Stealthy Rootkits in Smart Grid Controllers

2019 IEEE 37th International Conference on Computer Design (ICCD) (2019)

Abstract
This paper presents a stealthy and persistent attack on a Cyber-Physical System (CPS), namely the smart grid, and a multi-layer approach to detect such an attack. The attack on the CPS controller uses a rootkit-based malware. When activated, the rootkit overwrites operator commands to the smart grid relays while evading detection by the operator control station. The rootkit sends valid replies to the operator while corrupting the controller operation through a dynamically loaded library, which is hidden by the rootkit. The attack persists even when the controller stops and restarts, since the rootkit automatically restarts the process with the malicious library by using a background daemon, which the rootkit hides from user-space tools. Using a high-fidelity simulation of the smart grid CPS, we show that the attack drastically impacts the CPS, especially when the adversary strategically chooses the target relays to attack. We design an ensemble of detectors to detect the attack and uncover its persistence and insertion mechanisms. The detector uses measures such as hardware performance counters (HPCs), change detection in binary signatures, change detection in system calls, and detection of hidden processes and file system entries.
Keywords
Anomaly Detection, Cyber Security, Rootkit, Stealthy Attacks, Actuator Spoofing, Programmable Logic Controller, Malware, Power Grid Resiliency, Resilient Control