A Cyber-Physical System (CPS) infrastructure includes various CPS equipment, such as Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Intelligent Electronic Devices (IEDs), that collect data from the infrastructure and monitor the health of its operations in real time. However, attackers can compromise CPS devices, or they can deploy fake equipment that mimics real CPS devices in order to gain access to critical resources within a CPS infrastructure. Similarly, CPS device manufacturers can use unauthorized or untrusted hardware components during device fabrication, resulting in compromised CPS devices that can be a serious threat to the integrity of the CPS infrastructure. Such devices, which can already be part of an authorized CPS infrastructure, can poison measurements, steal or leak sensitive information to outsiders, etc. Traditional security mechanisms may not be sufficient to prevent such attacks stemming from these CPS devices.
In general, device fingerprinting has followed two main paths: device host fingerprinting (identifying an individual device) and device class fingerprinting (identifying a device's type or model). A great variety of techniques have been proposed for device host fingerprinting, for example, large-scale host fingerprinting via motion sensors, or via microscopic deviations in clock skew, to uniquely identify individual devices.
In general, results from different works agree that clock-skew-based fingerprinting is especially vulnerable to simple countermeasures and also requires the analysis of several network packets for accurate results. It can be demonstrated that clock skew alone cannot be used as a unique fingerprinting method. Embedded acoustic components (microphones and speakers) on smartphones can be used to uniquely fingerprint individual devices. Although accuracies of around 98% are reported for this method, these results were obtained only at close range (0.1 meters). For distances between 1 and 2 meters the accuracy decreases to between 92% and 88%, and it falls further, to about 65%, at distances around 5 meters. In other approaches, the frequency responses of devices' speakers were used to identify individual devices. As in the previous case, different types of acoustic interference limit the applicability of these methods.
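The two weaknesses of clock-skew fingerprinting named above (the need for many packets and the ease of countermeasures) are easiest to see with a worked estimator. The following is an added example, not code from the original document or from any of the works it surveys: it estimates a sender's clock skew from the TCP timestamp option (TSval) in captured packets, in the spirit of Kohno et al.'s remote physical device fingerprinting, then shows what happens when the sender randomizes its TSval offset per connection. The 1 kHz timestamp clock, the least-squares fit (Kohno et al. fit a line beneath the points to discount queuing delay), and all packet traces are assumptions or constructions of this example.

```python
"""
Added example, not code from the original document: estimating a remote
device's clock skew from the TCP timestamp option (TSval) carried in its
packets. All packet traces are constructed inline, not captured.
"""
from typing import List, Optional, Tuple

# One captured packet: (local arrival time in seconds, TSval from its TCP header).
Sample = Tuple[float, int]


def estimate_skew_ppm(samples: List[Sample], tsval_hz: float = 1000.0) -> Optional[float]:
    """Least-squares estimate of the sender's clock skew in parts per million.

    For packet i, the sender's elapsed time is (tsval_i - tsval_0) / tsval_hz
    and the observer's is arrival_i - arrival_0. If the sender's clock runs
    fast or slow, the difference between the two grows linearly with time;
    the slope of that line is the skew. An ordinary least-squares fit is used
    here as a simplification (assumption of this example).
    """
    if len(samples) < 2:
        return None
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) / tsval_hz - x for (_, ts), x in zip(samples, xs)]
    n = len(xs)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    if sxx == 0.0:
        return None
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    return (sxy / sxx) * 1e6


def synth_trace(skew_ppm: float, start: float = 0.0, stop: float = 600.0,
                step: float = 10.0, tsval_offset: int = 0,
                tsval_hz: float = 1000.0) -> List[Sample]:
    """Constructed trace: one packet every `step` seconds from a sender whose
    clock runs `skew_ppm` fast, stamped with a 1 kHz TSval and delivered with
    a small deterministic network delay (0 to 0.5 ms) so the points do not
    lie on a perfect line."""
    samples = []
    i = 0
    while start + i * step <= stop + 1e-9:
        t = start + i * step
        delay = 0.0005 * ((i * 7) % 5) / 4.0
        tsval = tsval_offset + int(round(t * (1.0 + skew_ppm * 1e-6) * tsval_hz))
        samples.append((t + delay, tsval))
        i += 1
    return samples


def randomized_offset_connections(skew_ppm: float) -> Tuple[List[Sample], List[Sample]]:
    """The simple countermeasure: the same device opens two connections but
    starts each TSval sequence at a different offset (per-connection
    timestamp randomization). Fixed constants stand in for the random
    offsets so the example is deterministic."""
    conn1 = synth_trace(skew_ppm, start=0.0, stop=300.0, tsval_offset=17)
    conn2 = synth_trace(skew_ppm, start=310.0, stop=600.0, tsval_offset=123456789)
    return conn1, conn2


def demo(true_skew_ppm: float = 50.0):
    """Returns (single-connection estimate, naive cross-connection estimate,
    per-connection estimates) for a device with the given true skew."""
    single = estimate_skew_ppm(synth_trace(true_skew_ppm))
    conn1, conn2 = randomized_offset_connections(true_skew_ppm)
    naive = estimate_skew_ppm(conn1 + conn2)          # ignores the offset jump
    per_conn = [estimate_skew_ppm(c) for c in (conn1, conn2)]
    return single, naive, per_conn


if __name__ == "__main__":
    single, naive, per_conn = demo()
    print(f"single connection, 61 packets: {single:.1f} ppm")
    print(f"two connections fitted together: {naive:.0f} ppm (meaningless)")
    print("fitted per connection:", [f"{p:.1f}" for p in per_conn])
```

With 61 packets spread over ten minutes the estimate lands within a few ppm of the true 50 ppm; the same device fitted across two connections with different TSval offsets yields a nonsensical slope, and the observer is forced back to fitting each connection separately, which needs enough packets per connection to average out the 1 ms timestamp quantization and path delay. Disabling the timestamp option removes the signal entirely.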
Certain device fingerprinting approaches characterize a device's behavior in response to specific network packets (a stimulus sent to the device, also known as active fingerprinting), or simply by observing the device's traffic under regular network operation (passive fingerprinting). In spite of positive results, these types of fingerprinting techniques also come with limitations. In some cases, the proposed techniques only apply to specific network protocols (e.g., transport layer protocols such as UDP or TCP). In other cases, the methods are sensitive to system updates and/or to network dynamics such as WiFi channel characteristics, delay, etc.
As for the identification of different classes of devices, a passive black-box technique can be applied to determine the type of access point (AP) connected to a network. Although it is possible to fingerprint different device classes in this way, including different types of APs, the technique can be limited to specific types of devices connected to the network. Another approach uses time as the baseline for device type fingerprinting. In this case, two fingerprinting methods can be used: (1) response time to network-based interactions (cross-layer fingerprinting) and (2) response time to physical operations (physical fingerprinting). However, the first approach depends on the interaction of the unknown device to be identified with other devices in the network, and therefore on network attributes such as the priority level of TCP messages and the ACK implementation. Further, the second approach depends on the SCADA system configuration. Since these methods take advantage of characteristics unique to ICS networks, their practical implementation is limited to certain networks. Another approach for passive device class fingerprinting uses the distribution of timing between packets. However, its implementation is limited to local area networks (LANs), since the delay introduced by switches and routers can significantly impact the accuracy of the approach.
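The last approach above, passive class fingerprinting from packet timing distributions, and its LAN-only limitation can be shown concretely. The following is an added example, not code from the original document or from the work it describes: it builds a per-class signature from a normalized histogram of inter-arrival times, classifies an unknown trace by nearest signature, and then feeds the same device's traffic through a constructed routed path whose queuing delay spreads the inter-arrival distribution until no signature matches. The device classes, the 2 ms bin width, the L1 distance, the 1.0 rejection threshold, and all traces are constructions of this example.

```python
"""
Added example, not code from the original document: passive device-class
fingerprinting from the distribution of packet inter-arrival times (IATs),
and the effect of a routed path on it. All traces are constructed, not
captured; class names and parameters are hypothetical.
"""
from typing import Callable, Dict, List, Optional

BIN_MS = 2.0
NUM_BINS = 100   # covers IATs from 0 to 200 ms; larger values land in the last bin


def iat_histogram(arrivals_s: List[float]) -> List[float]:
    """Normalized histogram of inter-arrival times: the device-class signature."""
    iats_ms = [(b - a) * 1000.0 for a, b in zip(arrivals_s, arrivals_s[1:])]
    hist = [0.0] * NUM_BINS
    for iat in iats_ms:
        idx = min(max(int(iat // BIN_MS), 0), NUM_BINS - 1)
        hist[idx] += 1.0
    return [h / len(iats_ms) for h in hist]


def l1_distance(h1: List[float], h2: List[float]) -> float:
    """L1 distance between two normalized histograms; ranges from 0 to 2."""
    return sum(abs(a - b) for a, b in zip(h1, h2))


def classify(arrivals_s: List[float], signatures: Dict[str, List[float]],
             threshold: float = 1.0) -> Optional[str]:
    """Nearest-signature class, or None when nothing is close enough."""
    hist = iat_histogram(arrivals_s)
    name, dist = min(((cls, l1_distance(hist, sig)) for cls, sig in signatures.items()),
                     key=lambda p: p[1])
    return name if dist <= threshold else None


def synth_arrivals(period_ms: float, n: int = 200, phase: int = 0,
                   path_delay_ms: Optional[Callable[[int], float]] = None) -> List[float]:
    """Constructed arrival times (seconds) for a device that transmits every
    `period_ms` with +/-0.2 ms of sender-side jitter. `path_delay_ms(k)`, when
    given, models per-packet queuing delay added by switches and routers."""
    arrivals = []
    for k in range(n):
        jitter = 0.1 * ((((k + phase) * 3) % 5) - 2)   # -0.2 .. +0.2 ms
        delay = path_delay_ms(k) if path_delay_ms else 0.0
        arrivals.append((k * period_ms + jitter + delay) / 1000.0)
    return arrivals


def routed_queue_delay(k: int) -> float:
    """Constructed queuing delay on a routed path: 0, 6, 4, 2 ms repeating."""
    return 2.0 * ((k * 3) % 4)


def build_signatures() -> Dict[str, List[float]]:
    """Signatures learned on the LAN for two hypothetical classes: a PLC polled
    every 11 ms and an IED reporting every 51 ms."""
    return {
        "plc_polling": iat_histogram(synth_arrivals(11.0, n=300)),
        "ied_reporting": iat_histogram(synth_arrivals(51.0, n=300)),
    }


def demo():
    """Classify a PLC trace seen on the LAN, an IED trace seen on the LAN, and
    the same PLC traffic observed behind a routed path."""
    sigs = build_signatures()
    on_lan = classify(synth_arrivals(11.0, phase=2), sigs)
    other_class = classify(synth_arrivals(51.0, phase=3), sigs)
    routed = classify(synth_arrivals(11.0, phase=2, path_delay_ms=routed_queue_delay), sigs)
    return on_lan, other_class, routed


if __name__ == "__main__":
    print(demo())
```

On the LAN the sender jitter stays inside one 2 ms bin, so each class collapses to a single histogram bin and the two classes sit at the maximum L1 distance of 2.0 from each other. Behind the routed path the alternating queuing delay turns the 11 ms period into a mix of roughly 17 ms and 9 ms gaps, which land in different bins from the learned signature; the nearest-signature distance reaches the maximum and the classifier correctly reports no match rather than guessing.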
As discussed herein, a host-based solution does not require an external stimulus (special network packets, audio tones, etc.) to achieve results, and it analyzes the behavior of devices rather than of users. This technique does not require traffic monitoring or study of the interaction of the devices with other network equipment, and it is lightweight. It can study device behavior while the devices perform their normal functions and operations. As more resource-limited devices (e.g., CPS, IoT, and IIoT devices) are introduced in the market, the simple device and class/type identification technique based on device fingerprinting presented in this work will be very beneficial.