Rapid Attack Detection, Isolation and Characterization (RADICS)
J. Reeves, S. Bratus, S.W. Smith, P. Anantharaman, M. Millian (students) with SRI, NYU, NARF, EPRI
Objectives
- Recover from attacks against critical infrastructure
- Identify the methods and behaviors of malware present in a compromised substation
- Reconfigure and harden the substation against future attacks
Key Science Methods & Advances
- Defined secure subsets of popular ICS protocols (DNP3, Modbus, IEC 61850, etc.) using our LangSec principles
- Implemented specialized input parsers based on these subsets to protect devices from malformed and/or malicious packets
- Identified and cataloged data/configuration changes made by compromised devices
- Investigated ways to modify packets to signal when devices are clean and to detect if they are re-compromised
- Incorporated our design into TIGR, a custom-built appliance that can be plugged into a compromised substation to gather information and begin recovery efforts
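The two bullets on secure protocol subsets and specialized input parsers are the LangSec core of the design. The following Python block is an added illustration of that idea, not RADICS or TIGR code: a strict recognizer for a constructed Modbus/TCP subset (only Read Holding Registers and Write Single Register, with every length field cross-checked) that rejects any frame outside the subset before a single value is interpreted. The frame set, the subset boundaries and the rejection messages are all assumptions made for the example.

```python
"""Strict recognizer for a small Modbus/TCP subset (added example).

The subset accepted here is a constructed illustration: Read Holding
Registers (0x03) and Write Single Register (0x06) only, with every length
field cross-checked. Anything outside the subset is rejected before any
value is interpreted, which is the LangSec "recognize first, act second" rule.
"""
import struct

MBAP_LEN = 7             # transaction id(2) protocol id(2) length(2) unit id(1)
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
MAX_READ_QUANTITY = 125  # Modbus application protocol limit for function 0x03


class RejectedFrame(ValueError):
    """Raised for any frame that is not in the accepted subset."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request frame, or raise RejectedFrame.

    Checks, in order: header present, protocol id is 0, MBAP length field
    equals the bytes actually present after it (no truncation, no trailing
    data), function code is on the allowlist, and the PDU has exactly the
    field layout and value ranges the allowlist permits.
    """
    if len(frame) < MBAP_LEN + 1:
        raise RejectedFrame("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise RejectedFrame(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise RejectedFrame(
            f"length field {length} does not match {len(frame) - 6} bytes present")
    pdu = frame[MBAP_LEN:]
    fc, body = pdu[0], pdu[1:]
    if fc == FC_READ_HOLDING:
        if len(body) != 4:
            raise RejectedFrame("read holding registers PDU must be exactly 4 bytes")
        start, qty = struct.unpack(">HH", body)
        if not 1 <= qty <= MAX_READ_QUANTITY:
            raise RejectedFrame(f"quantity {qty} outside 1..{MAX_READ_QUANTITY}")
        if start + qty > 0x10000:
            raise RejectedFrame("register range wraps past the 16-bit address space")
        return {"tid": tid, "unit": unit, "fc": fc, "start": start, "quantity": qty}
    if fc == FC_WRITE_SINGLE:
        if len(body) != 4:
            raise RejectedFrame("write single register PDU must be exactly 4 bytes")
        addr, value = struct.unpack(">HH", body)
        return {"tid": tid, "unit": unit, "fc": fc, "address": addr, "value": value}
    raise RejectedFrame(f"function code 0x{fc:02x} not in accepted subset")


def classify(frames):
    """Run the recognizer over frames; return (accepted records, rejected (hex, reason))."""
    accepted, rejected = [], []
    for frame in frames:
        try:
            accepted.append(parse_modbus_tcp(frame))
        except RejectedFrame as exc:
            rejected.append((frame.hex(), str(exc)))
    return accepted, rejected


# Constructed sample traffic for the example (not captured from any real substation).
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),  # read 10 registers from address 0
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),  # write register 0x10 = 0x1234
    bytes.fromhex("0003 0000 0006 01 03 0000 00FF"),  # quantity 255 exceeds 125
    bytes.fromhex("0004 0000 0009 01 03 0000 000A"),  # length field disagrees with bytes present
    bytes.fromhex("0005 0001 0006 01 03 0000 000A"),  # protocol id is not 0
    bytes.fromhex("0006 0000 0006 01 10 0000 0001"),  # function 0x10 is outside the subset
    bytes.fromhex("0007 0000 0005 01 03 0000 00"),    # PDU truncated to 3 data bytes
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_FRAMES)
    for rec in ok:
        print("ACCEPT", rec)
    for hexframe, reason in bad:
        print("REJECT", hexframe, "->", reason)
```

The design point is that each rejection happens on a structural check (header length, protocol id, length consistency, allowlisted function code, exact PDU size, bounded quantity) rather than on a signature of known-bad content, so a frame a device has never seen before is still refused unless it is provably inside the subset; a device-side parser built this way is what keeps malformed or hostile packets from reaching the firmware logic that would otherwise interpret them.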
Results & Impacts
- In sponsor exercises, TIGR was able to identify the devices, protocols, and malware found inside an example substation.
- Standalone TIGR prototypes are currently under construction.