Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/tcsii.2020.2999875

2020-01-01

Abstract:In this brief, we analyze the damage caused by malware-induced cyber attacks in Cyber-Physical Power Systems (CPPSs). Incubation period and detection probability of the malware are considered in our analytical framework. From attacker's perspective, the trade-off between attack effectiveness and detection risk is studied to help choose the best attack timing and obtain the maximum payoff. Moreover, we conduct case studies in CPPSs formed by coupling IEEE 118-Bus System with scale-free communication networks. Simulation results reveal that the maximum expected payoff for the attacker is affected by the coupling pattern and the structure of communication network in CPPSs.

Andrew Prout,Albert Reuther,Michael Houle,Michael Jones,Peter Michaleas,LaToya Anderson,William Arcand,Bill Bergeron,David Bestor,Alex Bonn,Daniel Burrill,Chansup Byun,Vijay Gadepally,Matthew Hubbell,Hayden Jananthan,Piotr Luszczek,Lauren Milechin,Guillermo Morales,Julie Mullen,Antonio Rosa,Charles Yee,Jeremy Kepner

2024-09-17

Abstract:HPC systems used for research run a wide variety of software and workflows. This software is often written or modified by users to meet the needs of their research projects, and rarely is built with security in mind. In this paper we explore several of the key techniques that MIT Lincoln Laboratory Supercomputing Center has deployed on its systems to manage the security implications of these workflows by providing enforced separation for processes, filesystem access, network traffic, and accelerators to make every user feel like they are running on a personal HPC.

Distributed, Parallel, and Cluster Computing

Mengxiang Liu,Zexuan Jin,Jinhui Xia,Mingyang Sun,Ruilong Deng,Peng Cheng

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484453

2021-01-01

Abstract:In DC microgrids (DCmGs), distributed control is becoming a promising framework due to prominent scalability and efficiency. To transmit essential data and information for system control, various communication network topologies and protocols have been employed in modern DCmGs. However, such communication also exposes the DCmG to unexpected cyber attacks. In this demo, a scalable cyber security testbed is established for conducting hardware-in-the-loop (HIL) exper-iments and comprehensively investigating the security impact on DCmGs. Specifically, the testbed employs a Typhoon HIL 602+ emulator, which is professional in power electronics system emulation, to demonstrate four (12 at most) distributed energy resources (DERs). The communication network is implemented through the self-loop RS-232 interface. Based on the testbed, we systematically investigate the impact of two kinds of typical cyber attacks (i.e., false data injection and replay attacks). Experimental results show that both attacks will deteriorate the point-of-common coupling (PCC) voltages of the DERs and jeopardize the stability of the whole DCmG.

Andrew Prout,William Arcand,David Bestor,Bill Bergeron,Chansup Byun,Vijay Gadepally,Matthew Hubbell,Michael Houle,Michael Jones,Peter Michaleas,Lauren Milechin,Julie Mullen,Antonio Rosa,Siddharth Samsi,Albert Reuther,Jeremy Kepner

DOI: https://doi.org/10.1109/HPEC.2016.7761641

2016-07-11

Abstract:HPC systems traditionally allow their users unrestricted use of their internal network. While this network is normally controlled enough to guarantee privacy without the need for encryption, it does not provide a method to authenticate peer connections. Protocols built upon this internal network must provide their own authentication. Many methods have been employed to perform this authentication. However, support for all of these methods requires the HPC application developer to include support and the user to configure and enable these services. The user-based firewall capability we have prototyped enables a set of rules governing connections across the HPC internal network to be put into place using Linux netfilter. By using an operating system-level capability, the system is not reliant on any developer or user actions to enable security. The rules we have chosen and implemented are crafted to not impact the vast majority of users and be completely invisible to them.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Fan Zhang,Qianmei Wu,Bohan Xuan,Yuqi Chen,Wei Lin,Christopher M. Poskitt,Jun Sun,Binbin Chen

DOI: https://doi.org/10.1109/tse.2023.3309330

2020-01-01

Abstract:Cyber-physical systems (CPSs) automating critical public infrastructure face a pervasive threat of attack, motivating research into different types of countermeasures. Assessing the effectiveness of these countermeasures is challenging, however, as benchmarks are difficult to construct manually, existing automated testing solutions often make unrealistic assumptions, and blindly fuzzing is ineffective at finding attacks due to the enormous search spaces and resource requirements. In this work, we propose active sensor fuzzing , a fully automated approach for building test suites without requiring any a prior knowledge about a CPS. Our approach employs active learning techniques. Applied to a real-world water treatment system, our approach manages to find attacks that drive the system into 15 different unsafe states involving water flow, pressure, and tank levels, including nine that were not covered by an established attack benchmark. Furthermore, we successfully generate targeted multi-point attacks which have been long suspected to be possible. We reveal that active sensor fuzzing successfully extends the attack benchmarks generated by our previous work, an ML-guided fuzzing tool, with two more kinds of attacks. Finally, we investigate the impact of active learning on models and the reason that the model trained with active learning is able to discover more attacks.

Denys Mishchenko,Irina Oleinikova,László Erdődi,Basanta Raj Pokhrel

DOI: https://doi.org/10.1109/access.2024.3375401

IF: 3.9

2024-03-19

IEEE Access

Abstract:The rapid digitalization of power systems involves enhanced interconnectivity, intelligence, and cost-efficiency across all components. In the era of Industry 5.0, the criticality of energy supply makes power systems prime targets for attacks, highlighting the need for the creation and evaluation of solutions against cyber-physical threats. Testbeds have emerged as essential tools for these purposes by representing real-world power systems in controlled environments and simulating cyber-physical attack-defense experiments. This paper introduces a Cyber-Physical Security (CPS) testbed rooted in the Smart Grid Architecture Model (SGAM) and developed adversary setup within the National Smart Grid Laboratory at the Norwegian University of Science and Technology. By adhering to the SGAM framework, this study delves into the classification and assessment of threats within the structure of the CPS testbed, examining vulnerabilities at distinct structural levels. Significantly, the strategic placement of the adversary setup within these levels enables a comprehensive evaluation of cyber-physical vulnerabilities in simulated systems, thereby facilitating the assessment of protective measures. Furthermore, this research presents case studies using three data sources as an aggregated dynamic power system model simulated in the real-time digital simulator OPAL-RT, real power grid, and playback of previously recorded data frames using virtual phasor measurement units functionality. The focus of this work is on the analysis of the five most common cyberattacks on power systems, such as passive and active reconnaissance, interruption in communication, TCP packet injection, and men-in-the-middle attacks utilizing the C37.118.2-2011 protocol. The results of the case studies illustrate the framework for the adversary setup and provide proof-of-concept attack scenarios for evaluation purposes. As part of future work, we intend to expand upon this research with a defender setup and implement more sophisticated, stealthy attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ayush Kumar,David K. Yau

2023-07-06

Abstract:In this work, we propose a testbed environment to capture the attack strategies of an adversary carrying out a cyber-attack on an enterprise network. The testbed contains nodes with known security vulnerabilities which can be exploited by hackers. Participants can be invited to play the role of a hacker (e.g., black-hat, hacktivist) and attack the testbed. The testbed is designed such that there are multiple attack pathways available to hackers. We describe the working of the testbed components and discuss its implementation on a VMware ESXi server. Finally, we subject our testbed implementation to a few well-known cyber-attack strategies, collect data during the process and present our analysis of the data.

Cryptography and Security

Yuqi Chen,Bohan Xuan,Christopher M. Poskitt,Jun Sun,Fan Zhang

DOI: https://doi.org/10.1145/3395363.3397376

2020-07-16

Abstract:Cyber-physical systems (CPSs) in critical infrastructure face a pervasive threat from attackers, motivating research into a variety of countermeasures for securing them. Assessing the effectiveness of these countermeasures is challenging, however, as realistic benchmarks of attacks are difficult to manually construct, blindly testing is ineffective due to the enormous search spaces and resource requirements, and intelligent fuzzing approaches require impractical amounts of data and network access. In this work, we propose active fuzzing, an automatic approach for finding test suites of packet-level CPS network attacks, targeting scenarios in which attackers can observe sensors and manipulate packets, but have no existing knowledge about the payload encodings. Our approach learns regression models for predicting sensor values that will result from sampled network packets, and uses these predictions to guide a search for payload manipulations (i.e. bit flips) most likely to drive the CPS into an unsafe state. Key to our solution is the use of online active learning, which iteratively updates the models by sampling payloads that are estimated to maximally improve them. We evaluate the efficacy of active fuzzing by implementing it for a water purification plant testbed, finding it can automatically discover a test suite of flow, pressure, and over/underflow attacks, all with substantially less time, data, and network access than the most comparable approach. Finally, we demonstrate that our prediction models can also be utilised as countermeasures themselves, implementing them as anomaly detectors and early warning systems.

Software Engineering,Cryptography and Security,Machine Learning

Junho Hong,Ying Chen,Chen-Ching Liu,Manimaran Govindarasu

DOI: https://doi.org/10.1007/978-3-662-45928-7_10

2015-01-01

Abstract:The physical system of the power grids relies on the cyber system for monitoring, control, and operation. As a result, the reliable operation of power grids is highly dependent on the associated cyber infrastructures. The integrated cyber and physical system of power grids creates a large and complex infrastructure. Due to the high penetration of Information and Communications Technology (ICT), Supervisory Control And Data Acquisition (SCADA) systems are highly interconnected with one another, resulting in higher vulnerability with respect to cyber intrusions. Recent reports indicate that cyber-attacks are increasingly likely for the critical infrastructures, e.g., control centers, nuclear power plants, and substations. These attacks may cause significant damages on the power grid. Cyber security research for the power grid is a high priority subject for the emerging smart grid environment.Substations in the power grid are critical as they are installed with power system components such as transformers, busbars, circuit breakers, and Intelligent Electronic Devices (IEDs). Measurements from substations are used as input to Energy Management System (EMS) software applications, including state estimation and optimal power flow. These cyber and physical devices can be physically or electrically connected. For example, a protection and control unit of a transformer is connected to the user-interface via the substation local area network.Remote access to substation networks is a common way for maintenance of substation facilities. However, there are many potential cyber security issues including remote access connection. Simultaneous cyber intrusions to important substations may trigger multiple, cascaded sequences of events, leading to a blackout. As a result, it is crucial to enhance the cyber security of substations and analyze cyber and physical security as one integrated structure in order to enhance the resilience of power grids. The mitigation strategy is vital to cyber-physical security of substations in order to stop the attack, disconnect the intruder, and restore the power system to a normal state. Mitigation methods can be taken on the cyber (ICT) side and physical (power system) side. The key to cyber mitigation is to find anomaly activities or malicious behaviors, and disconnect or stop the intrusion.A cyber-physical testbed is critical for the study of cyber-physical security of power systems. For reason of security by power companies, real measurements (e.g., voltages, currents and binary status) and ICT data (e.g., communication protocols, system logs, and security logs) are not available. A testbed is a good alternative to acquire realistic cyber (i.e., ICT data) and physical (i.e., power system measurements) system data for research and demonstration purposes. The cyber-physical testbed provides a realistic environment to study the interactions between a complex power system and the ICT system. It is important to study the cause-effect relationships of cyber intrusions, vulnerability and resilience of power systems, as well as the performance and reliability of applications in a realistic environment provided by a testbed.

Shishir Kumar Shandilya,Saket Upadhyay,Ajit Kumar,Atulya K. Nagar

DOI: https://doi.org/10.1016/j.future.2021.09.018

IF: 7.307

2022-02-01

Future Generation Computer Systems

Abstract:In the current ever-changing cybersecurity scenario, active cyber defense strategies are imperative. In this work, we present a standard testbed to measure the efficacy and efficiency of customized networks while analyzing various parameters during the active attack. The presented testbed can be used for analyzing the network behavior in presence of various types of attacks and can help in fine-tuning the proposed algorithm under observation. The proposed testbed will allow users to design, implement, and evaluate the active cyber defense mechanisms with good library support of nature-inspired and AI-based techniques. Network loads, number of clusters, types of home networks, and number of nodes in each cluster and network can be customized. While using the presented testbed and incorporating active-defense strategies on existing network architectures, users can also design and propose new network architectures for effective and safe operation. In this paper, we propose a unified and standard testbed for cyber defense strategy simulation and bench-marking, which would allow the users to investigate current approaches and compare them with others, while ultimately aiding in the selection of the best approach for a given network security situation. We have compared the network performance in difference scenarios namely, normal, under attack and under attack in presence of NICS-based adaptive defense mechanism and achieved stable experimental results. The experimental results clearly show that the proposed testbed is able to simulate the network conditions effectively with minimum efforts in network configuration. The simulation results of defense mechanisms verified on the proposed testbed got the improvement on almost 80 percent while increasing the turnaround time to 1–2 percent. The applicability of proposed testbed in modern technologies like Fog Computing and Edge Computing is also discussed in this paper.

Talaya Farasat,JongWon Kim,Joachim Posegga

2024-10-24

Abstract:This paper introduces a Testbed designed for generating network traffic, leveraging the capabilities of containers, Kubernetes, and eBPF/XDP technologies. Our Testbed serves as an advanced platform for producing network traffic for machine learning based network experiments. By utilizing this Testbed, we offer small malicious network traffic dataset publically that satisfy ground truth property completely.

Cryptography and Security,Networking and Internet Architecture

Fan Zhang,Jamie B. Coble

DOI: https://doi.org/10.1016/j.pnucene.2020.103446

IF: 2.461

2020-10-01

Progress in Nuclear Energy

Abstract:Most nuclear power plants (NPPs) are looking deploying digital instrumentation and control (I&C) systems, which allow for more precise control and more economical operation. However, both the quantity and capability of industrial control system (ICS)-targeted cyber-attacks have grown dramatically over recent years. Therefore, one of the most significant challenges that digital I&C systems bring is the issue of cybersecurity, which should be enhanced before their deployment.Several different types of cyber-attacks can be introduced to NPPs; a false data injection attack on key equipment is the focus of this research due to the potential severe consequences associated with such an attack. In false data injection, the attackers may alter the reading of control sensors or commands to change the operation of an NPP. Current cybersecurity efforts focus on intrusion prevention by firewalls or data-flow direction control and use commercial intrusion detection systems, which usually focus on monitoring Internet Protocol (IP) addresses, ports, and payload length. However, attention should be given to conditions where these approaches can fail, such as an insider attack. Previous research based on process data shows the potential of a last defenseâ, line using online monitoring of the process data in concern with cyber data analysis. However, existing models involve different subsystems across the whole NPP, which has a wide attack surface and may require high computing cost. This holistic approach may not meet the time-sensitive requirements imposed upon I&C systems. This paper proposes a localized kit for key equipment in a process as a complementary detection method to improve the robustness of key equipment under cyber-attacks. Compared to existing models, this reduces the number of variables used in the model and significantly improves the computational speed. It also reduces the attack surface by limiting the data acquisition locally. This localized kit includes a cyber-attack detection model to detect anomalies within key components, such as the control system actuator, and an inference model to potentially reconstruct a compromised signal to allow the safe shut down.To develop and demonstrate the localized cybersecurity kit, a hardware-in-the-loop (HIL) testbed was built with a pressurized water reactor (PWR) simulator and a programmable logical controller (PLC). The PLC was programmed to control the steam generator (SG) water level at a specified set point, and the PWR simulator was utilized to simulate the nuclear system and response for parameters outside of the SG. Three false data injection attacks were conducted towards the testbed to generate the data needed for the localized kit development and evaluation. The results show the cyber-attack detection model is effective under false data injection scenarios and the inference model is promising as a signal reconstruction method.

nuclear science & technology

A. Gomez Ramirez,M. Martinez Pedreira,C. Grigoras,L. Betev,C. Lara,U. Kebschull

DOI: https://doi.org/10.1088/1742-6596/898/10/102004

2017-04-16

Abstract:High Energy Physics (HEP) distributed computing infrastructures require automatic tools to monitor, analyze and react to potential security incidents. These tools should collect and inspect data such as resource consumption, logs and sequence of system calls for detecting anomalies that indicate the presence of a malicious agent. They should also be able to perform automated reactions to attacks without administrator intervention. We describe a novel framework that accomplishes these requirements, with a proof of concept implementation for the ALICE experiment at CERN. We show how we achieve a fully virtualized environment that improves the security by isolating services and Jobs without a significant performance impact. We also describe a collected dataset for Machine Learning based Intrusion Prevention and Detection Systems on Grid computing. This dataset is composed of resource consumption measurements (such as CPU, RAM and network traffic), logfiles from operating system services, and system call data collected from production Jobs running in an ALICE Grid test site and a big set of malware. This malware was collected from security research sites. Based on this dataset, we will proceed to develop Machine Learning algorithms able to detect malicious Jobs.

Distributed, Parallel, and Cluster Computing,Artificial Intelligence,Cryptography and Security,High Energy Physics - Experiment

Sibin Mohan,Stanley Bak,Emiliano Betti,Heechul Yun,Lui Sha,Marco Caccamo

DOI: https://doi.org/10.48550/arXiv.1202.5722

2012-02-26

Cryptography and Security

Abstract:Until recently, cyber-physical systems, especially those with safety-critical properties that manage critical infrastructure (e.g. power generation plants, water treatment facilities, etc.) were considered to be invulnerable against software security breaches. The recently discovered 'W32.Stuxnet' worm has drastically changed this perception by demonstrating that such systems are susceptible to external attacks. Here we present an architecture that enhances the security of safety-critical cyber-physical systems despite the presence of such malware. Our architecture uses the property that control systems have deterministic execution behavior, to detect an intrusion within 0.6 {\mu}s while still guaranteeing the safety of the plant. We also show that even if an attack is successful, the overall state of the physical system will still remain safe. Even if the operating system's administrative privileges have been compromised, our architecture will still be able to protect the physical system from coming to harm.

Zhigang Chu,Andrea Pinceti,Ramin Kaviani,Roozbeh Khodadadeh,Xingpeng Li,Jiazi Zhang,Karthik Saikumar,Mostafa Sahraei-Ardakani,Christopher Mosier,Robin Podmore,Kory Hedman,Oliver Kosut,Lalitha Sankar

DOI: https://doi.org/10.48550/arXiv.2104.13908

2021-04-29

Abstract:In this paper, we investigate the feasibility and physical consequences of cyber attacks against energy management systems (EMS). Within this framework, we have designed a complete simulation platform to emulate realistic EMS operations: it includes state estimation (SE), real-time contingency analysis (RTCA), and security constrained economic dispatch (SCED). This software platform allowed us to achieve two main objectives: 1) to study the cyber vulnerabilities of an EMS and understand their consequences on the system, and 2) to formulate and implement countermeasures against cyber-attacks exploiting these vulnerabilities. Our results show that the false data injection attacks against state estimation described in the literature do not easily cause base-case overflows because of the conservatism introduced by RTCA. For a successful attack, a more sophisticated model that includes all of the EMS blocks is needed; even in this scenario, only post-contingency violations can be achieved. Nonetheless, we propose several countermeasures that can detect changes due to cyber-attacks and limit their impact on the system.

Systems and Control

Bo Mei,Zhengbin Zhu,Peijie Li,Bo Zhao

DOI: https://doi.org/10.1049/2024/2023349

2024-04-12

IET Information Security

Abstract:System on Wafer (SoW) based on chiplets may be implanted with hardware Trojans (HTs) by untrustworthy third-party chiplet vendors. However, traditional HTs protection techniques cannot guarantee complete protection against HTs, which poses a great challenge to the hardware security of SoW. In this paper, we propose a computing architecture based on endogenous security theory—dynamic heterogeneous redundant computing architecture (DHRCA) that can tolerate and detect HTs at runtime. The security of our approach is analyzed by building a generalized stochastic coloring petri net (GSCPN) model of DHRCA. The simulation results based on the GSCPN model show that our method can improve the system security probability to 0.8690 and the system availability probability to 0.9750 in the steady state compared with typical triple-mode redundancy and runtime monitoring methods. Furthermore, the impact of different attack and defense strategies on system security of different methods is simulated and analyzed in this paper.

computer science, information systems, theory & methods

Md Nahid Hossain,Sadegh M Milajerdi,Junao Wang,Birhanu Eshete,Rigel Gjomemo,R Sekar,Scott Stoller,VN Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1801.02062

2018-01-06

Cryptography and Security

Abstract:We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.

Shuvangkar Chandra Das,Tuyen Vu

DOI: https://doi.org/10.48550/arXiv.2207.12610

2022-07-26

Abstract:This paper presents a real-time cyber-physical (CPS) testbed for power systems with different real attack scenarios on the synchrophasors-phasor measurement units (PMU). The testbed focuses on real-time cyber-security emulation with components including a digital real-time simulator, virtual machines (VM), a communication network emulator, and a package manipulation tool. The script-based VM deployment and the software-defined network emulation facilitate a highly-scalable cyber-physical testbed, which enables emulations of a real power system under different attack scenarios such as Address Resolution Protocol (ARP) poisoning attack, Man In The Middle (MITM) attack, False Data Injection Attack (FDIA), and Eavesdropping Attack. The common synchrophasor, IEEE C37.118.2 named pySynphasor has been implemented and analyzed for its security vulnerabilities. The paper also presented an interactive framework for injecting false data into a realistic system utilizing the pySynphasor module. The framework can dissect and reconstruct the C37.118.2 packets, which expands the potential of testing and developing PMU-based systems and their security in detail and benefits the power industry and academia. A case for the demonstration of the FDIA attack on the linear state estimation together with the bad-data detection procedure are presented as an example of the testbed capability.

Cryptography and Security,Optimization and Control