An Enhanced Multi-Stage Semantic Attack Against Industrial Control Systems

Industrial Control Systems (ICS) play a very important role in national critical infrastructures. However, the growing interaction between the modern ICS and the Internet has made ICS more vulnerable to cyber attacks. In order to protect ICS from malicious attacks, intrusion detection technology emerges. By analyzing the network meta data or the industrial process data, Intrusion Detection Systems (IDS) can identify attacks that violate communication protocols or system specifications. However, the existing intrusion detection technology is not omnipotent, which opens up a back door for some more advanced attacks. In this work, we design an enhanced multi-stage semantic attack against ICS, which is undetectable by existing IDS. By hijacking the communication channels between the Human Machine Interface (HMI) and the remote Programmable Logic Controllers (PLCs), the attacker can manipulate the measurement data and control instructions simultaneously. The fake measurement data deceives the human operator into making wrong decisions. Furthermore, the attacker can strategically manipulate the semantic meaning of control instructions according to system state transition rules. In the meanwhile, a fake view of measurement data is presented to the HMI to conceal the on-going malicious attack. This attack is totally stealthy since the message sizes and timing, the command sequences, and the system state values are all legitimate. Consequently, this attack can secretly bring the system into critical states. Experimental results have verified the strong attack ability of the proposed attack.