Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Riccardo Colelli,Filippo Magri,Stefano Panzieri,Federica Pascucci

DOI: https://doi.org/10.48550/arXiv.2110.12963

2021-10-25

Cryptography and Security

Abstract:Over the past decade, industrial control systems have experienced a massive integration with information technologies. Industrial networks have undergone numerous technical transformations to protect operational and production processes, leading today to a new industrial revolution. Information Technology tools are not able to guarantee confidentiality, integrity and availability in the industrial domain, therefore it is of paramount importance to understand the interaction of the physical components with the networks. For this reason, usually, the industrial control systems are an example of Cyber-Physical Systems (CPS). This paper aims to provide a tool for the detection of cyber attacks in cyber-physical systems. This method is based on Machine Learning to increase the security of the system. Through the analysis of the values assumed by Machine Learning it is possible to evaluate the classification performance of the three models. The model obtained using the training set, allows to classify a sample of anomalous behavior and a sample that is related to normal behavior. The attack identification is implemented in water tank system, and the identification approach using Machine Learning aims to avoid dangerous states, such as the overflow of a tank. The results are promising, demonstrating its effectiveness.

Dan Zhang,Qing-Guo Wang,Gang Feng,Yang Shi,Athanasios V Vasilakos,Athanasios V. Vasilakos

DOI: https://doi.org/10.1016/j.isatra.2021.01.036

IF: 7.3

2021-01-01

ISA Transactions

Abstract:This paper provides a comprehensive survey on attack detection, secure estimation, and control of ICPSs from the control science perspective, the main content are much more broader than existing survey papers.Classifications of current studies are analyzed and summarized based on different system modeling and analysis methods. In addition, advantages and disadvantage of various methodologies are also discussed. Readers can find out appropriate methods for further research problems quickly from existing results.Cyber-physical systems (CPSs) are complex systems that involve technologies such as control, communication, and computing. Nowadays, CPSs have a wide range of applications in smart cities, smart grids, smart manufacturing and intelligent transportation. However, with integration of industrial control systems with modern communication technologies, CPSs would be inevitably exposed to increasing security threats, which could lead to severe degradation of the system performance and even destruction of CPSs. This paper presents a survey on recent advances on security issues of industrial cyber-physical systems (ICPSs). We specifically discuss two typical kinds of attacks, i.e., Denial-of-Service (DoS) attack and Deception attack, and present recent results in terms of attack detection, estimation, and control of ICPSs. Classifications of current studies are analyzed and summarized based on different system modeling and analysis methods. In addition, advantages and disadvantage of various methodologies are also discussed. Finally, the paper concludes with some potential future research directions on secure ICPSs.

automation & control systems,instruments & instrumentation,engineering, multidisciplinary

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Jianghai Li,Xiaojin Huang

DOI: https://doi.org/10.1299/jsmeicone.2019.27.1813

2019-01-01

The Proceedings of the International Conference on Nuclear Engineering (ICONE)

Abstract:The cyber security problem is posing new challenges to the current safety analysis of nuclear power plants. Historically, analogue control systems in the absence of interactive communications are immune to cyber-attacks; however, digital control systems with extensive interconnection of reprogrammable components are intensely vulnerable to cyber-attacks which shed light on the significance and urgency of the cyber security. The current cyber security approaches, which merely focus on information networks, have not given multi-faceted considerations to instrumentation and control (I&C) systems. The cyber-attack on I&C systems may lead to more severe consequences, including the abnormal change of parameters, the malfunction of equipment, and even the accident condition. The existing cyber security approaches for information networks, such as firewalls, encryption, can enhance the cyber security of I&C systems, but are often insufficient in addressing challenges associate with the I&C systems which link cyber space and physical systems. The defense approach based on physical information should be developed to meet the emerging challenges. In this paper, we propose the cyber-physical security (CPS) approach based on the physical process data for the cyber defense. This approach does not intend to replace current cyber defense mechanisms. It could be served as the last barrier for security defense. The goal of the CPS defense approach is to detect attacks at the beginning of the occurrence of physical process anomalies cause by cyber-attacks. A practical implementation of the CPS approach is proposed and its influence on the existing infrastructure is discussed. The statistical analysis techniques are utilized on physical process data for attack detection. The method of dynamic principal component analysis (dynamic PCA) is employed to characterize the correlation of multiple variables in the normal operational condition. In the abnormal operational occurrence, the chi-square detector is able to distinguish adversarial cyber-attacks from ordinary random failures.

Weijie Hao,Pengchao Yao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/jiot.2021.3088337

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:An industrial cyber–physical system (ICPS) tightly integrating both physical processes and information and communication technologies (ICTs) leads to increasing cyberspace threats and attacks for the critical electrical infrastructure. With the limited defense resources availability, the efficient threat perception and mitigation of potential impacts of cyber attacks are essential to enhance the ICPS operational security. This article proposes an optimal defense resource allocation solution to prioritize the ICPS asset protection based on the distributed network traffic anomaly detection. The traffic anomalies and attack paths can be timely detected simultaneously over multiple security zones of the electrical infrastructure through local computing devices. The defense resource allocation is formulated as a multiobjective optimization (MOO) problem considering the tradeoff among the asset vulnerability, cost, and criticality, and solved by the Pareto optimal solution generation approach. The proposed solution is extensively evaluated using a realistic electrical CPS (ECPS) testbed for a range of cyber-attack scenarios. The numerical results confirm the effectiveness of the proposed distributed anomaly detection model and defense resource allocation strategy for varying defense resource availabilities.

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Robert Mitchell,Ing-Ray Chen

DOI: https://doi.org/10.1145/2542049

IF: 16.6

2014-04-01

ACM Computing Surveys

Abstract:Pervasive healthcare systems, smart grids, and unmanned aircraft systems are examples of Cyber-Physical Systems (CPSs) that have become highly integrated in the modern world. As this integration deepens, the importance of securing these systems increases. In order to identify gaps and propose research directions in CPS intrusion detection research, we survey the literature of this area. Our approach is to classify modern CPS Intrusion Detection System (IDS) techniques based on two design dimensions: detection technique and audit material. We summarize advantages and drawbacks of each dimension’s options. We also summarize the most and least studied CPS IDS techniques in the literature and provide insight on the effectiveness of IDS techniques as they apply to CPSs. Finally, we identify gaps in CPS IDS research and suggest future research areas.

computer science, theory & methods

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lingzi Zhu,Bo Zhao,Weidong Li,Yixuan Wang,Yang An

DOI: https://doi.org/10.1016/j.adhoc.2024.103517

IF: 4.816

2024-04-23

Ad Hoc Networks

Abstract:The networking of industrial cyber–physical systems (CPS) introduces increased security vulnerabilities, necessitating advanced intrusion detection systems (IDS). Many current studies aiming to enhance IDS capabilities leverage Federated Learning (FL) technology for collaborative intrusion detection. However, devices deployed in an industrial setting in a distributed manner are vulnerable to cyber and poisoning attacks. Compromised clients can create malicious parameters to disrupt intrusion detection models, making them ineffective in identifying attacks. Nevertheless, existing FL-based intrusion detection methods exhibit suboptimal performance in detecting malicious clients and resisting poisoning attacks. To address these issues, we propose TICPS, a collaborative intrusion detection framework based on a trustworthy model update strategy to detect cyber threats from industrial CPS. The framework enables multiple industrial CPS to collaboratively construct an intrusion detection model and evaluate the security of each industrial CPS node using an update evaluation mechanism, ensuring effective intrusion detection even in the presence of poisoning. Extensive experiments on real-world industrial CPS datasets demonstrate that TICPS can effectively detect various types of cyber threats targeting industrial CPS. In particular, the framework achieves an intrusion detection accuracy of 94% even when the proportion of malicious agents reaches 80% under three typical poisoning attacks.

computer science, information systems,telecommunications

Bin Liu,Jingzhao Chen,Yong Hu

DOI: https://doi.org/10.1016/j.compind.2022.103609

IF: 10

2022-05-01

Computers in Industry

Abstract:Integrity and availability attacks can cause serious damage to modern industrial cyber-physical systems (ICPS). It is critical to detect and identify these attacks promptly and accurately. This paper investigates the anomaly detection for ICPS in the process industry. Three typical attacks, the Stuxnet-like, denial-of-service, and false data injection, are taken as specific defense targets. We propose to detect anomalies by quantifying the dynamic variations of generalized model implied by operating data, and present a mode division as the novel detection framework. The subspace technique and a quantization method for the amplitude-frequency characteristic deviation are employed to design the detector, which can be deployed independently in the active ICPS and does not cause any loss of control performance. An attack-defense experimental platform is developed to evaluate the detector under the attack scenarios of interest. The results show that the detector can detect any of the three attacks in a maximum of 28 s after the attack onset, and that these attacks can be distinguished by combining the state estimation residuals and system errors.

computer science, interdisciplinary applications

Estelle Hotellier,Franck Sicard,Julien Francq,Stéphane Mocanu

DOI: https://doi.org/10.1016/j.ins.2024.120102

IF: 8.1

2024-01-12

Information Sciences

Abstract:In this paper, we develop a specification-based, process-aware, Intrusion Detection System (IDS) for complex Industrial Control Systems (ICSs). Complex ICSs are distributed and hierarchical control systems built on top of local control loops which are the system's elementary building blocks. Process-aware attacks are sophisticated cyberattacks that aim to compromise the safety of the controlled physical process. Our approach aims to link safety specifications and security properties. Thus, we use international and industry standards specifications concerning local safety, global safety and networks of the industrial process, in order to obtain security properties. The obtained security properties are cybersecurity related requirements. They are translated into security patterns in order to be runtime monitored by our network IDS. This latter relies on a distributed monitoring framework, capturing network traffic between the local loops and the distributed control level, as well as between distributed control and supervisory control. We implemented and evaluated our IDS on a real ICS. We experimentally show that our IDS detects a large spectrum of attacks. We also show that our distributed IDS is scalable since its detection response time as a function of the number of monitored security patterns, is linear. A demonstrator comprising code extracts is made available.

computer science, information systems

Simon D. Duque Antón,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.1905.11701

2019-05-28

Cryptography and Security

Abstract:Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.

A. Chavez,N. Jacobs,C. B. Jones,J. Johnson,A. Summers,S. Hossain‐McKenzie,C. Lai

DOI: https://doi.org/10.1109/CyberPELS.2019.8925064

2019-04-01

Abstract:The integration of communication-enabled grid-support functions in distributed energy resources (DER) and other smart grid features will increase the U.S. power grid's exposure to cyber-physical attacks. Unwanted changes in DER system data and control signals can damage electrical infrastructure and lead to outages. To protect against these threats, intrusion detection systems (IDSs) can be deployed, but their implementation presents a unique set of challenges in industrial control systems (ICSs), New approaches need to be developed that not only sense cyber anomalies, but also detect undesired physical system behaviors. For DER systems, a combination of cyber security data and power system and control information should be collected by the IDS to provide insight into the nature of an anomalous event. This allows joint forensic analysis to be conducted to reveal any relationships between the observed cyber and physical events. In this paper, we propose a hybrid IDS approach that monitors and evaluates both physical and cyber network data in DER systems, and present a series of scenarios to demonstrate how our approach enables the cyber-physical IDS to achieve more robust identification and mitigation of malicious events on the DER system.

Environmental Science,Engineering,Computer Science

Younan Zhao,Peng Gu,Fanglai Zhu,Tianyi Liu,Runjie Shen

DOI: https://doi.org/10.1016/j.amc.2023.127908

IF: 4.397

2023-01-01

Applied Mathematics and Computation

Abstract:In this paper, based on finite-frequency domain H 00 control techniques, security control issues are investigated for a cyber-physical system (CPS) suffering from false data injection (FDI) attacks on sensors and actuators, where the real system in the physical layer is a complex network system . First, for each subsystem of the complex network system, an H 00 proportion integral (PI) observer is designed to estimate the system states and attack signals on the sensors and actuators simultaneously. Second, a state feedback controller with attack compensation is proposed using the estimates of the attack signals and the states. Thus, an observer-based security control strategy against FDI attack is set up and the stability analysis is accomplished by frequency domain H 00 control techniques. Finally, a simulation example is given to illustrate the better performance of the proposed methods compared with the traditional H 00 method.(c) 2023 Elsevier Inc. All rights reserved.

Shan Gao,Junjie Chen,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1155/2023/7010155

IF: 1.968

2023-01-01

Security and Communication Networks

Abstract:With the development of IT technologies, an increasing number of industrial control systems (ICSs) can be accessed from the public Internet (with authentication). In such an open environment, cyberattacks become a serious threat to both ICS system integrity and data privacy. As a countermeasure, anomaly detection systems are often deployed to analyze the network traffic. However, due to privacy regulation, the network packages cannot be directly processed in plaintext in many countries. In this work, we present a privacy-preserving anomaly detection platform for ICS. The platform consists of three nodes running low-latency MPC protocols to evaluate the live network packages using decision trees on the fly with privacy assurance. Our benchmark result shows that the platform can process thousands of packages every ten seconds.

Jian Ding,Chunyi Lu,Bo Li

DOI: https://doi.org/10.1007/s11265-022-01741-y

2022-03-08

Journal of Signal Processing Systems

Abstract:Power systems are playing an unsubstitutable role in industrial production and inhabitant life. With the deepening of integration process over industrialization and informatization in the field of power systems, an increasing number of industrial control devices (e.g., PLC, SCADA) are exposing in the Internet, which are attracting more and more attention from attackers and malicious communities as the great values. It is crucial for organizations to monitor and evaluate the security situation of power systems. In this paper, we propose a data-driven based security situation awareness towards power systems, which can monitor and evaluate the security situations in power systems and send warnings to organizations when the system encounters suspicious threats. Specifically, the proposed framework continuously collects public data related to electric safety and scan for the power control devices exposed on the Internet to grasp the security landscape of power systems around the world. We then deploy an extensible honeypot system in the real environment to real-time perceive the internal security situation of power systems. Finally, we leverage a graph structure to fuse the cyber threats inside and outside the power system for capturing a comprehensive security awareness of power systems. Experimental results show that our framework can detect system threats in real time and protect it from penetration and intrusion effectively.

Mariam Elnour,Mohammad Noorizadeh,Mohammad Shakerpour,Nader Meskin,Khaled Khan,Raj Jain

DOI: https://doi.org/10.1109/access.2023.3303015

IF: 3.9

2023-08-22

IEEE Access

Abstract:In light of the advancement of the technologies used in industrial control systems, securing their operation has become crucial, primarily since their activity is consistently associated with integral elements related to the environment, the safety and health of people, the economy, and many others. This work presents a distributed, machine learning based attack detection and mitigation framework for sensor false data injection cyber-physical attacks in industrial control systems. It is developed using the system's standard operational data and validated using a hybrid testbed of a reverse osmosis plant. A MATLAB/Simulink-based simulation model of the process validated with actual data from a local plant is used. The control system is implemented using Siemens S7-1200 programmable logic controllers with 200SP Distributed Input/Output modules. The proposed solution can be adopted in the existing industrial control systems and demonstrated effective performance in real-time detection and mitigation of actual cyber-physical attacks launched by compromising the communication links between the process and the programmable logic controllers.

computer science, information systems,telecommunications,engineering, electrical & electronic