Stealthy Attack Against Redundant Controller Architecture of Industrial Cyber-Physical System

In an industrial cyber-physical system (iCPS), the controller plays a critical role in guaranteeing reliability and stability. Therefore, redundant controller architecture is a well-adopted approach by distributed control systems (DCS), supervisory control and data acquisition (SCADA), and other typical iCPSs. They monitor and control the critical industrial process, such as power generation, chemical industry, water treatment plant, etc. Redundant controller architecture has been designed and largely implemented in response to unpredictable mechanical failures. However, this structure initially proposed for guaranteeing reliability and safety may expand the cyber-attack surface, posing the risk that an attacker may take advantage of this architecture for stealthy attacks. In this article, we analyze the vulnerability arising from the redundant controller architecture and propose a combined attack methodology against these redundant controller architecture systems in a stealthy manner. We find several 0-day vulnerabilities of the real-world devices from three manufacturers and further implement the combined attack over these devices. Our experimental results over various types of real-world devices show that the redundant controller architecture can be exploited to compromise all tested systems stealthily. We also present guidelines for mitigating this risk.