The Process Matters: Cyber Security in Industrial Control Systems The Process Matters: Cyber Security in Industrial Control Systems

An industrial control system (ICS) is a computer system that controls industrial processes such as power plants, water and gas distribution, food production, etc. Since cyber-attacks on an ICS may have devastating consequences on human lives and safety in general, the security of ICS is important. In this context, the most valuable asset is the process that is under the control of the ICS. As a result of attacks on the process, the behaviour of the process (i.e., the program output in a computer program) changes due to modifications in: (i) the automation logic (i.e., program instruction set) or (ii) the process input parameters (i.e., the program input). The detection of process manipulations through attacks is challenging as it requires the understanding of complex process dependencies in sensitive and often proprietary environments. Due to these conditions, the problem of process manipulations has not been thoroughly studied by security researchers. This thesis tackles this challenge by performing pioneering work in exploring suitable techniques for detecting process attacks in ICS. The main focus of the thesis is the problem of malicious manipulations in process input. To decompose the problem, we distinguish three attack vectors used for accomplishing an input manipulation: (i) user application (e.g., issue legitimate but malicious user commands to the plant automation), (ii) network (e.g., issue network messages to divert the process by exploiting access vulnerabilities of the network infrastructure) or (iii) field devices (e.g., trigger inappropriate automation reaction by sending false data from the field). In this thesis we analyse the first two types of input manipulations (i.e., threats carried through user application and network infrastructure) as they describe common cyber attacks (i.e., an exploitation of vulnerabilities in software through remote access). The third attack vector remains out of our scope as it typically includes hardware device tampering (e.g., on a measurement sensor). For the selected attack vectors we (i) investigate the problem and (ii) present and validate