Enterprise Security out of which every device has medium risk with 66.9 score. Currently 35 devices are facing a security threat. The alerts are created by pre-configured correlation searches, i.e., notable events are generated in the occurrence of any security threat or unexpected CPS behaviour. Currently 9 notable events are created by Splunk ES which can predict that in next 30 to 45 minutes 9 types of cyber-attacks or any other threats will be injected to CPS. By this prior intimation the user can drill down the details of all these 9 notable events and secure the CPS from these 9 predictable situations.

Figure 2. OT Security Posture Dashboard

After predicting the anticipated threat on 9 devices, user can perform the detailed investigation of each and every device in OT Asset Investigator dashboard as shown in Figure 3. In this investigation by OT Asset Information, user can understand the model of device, its location, risk priority, etc. By observing OT Asset Behavioral Indicator panel user can analyse the risk score change in last 48 hours, total number of devices connected with the risky device, total number of network ports accessed by risky device and total number of sessions created by risky device.

Figure 3. OT Security Investigator Dashboard

Using these two dashboards, user can estimate and identify the priority of the critical devices. Based on the analysis, the user can make a decision to secure the critical and high priority devices. After securing the high priority devises, the user can secure low priority devices. In this way, the entire CPS can be proactively monitored and secured with Splunk ES.

Conclusion

This paper explains the architecture of Cyber Physical System. Various attacks on each layer of this architecture are explained in detail. These attacks degrade the performance of CPS. Hence, it is essential to secure the CPS against all these cyber-attacks. After the cyber-attack, the working of CPS is already disturbed and mitigation efforts are unproductive. Hence, it is essential to proactively monitor the cyber-attack in CPS and remove the critical and high priority threats from CPS. This can be done using Splunk Enterprise Security platform. This platform uses OT Security add-on by which one can monitor the risk of all CPS components. The details of the OT Security add-on dashboards are explained in this paper.

Finally, it can be concluded that the Splunk ES is a good solution to proactively monitor all cyber-attacks on the entire enterprise CPS.

References

[1]. Abera, T., Asokan, N., Davi, L., Ekberg, J. E., Nyman, T., Paverd, A., ... & Tsudik, G. (2016, October). C-FLAT: Control flow attestation for embedded systems software. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 743-754). https://doi.org/10.1145/2976749.2978358

[2]. Alguliyev, R., Imamverdiyev, Y., & Sukhostat, L. (2018). Cyber-physical systems and their security issues. Computers in Industry, 100, 212-223. https://doi.org/10.10 16/j.compind.2018.04.017

[3]. Al-Shurman, M., Yoo, S. M., & Park, S. (2004, April). Black hole attack in mobile ad hoc networks. In Proceedings of the 42^nd Annual Southeast Regional Conference (pp. 96- 97). https://doi.org/10.1145/986537.986560

[4]. Bou-Harb, E. (2016, November). A brief survey of security approaches for cyber-physical systems. In 2016, 8^th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (pp. 1-5). IEEE. https://doi.org/ 10.1109/NTMS.2016.7792424

[5]. Chen, D. D., Woo, M., Brumley, D., & Egele, M. (2016, February). Towards automated dynamic analysis for Linuxbased embedded firmware. In The Network and Distributed System Security Symposium. https://doi.org/ 10.14722/ndss.2016.23415

[6]. Chen, T. M. (2010, April). Survey of cyber security issues in smart grids. In Cyber Security, Situation Management, and Impact Assessment II; and Visual Analytics for Homeland Defense and Security II (Vol. 7709). International Society for Optics and Photonics. https://doi.org/10.1117/ 12.862698

[7]. Chun, I., Park, J., Kim, W., Kang, W., Lee, H., & Park, S. (2010, February). Autonomic computing technologies for cyber-physical systems. In 2010, The 12th International Conference on Advanced Communication Technology (ICACT) (Vol. 2, pp. 1009-1014). IEEE.

[8]. Davi, L., Dmitrienko, A., Sadeghi, A. R., & Winandy, M. (2010). Privilege escalation attacks on android. In International Conference on Information Security (pp. 346–360). Springer.

[9]. Francillon, A., & Castelluccia, C. (2008, October). Code injection attacks on harvard-architecture devices. In Proceedings of the 15^th ACM conference on Computer and Communications Security (pp. 15-26). https://doi.org/ 10.1145/1455770.1455775

[10]. Gudivada, V. N., Ramaswamy, S., & Srinivasan, S. (2018). Data management issues in cyber-physical systems. In Transportation Cyber-Physical Systems (pp. 173- 200). Elsevier. https://doi.org/10.1016/B978-0-12-814295- 0.00007-1

[11]. Haidegger, T., Virk, G. S., Herman, C., Bostelman, R., Galambos, P., Györök, G., & Rudas, I. J. (2020). Industrial and medical cyber-physical systems: Tackling user requirements and challenges in robotics. In Recent Advances in Intelligent Engineering (pp. 253-277). Cham: Springer. https://doi.org/10.1007/978-3-030-143 50-3_13

[12]. Hu, H., Shinde, S., Adrian, S., Chua, Z. L., Saxena, P., & Liang, Z. (2016, May). Data-oriented programming: On the expressiveness of non-control data attacks. In 2016, IEEE Symposium on Security and Privacy (SP) (pp. 969-986). IEEE. https://doi.org/10.1109/SP.2016.62

[13]. Humayed, A., Lin, J., Li, F., & Luo, B. (2017). Cyberphysical systems security—A survey. IEEE Internet of Things Journal, 4(6), 1802-1831. https://doi.org/10.1109/JIOT.201 7.2703172

[14]. Johnson, R. E. (2010, November). Survey of SCADA security challenges and potential attack vectors. In 2010, International Conference for Internet Technology and Secured Transactions (pp. 1-5). IEEE.

[15]. Kocabas, O., Soyata, T., & Aktas, M. K. (2016). Emerging security mechanisms for medical cyber physical systems. IEEE/ACM Transactions on Computational Biology and Bioinformatics, 13(3), 401-416. https://doi.org/10.11 09/TCBB.2016.2520933

[16]. Kumar, J. S., & Patel, D. R. (2014). A survey on internet of things: Security and privacy issues. International Journal of Computer Applications, 90(11), 20-26.

[17]. Kumar, S. (2007, July). Smurf-based distributed denial of service (DDoS) attack amplification in internet. In Second International Conference on Internet Monitoring and Protection (ICIMP 2007) (pp. 25-25). IEEE. https://doi.org/ 10.1109/ICIMP.2007.42

[18]. Lai, C., Cordeiro, P., Hasandka, A., Jacobs, N., Hossain-McKenzie, S., Jose, D., ... & Martin, M. (2019). Cryptography considerations for distributed energy resource systems. In 2019, IEEE Power and Energy Conference at Illinois (PECI) (pp. 1-7). IEEE. https://doi.org/ 10.1109/PECI.2019.8698907

[19]. Lemon, J. (2002, February). Resisting SYN flood DoS attacks with a SYN cache. In BSD Conference (Vol. 2002, pp. 89-98).

[20]. Loukas, G. (2015). Cyber-physical attacks: A growing invisible threat. Butterworth-Heinemann.

[21]. Miller, C., & Valasek, C. (n.d.). A survey of remote automotive attack surfaces. Retrieved from https://dl. packetstormsecurity.net/papers/attack/remote-attacksurfaces. pdf

[22]. Narayanan, A., & Shmatikov, V. (2005, November). Fast dictionary attacks on passwords using time-space tradeoff. In Proceedings of the 12th ACM Conference on Computer and Communications Security (pp. 364-372). https://doi.org/10.1145/1102120.1102168

[23]. Owens, J., & Matthews, J. (2008, April). A study of passwords and methods used in brute-force SSH attacks. In First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET).

[24]. Poon, P. M. S., Dillon, T. S., Chang, E., & Feng, L. (2006). XML descriptor based approach for real time data messaging. In S. Lee, U. Brinkschulte, B. Thuraisingham, R. G. Pettit (Eds.). 9th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing. https://doi.org/10.1109/ISORC.2006.77

[25]. Rad, C. R., Hancu, O., Takacs, I. A., & Olteanu, G. (2015). Smart monitoring of potato crop: A cyber-physical system architecture model in the field of precision agriculture. Agriculture and Agricultural Science Procedia, 6, 73-79. https://doi.org/10.1016/j.aaspro.2015.08.041

[26]. Roemer, R., Buchanan, E., Shacham, H., & Savage, S. (2012). Return-oriented programming: Systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC), 15(1), 1-34. https://doi.org/10.11 45/2133375.2133377

[27]. Shrouf, F., Ordieres, J., & Miragliotta, G. (2014, December). Smart factories in Industry 4.0: A review of the concept and of energy management approached in production based on the Internet of Things paradigm. In 2014, IEEE International Conference on Industrial Engineering and Engineering Management (pp. 697- 701). IEEE. https://doi.org/10.1109/IEEM.2014.7058728

[28]. Siddappaji, B., & Akhilesh, K. B. (2020). Role of cyber security in drone technology. In Smart Technologies (pp. 169-178). Singapore: Springer. https://doi.org/10.1007/97 8-981-13-7139-4_13

[29]. Sklavos, N., & Zaharakis, I. D. (2016, November). Cryptography and security in internet of things (IoTs): Models, schemes, and implementations. In 2016, 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (pp. 1-2). IEEE. https://doi.org/10.1109/ NTMS.2016.7792443

[30]. Solankar, P., Pingale, S., & Parihar, R. (2015). Denial of service attack and classification techniques for attack detection. International Journal of Computer Science and Information Technologies, 6(2), 1096-1099.

[31]. Yaacoub, J. P. A., Noura, M., Noura, H. N., Salman, O., Yaacoub, E., Couturier, R., & Chehab, A. (2020). Securing internet of medical things systems: Limitations, issues and recommendations. Future Generation Computer Systems, 105, 581-606. https://doi.org/10.1016/j.future.2019.12.028

[32]. Ye, H., Cheng, X., Yuan, M., Xu, L., Gao, J., & Cheng, C. (2016, September). A survey of security and privacy in big data. In 2016, 16th International Symposium on Communications and Information Technologies (ISCIT) (pp. 268-272). IEEE. https://doi.org/10.1109/ISCIT.2016.775 1634

[33]. Yihunie, F., Abdelfattah, E., & Odeh, A. (2018, May). Analysis of ping of death DoS and DDoS attacks. In 2018, IEEE Long Island Systems, Applications and Technology Conference (LISAT) (pp. 1-4). IEEE. https://doi.org/10.1109/ LISAT.2018.8378010

[34]. Yoo, H., & Shon, T. (2016). Challenges and research directions for heterogeneous cyber–physical system based on IEC 61850: Vulnerabilities, security requirements, and security architecture. Future Generation Computer Systems, 61, 128-136. https://doi.org/10.1016/j.future. 2015.09.026