Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Haixiang Wang,Jiyuan Li,Tianchen Zhang,Huan Ying,Jiajia Han,Xiaoyu Ji

DOI: https://doi.org/10.1109/itnec.2019.8729232

2019-01-01

Abstract:With the continuous development of smart grids, smart meter, one of the typical embedded equipment, is also becoming more intellectualized. Smart meters nowadays are capable of not only recording power consumption, but also uploading information to the electricity supplier for monitoring and billing, which makes the electric power dispatching and usage more efficient and convenient. However, the enhanced functions and computation power of the smart meter renders it more valuable and vulnerable for the adversary to conduct a cyber attack. One of the most common and important security threats of the smart meter is the malicious code due to its widespread and the easy access for adversaries. Therefore, it is of great criticalness to detect malicious code in the smart meters to safeguard the security of smart terminals. In this paper, we propose a novel approach that detects malicious code in embedded terminals, e.g., smart meters, with a Long Short Term Memory (LSTM) network based on the power consumption of the CPU or MCU of the device. The evaluation results demonstrate that the proposed method can effectively detect the malicious code in smart meters with an accuracy as high as 92%.

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1145/3560905.3568521

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Semantic attacks have incurred increasing threats to Industrial Control Systems (ICSs), which manipulate targeted system modules by identifying the physical semantics of variables in Programmable Logic Controllers (PLCs) programs, i.e., the sensing/actuating modules represented by the variables. This is usually (and inefficiently) achieved via manual examination of system documents and long-term observation of system behavior. In this paper, we design ARES, a method that Automatically Reverse Engineers the Semantics of variables in PLC programs without requiring any domain knowledge. ARES is built on the fact that the Supervisory Control And Data Acquisition (SCADA) system monitors the behavior of PLC using a fixed mapping between the variables of program code and data log, and the data log variables are marked with physical semantics. By identifying the mapping between PLC code and SCADA data (i.e., the code-data mapping), ARES reverse engineers the physical semantics of program variables. ARES also sheds light on the preferred practices in implementing control rules that improve the resistance of PLC programs to semantic attacks. We have experimentally evaluated ARES and the recommended implementation practices on two ICS platforms.

Tao Zhao,Xiaoyu Ji,Wenyuan Xu,Aidong Xu,Yixin Jiang,Yang Cao

DOI: https://doi.org/10.1109/ei247390.2019.9061849

2019-01-01

Abstract:With the increase of power terminal devices and IoT devices which are accessed to the power grid, their security issues are becoming more and more important. While the microgrid controllers are served as the central core of the entire microgrid, the attacks on microgrid controllers and other power end devices have been launched in recent years. It's obvious that the current safety protection measures for power end devices are insufficient. However, microgrid controllers cannot be protected by traditional intrusion detection systems or anti-virus software. Motivated by these concerns, this paper proposes a non-intrusive malicious code security monitoring scheme based on a power side channel. The core idea is to measure the power consumption data of the microgrid controller, to extract the power consumption feature, and to identify the abnormality sample through CWRNN neural network to determine whether the microgrid controller is attacked or not. The advantage of this method is that it can effectively detect unknown attacks without modifying the original software system. What's more, the method is evaluated in the experimental test, and the detection accuracy can reach to 92%.

Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Hua Dai,Xin Sun,Jiyuan Li,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/itnec48623.2020.9084649

2020-01-01

Abstract:With the rapid development of the smart grid in recent years, more and more smart devices are applied in the smart grid. As a critical monitoring and control device, the protection relay helps improve safety, reliability, and simplify of the smarter grid. However, due to the lack of effective anomaly detection and protection methods, the relay protectors are vulnerable to different types of attacks. In order to achieve the anomaly detection of the relay protector, we propose a monitoring method based on the power consumption side channel. By collecting the power consumption of the relay protection, we can acquire the features which reflecting the running state of devices from the power consumption and train a machine learning (ML) model. Finally, the anomaly state can be detected by the ML model. The test results on the relay protection platform in the laboratory show that the accuracy of anomaly detection can be up to 99.4%.

Aidong Xu,Yixin Jiang,Yang Cao,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9062014

2019-01-01

Abstract:With the rapid development of information technology and the Internet of Things, the common information technologies are being applied to the power grid. It brings about the tremendous improvement in productivity, yet breaks down the safety barrier, which makes the power grid a popular target for attacks. The Distribution Terminal Unit (DTU) is a critical part of the power grid because of the acts as access points in the substation and controls the grid equipment. However, DTUs are vulnerable to different types of attacks, which can cause significant property loss or even casualties To monitor the operation of DTU, we proposed a real-time monitoring system by analyzing the side-channel information of power consumption. To validate this idea, we design 3 types of attacks and collect the power information separately, then we choose representational power features and machine learning algorithm for detecting those attacks. We validate that it is feasible to detect attacks and achieves a detection accuracy above 99%.

Da-long LIU,Dong-qin FENG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2018.09.014

2018-01-01

Abstract:As industrial control system is threatened by sinusoidal attack, the mathematical model was established using a typical loop of the control system; the Fourier transform and wavelet analysis was used to analyze its different characteristics in the aspect of attack ability and concealment. Then, an algorithm was developed against sinusoidal attack using multi-scale principal component analysis (MSPCA) with online implementation. Simulation of sinusoidal attack on Tenessee Eastman (TE) process show that sinusoidal attack not only causes physical damage, but also conceals the damage. When the frequency of sinusoidal attack is higher, the attack can not be detected by the traditional principal component analysis (PCA) method, meanwhile, our method can detect the attack quickly and accurately.

Zhining Lv,Ziheng Hu,Baifeng Ning,Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1109/CAC48633.2019.8996440

2019-01-01

Abstract:Power industrial terminal is a complex system with high reliability and security. Traditional methods for detecting data anomalies of power industrial terminal fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. In order to solve the problem that it is difficult to predict the operational status of power industrial terminal accurately, a prediction method based on long-term memory (LSTM) neural network is proposed. Considering the variety of data reflecting the operating status of power industrial terminal, choose the ambient temperature system related to the operating status of power industrial terminal as a experiment object. Through experiments, the algorithm has higher prediction effect for the operating status of power industrial terminal.

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2022.3164723

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Programmable logic controllers (PLCs), i.e., the core of control systems, are well-known to be vulnerable to a variety of cyber attacks. To mitigate this issue, we design PLC-Sleuth, a novel noninvasive intrusion detection/localization system for PLCs, which is built on a set of control invariants—i.e., the correlations between sensor readings and the concomitantly triggered PLC commands—that exist pervasively in all control systems. Specifically, taking the system's supervisory control and data acquisition log as input, PLC-Sleuth abstracts/identifies the system's control invariants as a control graph using data-driven structure learning, and then monitors the weights of graph edges to detect anomalies thereof, which is in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both a platform of ethanol distillation system (EDS) and a realistically simulated Tennessee Eastman (TE) process. The results show that PLC-Sleuth can: 1) identify control invariants with 100%/98.11% accuracy for EDS/TE; 2) detect PLC intrusions with 98.33%/0.85 ‰ true/false positives (TPs/FPs) for EDS and 100%/0% TP/FP for TE; and 3) localize intrusions with 93.22%/96.76% accuracy for EDS/TE.

computer science, information systems,telecommunications,engineering, electrical & electronic

Andres Robles-Durazno,Naghmeh Moradpoor,James McWhinnie,Gordon Russell,Inaki Maneru-Marin

DOI: https://doi.org/10.1007/978-3-030-05532-5_7

2018-12-30

Abstract:Critical infrastructures such as nuclear plants and water supply systems are mainly managed through electronic control systems. Such control systems comprise of a number of elements, such as programmable logic controllers (PLC), networking devices, sensors and actuators. With the development of online and networking solutions, such control systems can be managed online. Even though network connected control systems permit users to keep up to date with system operation, it also opens the door to attackers taking advantages of such availability. In this paper, a novel attack vector for modifying PLC memory is proposed, which affects the perceived values of sensors, such as a water flow meter, or the operation of actuators, such as a pump. In addition, this attack vector can also manipulate control variables located in the PLC working memory, reprogramming decision making rules. To show the impact of the attacks in a real scenario, a model of a clean water supply system is implemented on a Festo MPA rig. The results show that the attacks on the PLC memory can have a significant detrimental effect on control system operations. Further, a mechanism of detecting such attacks on the PLC memory is proposed based on monitoring energy consumption and electrical signals using current-measurement sensors. The results show the successful implementation of the novel PLC attacks as well as the feasibility of detecting such attacks.

Bin Liu,Jingzhao Chen,Yong Hu

DOI: https://doi.org/10.1016/j.compind.2022.103609

IF: 10

2022-05-01

Computers in Industry

Abstract:Integrity and availability attacks can cause serious damage to modern industrial cyber-physical systems (ICPS). It is critical to detect and identify these attacks promptly and accurately. This paper investigates the anomaly detection for ICPS in the process industry. Three typical attacks, the Stuxnet-like, denial-of-service, and false data injection, are taken as specific defense targets. We propose to detect anomalies by quantifying the dynamic variations of generalized model implied by operating data, and present a mode division as the novel detection framework. The subspace technique and a quantization method for the amplitude-frequency characteristic deviation are employed to design the detector, which can be deployed independently in the active ICPS and does not cause any loss of control performance. An attack-defense experimental platform is developed to evaluate the detector under the attack scenarios of interest. The results show that the detector can detect any of the three attacks in a maximum of 28 s after the attack onset, and that these attacks can be distinguished by combining the state estimation residuals and system errors.

computer science, interdisciplinary applications

Joochan Lee,Hyunpyo Choi,Jiho Shin,Jung Taek Seo

DOI: https://doi.org/10.1145/3440943.3444742

2020-12-12

Abstract:In recent years, 1 a large number of studies have been conducted on cybersecurity for Programmable Logic Controllers (PLCs) to cope with cyberattacks on Industrial Control Systems(ICS). However, few studies have been conducted on ensuring cybersafety for control logics running inside PLCs. In this study, a technique for detecting an attack on PLC control logic change was proposed by analyzing the network protocol data and project file structure. Based on the analysis results for the proposed technique, a tool was implemented to detect an manipulation attack on control logic, and whether such attack was detected or not was verified through experiments.

Pol Van Aubel,Kostas Papagiannopoulos,Łukasz Chmielewski,Christian Doerr

DOI: https://doi.org/10.48550/arXiv.1712.05745

2017-12-16

Abstract:Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.

Cryptography and Security

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Emmanuel Aboah Boateng,Bruce J. W

DOI: https://doi.org/10.48550/arXiv.2302.02097

IF: 5.414

2023-02-04

Machine Learning

Abstract:Programmable logic controller (PLC) based industrial control systems (ICS) are used to monitor and control critical infrastructure. Integration of communication networks and an Internet of Things approach in ICS has increased ICS vulnerability to cyber-attacks. This work proposes novel unsupervised machine learning ensemble methods for anomaly detection in PLC-based ICS. The work presents two broad approaches to anomaly detection: a weighted voting ensemble approach with a learning algorithm based on coefficient of determination and a stacking-based ensemble approach using isolation forest meta-detector. The two ensemble methods were analyzed via an open-source PLC-based ICS subjected to multiple attack scenarios as a case study. The work considers four different learning models for the weighted voting ensemble method. Comparative performance analyses of five ensemble methods driven diverse base detectors are presented. Results show that stacking-based ensemble method using isolation forest meta-detector achieves superior performance to previous work on all performance metrics. Results also suggest that effective unsupervised ensemble methods, such as stacking-based ensemble having isolation forest meta-detector, can robustly detect anomalies in arbitrary ICS datasets. Finally, the presented results were validated by using statistical hypothesis tests.

Yanjie Li,Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei247390.2019.9061783

2019-01-01

Abstract:Security threats of smart grid terminals continue to increase. In order to realize non-invasive intrusion detection of power distribution terminal devices in smart grid, we propose a novel anomaly-based intrusion detection approach that use power side-channel. The approach monitors programs running in the terminals by collecting and analyzing the power consumption data of terminal devices. We run three abnormal programs and one normal program in the distribution terminal units (DTUs), and then extract feature values of the power consumption data and lastly conducted anomaly-based intrusion detection through LSTM neural network. Our evaluation results demonstrate that a false positive rate is less than 2% and an accuracy rate is more than 90%.

Zibo Wang,Yaofang Zhang,Yilu Chen,Hongri Liu,Bailing Wang,Chonghua Wang

DOI: https://doi.org/10.3390/pr11030918

IF: 3.5

2023-03-18

Processes

Abstract:Programmable Logic Controllers (PLCs), as specialized task-oriented embedded field devices, play a vital role in current industrial control systems (ICSs), which are composed of critical infrastructure. In order to meet increasing demands on cost-effectiveness while improving production efficiency, commercial-off-the-shelf software and hardware, and external networks such as the Internet, are integrated into the PLC-based control systems. However, it also provides opportunities for adversaries to launch malicious, targeted, and sophisticated cyberattacks. To that end, there is an urgent need to summarize ongoing work in PLC-based control systems on vulnerabilities, attacks, and security detection schemes for researchers and practitioners. Although surveys on similar topics exist, they are less involved in three key aspects, as follows: First and foremost, previous work focused more on system-level vulnerability analysis than PLC itself. Subsequently, it was not clear whether their work applied to the current systems or future ones, especially for security detection schemes. Finally, the prior surveys lacked a digital forensic research review of PLC-based control systems, which was significant for security analysis at different stages. As a result, we highlight vulnerability analysis at both a core component level and a system level, as well as attack models against availability, integrity, and confidentiality. Meanwhile, reviews of security detection schemes and digital forensic research for the current PLC-based systems are provided. Finally, we discuss future work for the next-generation systems.

engineering, chemical

Zeyu Yang,Liang He,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/TDSC.2024.3384146

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Stealthy attacks manipulate the operation of Industrial Control Systems (ICSs) without being undetected, allowing persistent manipulation of system operation and thus the potential to cause destructive damage. This paper introduces a new vulnerability of ICS that can be exploited to mount stealthy attacks without requiring any domain knowledge. This vulnerability is caused by a common practice in system monitoring, i.e., the SCADA monitors ICS operation at a much lower frequency than system execution, causing a loss of precision when the SCADA tries to cross-validate the issued control commands using the collected sensory data. Exploiting this vulnerability, an attack called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> is designed to stealthily manipulate the system operation by identifying and injecting malicious control commands that will not be concluded as abnormal by the SCADA. This paper further discusses a preferred ICS engineering practice and an attestation strategy to mitigate the above vulnerability and protect ICS from <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> . Both <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> and the proposed mitigations have been experimentally validated on two ICS platforms.