• DocumentCode
    3718809
  • Title

    Remotely inferring device manipulation of industrial control systems via network behavior

  • Author

    Georgios Lontorfos;Kevin D. Fairbanks;Lanier Watkins;William H. Robinson

  • Author_Institution
    Johns Hopkins University, Information Security Institute, USA
  • fYear
    2015
  • Firstpage
    603
  • Lastpage
    610
  • Abstract
    This paper presents preliminary findings on a novel method to remotely fingerprint a network of Cyber Physical Systems and demonstrates the ability to remotely infer the functionality of an Industrial Control System device. A monitoring node measures the target device's response to network requests and statistically analyzes the collected data to build and classify a profile of the device's functionality via machine learning. As ICSs are used to control critical infrastructure processes such as power generation and distribution, it is vital to develop methods to detect tampering. A system employing our measurement technique could discover if an insider has made unauthorized changes to a device's logic. Our architecture also has advantages because the monitoring node is separate from the measured device. Our results indicate the ability to accurately infer (i.e., using a tunable threshold value) discrete ranges of task cycle periods (i.e., CPU loads) that could correspond to different functions.
  • Keywords
    "Monitoring","Telecommunication traffic","Feature extraction","Fingerprint recognition","Delays","Time factors","Central Processing Unit"
  • Publisher
    ieee
  • Conference_Titel
    Local Computer Networks Conference Workshops (LCN Workshops), 2015 IEEE 40th
  • Type

    conf

  • DOI
    10.1109/LCNW.2015.7365904
  • Filename
    7365904