Intrusion detection for resource-constrained embedded control systems in the power grid

Abstract The power grid depends on embedded control systems or SCADA systems to function properly. Securing these systems presents unique challenges—in addition to the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are non-negotiable, and their massive scale greatly amplifies costs such as power consumption. Together, these constraints make the conventional approach to host intrusion detection–using a hypervisor to create a safe environment from which a monitoring entity can operate–too costly or impractical for embedded control systems in the critical infrastructure. This paper discusses the design and implementation of Autoscopy, an experimental host-based intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to identify control-flow anomalies, which are most often caused by rootkits that hijack kernel hooks. The paper presents the concepts underlying the original Autoscopy prototype, highlights some of the issues that arose from it, and introduces the new system, dubbed Autoscopy Jr., which addresses the issues. Tests on non-embedded systems demonstrated that the monitoring scope could be managed to limit Autoscopy Jr.’s performance impact on its host to under 5%. The paper also describes the use of an optimized probe framework to reduce overhead and the test results obtained for a hardened kernel. The results demonstrate that Autoscopy Jr.’s design and effectiveness render it uniquely suited to intrusion detection for SCADA systems.