The new techniques will help detect hidden attacks that can paralyze automated production, fire safety, or medical monitoring systems. A paper describing the researchers’ findings has been published in the International Journal of Computers and Applications.
Many people, including those who aren’t very familiar with computer technologies, have heard the term “denial-of-service (DoS) attack”. DoS attacks allow malefactors to disrupt the availability of websites that belong to stores and media or government organizations. In order to perform such an attack, all they need to do is to infect a sufficient number of computers with a virus and make them request the given web resource simultaneously. As a result, the server becomes overloaded and the site no longer accessible to other users.
The same approach can be used to disrupt the functionality of not only websites, but production facilities, too. The thing is, facilities equipped with cutting-edge technologies – such as large Internet of Things (IoT) networks and cyber-physical systems that connect thousands of sensors monitoring conveyors, machine tools, and the quality of final products – also use data transmission networks.
A similar principle is being implemented in modern hospitals, too. Operator terminals receive information about the condition of all patients in a department at once. Malefactors can use such automated systems in order to organize a DoS attack inside a facility.
“As of now, the most common pattern for IoS networks is called “client–server”. It means that you visit a site (server) using your device (client) and search for information, make purchases, watch movies, or use maps,” explains Dmitrii Dikii, a PhD student at the ITMO University’s Faculty of Secure Information Technologies. “However, another pattern is often more convenient when it comes to the Internet of Things. It’s called “publish-subscribe”. It’s somewhat similar to Instagram. You subscribe to a topic, and when anyone posts something with the corresponding hashtag, you receive a notification about it. The main idea behind it is reducing outgoing traffic from the device. A sensor publishes information once, and then a special gateway retransmits it to all users. This principle lies at the foundation of the Internet of Things: data is published once in a while, and a specified group of users receives it. Such a system is very convenient, but it can be easily disrupted by a DoS attack.”
How to break a factory
Attacking the IoT network of a factory or a hospital is similar to attacking a website. The main goal here is to overload the system so that it wouldn’t be able to process all the data. However, there are differences. Here, we are talking about attacking a closed network, which isn’t typically accessible from the outside.
The architecture of an IoT network is similar to a telephone switchboard. Imagine that there are 10,000 sensors at a facility. One in ten sensors transmits information about the speed of a conveyor. The chief engineer, head of production, and operator of the quality department receive this data, but workers at the supply department don’t. Another 10% of sensors monitor the level of oil in machines and send information about it to the service department and the on-duty repairman, but don’t send it to the quality department.
All sensors at the facility transmit data labeled with the name of its recipient. The messages reach a gateway where the program decides who needs to receive this or that message according to the label. It is here, in the most “narrow” place of the system, that a malefactor can strike.
That can be done using several methods. For example, they can hack the system itself by infecting the sensors so that they send messages not only to the labeled recipients, but also to all the computers in the system at once: from the conveyor operator on duty to the head of the facility. It’s not that hard to do, as there may be several thousand sensors, and often even a password isn’t necessary to connect to the network.
Even if the network is secured by a login and password, these are usually very simple and present no obstacle to an experienced hacker. At the same time, it's important to understand that even two or three infected devices can disrupt the entire system – if each of them transmits 100 MB of data, it will be sent to hundreds of computers overall. This way, the gateway will generate several dozen gigabytes of data.
Another attack technique doesn’t even require sensors to be hacked. A malefactor can simply try to connect another monitoring device to the system. It might work even if the system hasn’t ever accepted an unknown device.
“We just send out many requests to join the network and although the response is negative, it still wastes the gateway’s process time causing it to no longer cope with the load,” says Dmitrii Dikii. “It happens due to the fact that authentication happens via a secured connection that uses cryptographic transformations. Since the sensors don’t have a lot of computing power, it happens relatively slowly. A connection request is sent out, then the server “invites” them to connect, but in order to do so the sensors need to perform certain calculations and give a response, on the basis of which the server decides whether everything is alright. Even if the response is negative, the CPU time has already been spent on evaluation of the response, and the connection channel has been open all this time. Such actions can overload the system to such an extent that legitimate devices won’t be able to connect, or the time of processing their messages will significantly increase.”
The importance of mere seconds
Even though this algorithm seems simple, it’s hard to detect it being used in a facility. A regular DoS attack is obvious to cybersecurity experts, as thousands of users send requests simultaneously. It’s not as clear when someone’s hacking an IoT network. The workload isn’t so extreme, and the attack usually doesn’t lead to a complete shutdown.
“Such attacks can slow down the transmission of data from sensors,” explains Dmitrii Dikii. “It usually takes up to 60 milliseconds to transfer data from the device to a user on our test stand, but this interval can increase for up to 3-30 seconds during an attack. Sometimes, data may even be lost completely.”
It may seem that half a minute is not such a long time, but it can be crucial in a well-established automated system. It’s hard to imagine what might happen if, say, the fire safety system is paralyzed for half a minute at a paint and varnish facility.
The consequences may be far more tragic if the operator doesn’t receive information about the condition of patients in the intensive care unit for half a minute. Mere seconds may lead to a lot of damage.
At the same time, it’s important not to confuse an attack with a real emergency, during which the sensors transmit information about a critical error in the production process. Finally, the difficulty lies in the fact that external security systems don’t have access to the gateway's core – to information on how many users receive this or that information.
“The majority of scientists who work in cybersecurity develop standalone means of information security. Gateways are executable software components that don’t allow others ‘inside’ themselves. For example, in order to access the list of subscribers, in our project it was necessary to modify their source code. This significantly complicates the development and integration of security tools,” adds Dmitrii Dikii.
How to locate an intrusion
Scientists from ITMO University attempted to solve the problem of detecting such attacks by getting inside the protocol used to process signals from sensors and transmit them to users. They created a system that analyzes the traffic coming from sensors to users through the gateway and checks whether the amount of information, its content, and the number of its recipients have changed dramatically.
“We analyze the behavior of the sensor before and during the attack: to whom, how, and how many messages are sent,” says Dmitrii Dikii. “If the number of subscribers increases drastically, then this is a sure sign that the system is being attacked. The main thing is to distinguish between legitimate and illegitimate data growth quickly. So, if the amount of data in a message has increased, for example, by 2-3 times, but the number of subscribers and the frequency of messages didn’t grow, then there is likely an attempt to disrupt our system.”
To solve this problem, the scientists used machine learning methods: artificial neural networks, support vector machines, etc. They managed to achieve the correct classification of legitimate and illegitimate traffic with a probability of about 98%.
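The per-sensor comparison described above can be sketched with fixed thresholds. This is an added example, not the researchers' system: it replaces their machine-learning classifiers with a simple ratio test, and the record layout, sensor names, label names and the 2x threshold are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed gateway records: (window, sensor, payload_bytes, recipients).
# Window 0 is the learned baseline, window 1 is the interval under test.
SAMPLE = [
    (0, "conveyor-1", 100, 3), (0, "conveyor-1", 100, 3), (0, "conveyor-1", 100, 3),
    (1, "conveyor-1", 300, 3), (1, "conveyor-1", 300, 3), (1, "conveyor-1", 300, 3),
    (0, "oil-7", 80, 2), (0, "oil-7", 80, 2),
    (1, "oil-7", 80, 200), (1, "oil-7", 80, 200),
    (0, "temp-3", 50, 4), (0, "temp-3", 50, 4),
    (1, "temp-3", 120, 4), (1, "temp-3", 120, 4), (1, "temp-3", 120, 4),
    (1, "temp-3", 120, 4), (1, "temp-3", 120, 4), (1, "temp-3", 120, 4),
    (1, "probe-x", 64, 1),
]

def features(records, window):
    """Per-sensor message count, mean payload size and peak fan-out."""
    rows = defaultdict(list)
    for win, sensor, size, recipients in records:
        if win == window:
            rows[sensor].append((size, recipients))
    return {s: {"msgs": len(r), "bytes": mean(x[0] for x in r),
                "fanout": max(x[1] for x in r)} for s, r in rows.items()}

def detect(records, base_win, cur_win, ratio=2.0):
    """Map each sensor seen in cur_win to a list of anomaly labels."""
    base, cur = features(records, base_win), features(records, cur_win)
    report = {}
    for sensor, now in cur.items():
        if sensor not in base:           # device never seen while learning
            report[sensor] = ["no-baseline"]
            continue
        grew = {k: now[k] >= ratio * base[sensor][k] for k in now}
        labels = []
        if grew["fanout"]:               # recipients jumped: attack indicator
            labels.append("subscriber-surge")
        if grew["bytes"] and not grew["msgs"] and not grew["fanout"]:
            labels.append("payload-inflation")  # bigger messages, nothing else moved
        report[sensor] = labels
    return report

if __name__ == "__main__":
    for sensor, labels in sorted(detect(SAMPLE, 0, 1).items()):
        print(sensor, labels or "ok")
```

In the constructed data, `temp-3` sends larger messages and also sends them more often, so the payload rule does not fire; how such bursts should be told apart from a real emergency is left to the classifier in the original work.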
Another interesting task, in addition to detecting the attack, is identifying its source. In the developed model, the researchers were able to create an algorithm that determines what exactly appears as the source of an attack: a separate device, a hacked account or a node of the network.
So far, production systems based on the Internet of Things are only beginning to develop, but in the future there will be more and more such enterprises, medical institutions, and power plants. There is now a specific term – Industry 4.0 – that describes the widespread transition to automated facilities and operations. Therefore, it’s crucial to research the potential vulnerabilities of automated systems and develop effective means of protecting them from malefactors.
The research was carried out within the framework of grants from the Russian Foundation for Basic Research (no. 19-37-90051), the Ministry of Education and Science (information security, no. 11/2020), and ITMO R&D grant no. 620164.