
Time Constant: Actuator Fingerprinting using Transient Response of Device and Process in ICS

Chuadhry Mujeeb Ahmed, Matthew Calder, Sean Gunawan, Jay Prakash, Shishir Nagaraja, Jianying Zhou

TL;DR

Time Constant introduces a joint actuator and process transient fingerprint that uniquely identifies actuators and their states in ICS by exploiting transient dynamics observable in sensor data. The authors couple offline system identification with an online fingerprinting pipeline and augment security with a PLC-internal watermark to counter replay attacks, validated on SWaT and lab setups. Key contributions include (i) a new Time Constant fingerprint from device and process transients, (ii) a watermarking scheme with randomness validated by NIST tests, (iii) CUSUM-based attack detection, and (iv) information-theoretic evidence of fingerprint uniqueness. The approach offers a practical defense against insider command-injection and replay threats, leveraging physical-process timing and secure, in-system watermarking with real-world deployment feasibility in SWaT.

Abstract

Command injection and replay attacks are key threats in Cyber Physical Systems (CPS). We develop a novel actuator fingerprinting technique named Time Constant. Time Constant captures the transient dynamics of an actuator and physical process. The transient behavior is device-specific. We combine process and device transient characteristics to develop a copy-resistant actuator fingerprint that resists command injection and replay attacks in the face of insider adversaries. We validated the proposed scheme on data from a real water treatment testbed, as well as through real-time attack detection in the live plant. Our results show that we can uniquely distinguish between process states and actuators based on their Time Constant.
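The abstract describes two pieces: a Time Constant fingerprint extracted from the transient a sensor records after an actuator command, and CUSUM-based detection on that fingerprint. The following Python is an added illustration of that pipeline, not the paper's code or data. It assumes the textbook setting in which a time constant is defined, a first-order process responding to a step (the time to reach about 63% of the settled value), fits the time constant from each noisy transient, builds an actuator profile from calibration runs (the offline phase), and then runs a two-sided CUSUM over later estimates so that a transient whose timing does not match the profile raises an alarm (the online phase). The first-order model, the noise level, the time constants (8 s for the profiled actuator, 12 s for a mismatched process) and the CUSUM parameters are all assumptions chosen for this example; the paper's own models, SWaT data and thresholds are not reproduced here.

```python
"""Added example (not the paper's code): estimate a first-order time constant
from a sensor transient and monitor the estimates with a two-sided CUSUM.
The first-order model, noise level, time constants and CUSUM parameters are
assumptions chosen for this illustration."""
import math
import random
from typing import List, Optional, Tuple


def simulate_step_response(tau: float, dt: float, n: int, noise: float,
                           rng: Optional[random.Random] = None) -> List[float]:
    """Constructed sensor trace: a unit step is applied at t = 0 to a
    first-order process, y(t) = 1 - exp(-t / tau), plus Gaussian noise.
    With rng=None a fixed seed is used so the trace is reproducible."""
    rng = rng if rng is not None else random.Random(0)
    return [1.0 - math.exp(-(k * dt) / tau) + rng.gauss(0.0, noise)
            for k in range(n)]


def estimate_time_constant(samples: List[float], dt: float) -> float:
    """Fit tau by least squares on ln(1 - y / y_inf) = -t / tau, using only
    the part of the transient between 5% and 95% of the settled value;
    y_inf is taken as the mean of the last tenth of the trace."""
    tail = samples[-max(1, len(samples) // 10):]
    y_inf = sum(tail) / len(tail)
    num = den = 0.0
    for k, y in enumerate(samples):
        frac = y / y_inf
        if 0.05 < frac < 0.95:
            z = -math.log(1.0 - frac)  # equals t / tau under the model
            t = k * dt
            num += t * z
            den += z * z
    if den == 0.0:
        raise ValueError("no usable transient samples")
    return num / den  # tau minimising sum (t - tau * z)^2


def build_profile(tau: float, runs: int, dt: float, n: int, noise: float,
                  rng: random.Random) -> Tuple[float, float]:
    """Offline phase: mean and spread of the time-constant estimates over
    several calibration transients of the genuine actuator. The 5% floor on
    the spread guards against a degenerate profile from few runs (assumed)."""
    ests = [estimate_time_constant(simulate_step_response(tau, dt, n, noise, rng), dt)
            for _ in range(runs)]
    mu = sum(ests) / len(ests)
    var = sum((e - mu) ** 2 for e in ests) / max(1, len(ests) - 1)
    return mu, max(math.sqrt(var), 0.05 * mu)


def cusum_monitor(values: List[float], mu: float, sigma: float,
                  k: float = 0.5, h: float = 5.0) -> Optional[int]:
    """Online phase: two-sided CUSUM on standardised deviations of each new
    estimate from the profile. Returns the index of the first alarm, else None."""
    s_pos = s_neg = 0.0
    for i, v in enumerate(values):
        z = (v - mu) / sigma
        s_pos = max(0.0, s_pos + z - k)  # drift upward (slower transient)
        s_neg = max(0.0, s_neg - z - k)  # drift downward (faster transient)
        if s_pos > h or s_neg > h:
            return i
    return None


def demo(seed: int = 1) -> Tuple[float, float, List[float], Optional[int]]:
    """Constructed scenario: profile an actuator with tau = 8 s, then monitor
    10 genuine transients followed by 10 from a process whose time constant
    (12 s) does not match the profile."""
    rng = random.Random(seed)
    dt, n, noise = 0.5, 160, 0.01
    mu, sigma = build_profile(8.0, 20, dt, n, noise, rng)
    observed = [8.0] * 10 + [12.0] * 10
    ests = [estimate_time_constant(simulate_step_response(t, dt, n, noise, rng), dt)
            for t in observed]
    return mu, sigma, ests, cusum_monitor(ests, mu, sigma)


if __name__ == "__main__":
    mu, sigma, ests, alarm = demo()
    print(f"profile tau = {mu:.2f} s (sigma {sigma:.2f})")
    print("estimates:", [round(e, 2) for e in ests])
    print("first CUSUM alarm at transient index:", alarm)
```

Running `demo()` profiles the 8 s actuator and raises the first alarm at the first transient of the 12 s process (index 10), while the ten genuine transients before it stay below the CUSUM threshold. The log-linear fit is what makes the fingerprint depend on the shape of the transient rather than on its final value, which is the property the abstract relies on: a replayed or injected command can reproduce a sensor's steady-state reading far more easily than the timing with which the physical process reaches it.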

Paper Structure

This paper contains 36 sections, 20 equations, 16 figures, 7 tables.

Figures (16)

  • Figure 1: The idea: Fingerprint is based on the temporal characteristics of device movement and process transients.
  • Figure 2: (a) Stage 1 of SWaT as a running example. MV: motorized valve, FIT: flow sensor, LIT: level sensor and P: pump. (b) Attack on the control command channel between a PLC and an actuator. Control commands and actuator responses are vulnerable to MITM, motivating the need to validate the control plane.
  • Figure 3: Design Overview: The offline phase extracts data composed of control commands and sensor outputs from the physical plane. The online phase computes Time Constant fingerprints, while continually refreshing the actuator and process profiles using fresh data.
  • Figure 4: Closed-loop control (MV-101) based on level sensor (LIT-101). Flow sensor (FIT-101) directly captures the transients when MV-101 opens, and LIT-101 reflects that transient through the change in the water level from the low set-point.
  • Figure 5: Two different models obtained via system identification can predict the sensor measurements, capturing the closed-loop feedback control and transients; the predictions are robust to small inaccuracies in the system model.
  • ...and 11 more figures