Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Lilian Kawakami Carvalho,Yi-Chin Wu,Raymond Kwong,Stéphane Lafortune

DOI: https://doi.org/10.48550/arXiv.1807.04889

2018-07-13

Abstract:The deployment of control systems with network-connected components has made feedback control systems vulnerable to attacks over the network. This paper considers the problem of intrusion detection and mitigation in supervisory control systems, where the attacker has the ability to enable or disable vulnerable actuator commands and erase or insert vulnerable sensor readings. We present a mathematical model for the system under certain classes of actuator enablement attacks, sensor erasure attacks, or sensor insertion attacks. We then propose a defense strategy that aims to detect such attacks online and disables all controllable events after an attack is detected. We develop an algorithmic procedure for verifying whether the system can prevent damage from the attacks considered with the proposed defense strategy, where damage is modeled as the reachability of a pre-defined set of unsafe system <a class="link-external link-http" href="http://states.The" rel="external noopener nofollow">this http URL</a> technical condition of interest that is necessary and sufficient in this context, termed "GF-safe controllability", is characterized. We show that the verification of GF-safe controllability can be performed using diagnoser or verifier automata. Finally, we illustrate the methodology with a traffic control system example.

Formal Languages and Automata Theory,Systems and Control

Lei Zhang,Lun Xie,Bo Hu,Zhi-liang Wang,Fuji Ren

DOI: https://doi.org/10.1109/robio.2017.8324820

2017-01-01

Abstract:With wide application of Robot Arm in industrial control system, its security demands are increasing day by day. The paper deals with intrusion detection of Robot Arm control system based on EtherCAT fleldbus protocol, which is simulated by developed driver and data obtained from PSIM. By studying three-dimensional linked list of Snort, an intrusion detection system is designed to detect protocol and motor model. Protocol detection rules are derived from protocol characteristics and mutual restriction relations between different fields. Rules of Robot Arm control system aim at detecting core variables of speed control, torque control and position control. Users can compile rules flexibly to adapt to variety attacks. Intrusion behaviors from upper computer or storage device are simulated by user mode program. At last, intrusion detection of Robot Arm control system based on EtherCAT is tested. The results show that the designed system is able to recognize intrusions concentrate on EtherCAT and Robot Arm control system and achieved expected purpose.

Qian Wang,Yiming Qian,Zhaojun Lu,Yasser Shoukry,Gang Qu

DOI: https://doi.org/10.1109/asianhost.2018.8607178

2018-01-01

Abstract:The recent developments in the automobile industry and the self-driving technology necessitated an increase in the traditional automobile features to guarantee the drivers safety, improve the driving convenience and realize the autonomous driving. To support these necessary functions and features, a significant amount of the hardware equipment, i.e., Electronic Control Unit (ECU), is integrated into the car system. However, these ECUs also bring security vulnerabilities because their communication follows the Controller Area Network (CAN) protocol that was designed without supporting message origin authentication. Several methods to resolve this problem have been proposed in the literature, but most of them would require heavy communications and calculations to support the cryptography algorithms. In this paper, we propose a delay-based Intrusion Detection System (IDS) to protect the CAN network by identifying the location of the compromised ECU for the in-vehicle network. We develop and implement our detection method on CAN bus prototype, and our results show that our method is capable of an overall detection accuracy above 97%. The proposed scheme is demonstrated to protect the integrity of the messages on CAN bus leading to a further improve the security and safety of autonomous vehicles.

Faezeh Farivar,Mohammad Sayad Haghighi,Alireza Jolfaei,Sheng Wen

DOI: https://doi.org/10.48550/arXiv.2008.00414

2020-08-04

Abstract:With the benefits of Internet of Vehicles (IoV) paradigm, come along unprecedented security challenges. Among many applications of inter-connected systems, vehicular networks and smart cars are examples that are already rolled out. Smart vehicles not only have networks connecting their internal components e.g. via Controller Area Network (CAN) bus, but also are connected to the outside world through road side units and other vehicles. In some cases, the internal and external network packets pass through the same hardware and are merely isolated by software defined rules. Any misconfiguration opens a window for the hackers to intrude into vehicles' internal components e.g. central lock system, Engine Control Unit (ECU), Anti-lock Braking System (ABS) or Adaptive Cruise Control (ACC) system. Compromise of any of these can lead to disastrous outcomes. In this paper, we study the security of smart vehicles' adaptive cruise control systems in the presence of covert attacks. We define two covert/stealth attacks in the context of cruise control and propose a novel intrusion detection and compensation method to disclose and respond to such attacks. More precisely, we focus on the covert cyber attacks that compromise the integrity of cruise controller and employ a neural network identifier in the IDS engine to estimate the system output dynamically and compare it against the ACC output. If any anomaly is detected, an embedded substitute controller kicks in and takes over the control. We conducted extensive experiments in MATLAB to evaluate the effectiveness of the proposed scheme in a simulated environment.

Cryptography and Security,Systems and Control

Mariam Elnour,Mohammad Noorizadeh,Mohammad Shakerpour,Nader Meskin,Khaled Khan,Raj Jain

DOI: https://doi.org/10.1109/access.2023.3303015

IF: 3.9

2023-08-22

IEEE Access

Abstract:In light of the advancement of the technologies used in industrial control systems, securing their operation has become crucial, primarily since their activity is consistently associated with integral elements related to the environment, the safety and health of people, the economy, and many others. This work presents a distributed, machine learning based attack detection and mitigation framework for sensor false data injection cyber-physical attacks in industrial control systems. It is developed using the system's standard operational data and validated using a hybrid testbed of a reverse osmosis plant. A MATLAB/Simulink-based simulation model of the process validated with actual data from a local plant is used. The control system is implemented using Siemens S7-1200 programmable logic controllers with 200SP Distributed Input/Output modules. The proposed solution can be adopted in the existing industrial control systems and demonstrated effective performance in real-time detection and mitigation of actual cyber-physical attacks launched by compromising the communication links between the process and the programmable logic controllers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Steven X. Ding,Linlin Li,Dong Zhao,Chris Louen,Tianyu Liu

DOI: https://doi.org/10.48550/arXiv.2103.00210

2021-06-05

Abstract:This draft addresses issues of detecting stealthy integrity cyber-attacks on automatic control systems in the unified control and detection framework. A general form of integrity cyber-attacks that cannot be detected using the well-established observer-based technique is first introduced as kernel attacks. The well-known replay, zero dynamics and covert attacks are special forms of the kernel attacks. Existence conditions for the kernel attacks are presented. It is demonstrated, in the unified framework of control and detection, that all kernel attacks can be structurally detected when not only the observer-based residual, but also the control signal based residual signals are generated and used for the detection purpose. Based on the analytical results, two schemes for detecting the kernel attacks are then proposed, which allow reliable attack detection without loss of control performance. While the first scheme is similar to the well-established moving target method and auxiliary system aided detection scheme, the second detector is realised with encrypted transmissions of control and monitoring signals in the feedback control system that prevents adversary to gain system knowledge by means of eavesdropping attacks. Both schemes are illustrated by examples of detecting replay, zero dynamics and covert attacks and an experimental study on a three-tank control system.

Systems and Control

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Sean Weerakkody,Bruno Sinopoli

DOI: https://doi.org/10.48550/arXiv.1706.08182

2017-06-26

Abstract:Maintaining the security of control systems in the presence of integrity attacks is a significant challenge. In literature, several possible attacks against control systems have been formulated including replay, false data injection, and zero dynamics attacks. The detection and prevention of these attacks may require the defender to possess a particular subset of trusted communication channels. Alternatively, these attacks can be prevented by keeping the system model secret from the adversary. In this paper, we consider an adversary who has the ability to modify and read all sensor and actuator channels. To thwart this adversary, we introduce external states dependent on the state of the control system, with linear time-varying dynamics unknown to the adversary. We also include sensors to measure these states. The presence of unknown time-varying dynamics is leveraged to detect an adversary who simultaneously aims to identify the system and inject stealthy outputs. Potential attack strategies and bounds on the attacker's performance are provided.

Systems and Control

Manikanta Reddy Dornala

DOI: https://doi.org/10.48550/arXiv.1812.03409

2018-12-09

Computers and Society

Abstract:Cyber attacks have become serious threats to Industrial Control systems as well. It becomes important to develop a serious threat defense system against such vulnerabilities. For such process control systems, safety should also be assured apart from security. As unearthing vulnerabilities and patching them is not a feasible solution, these critical infrastructures need safeguards to prevent accidents, both natural and artificial, that could potentially be hazardous. Morita proposed an effective Zone division, capable of evaluating remote and concealed attacks on the system, coupled with Principal Component Analysis. But the need to analyze the node that has been compromised and stopping any further damages, requires an automated technique. Illustrating the basic ideas we'll simulate a simple Water plant. We propose a new automated approach based on Long Short Term Memory networks capable of detecting attacks and pin point the location of the breach.

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Zhouyan Deng,Yijie Xun,Jiajia Liu,Shouqing Li,Yilin Zhao

DOI: https://doi.org/10.1109/globecom48099.2022.10000766

2022-01-01

Abstract:As emerging technologies such as mobile communication, vehicle to everything, and artificial intelligence are widely used in intelligent connected vehicles, drivers can gain a convenient and colorful driving experience. While these technologies enrich the driving experience, they also bring a series of vulnerable interfaces to the vehicle. These interfaces can be used by hackers to attack other nodes of in-vehicle network that lack authentication and encryption. For this, researchers design scheme to encrypt and authenticate messages to protect in-vehicle networks, but this scheme would occupy the bandwidth resources of in-vehicle network. Therefore, researchers propose parameter monitoring-based intrusion detection system (IDS), information theory-based IDS, and fingerprint-based IDS, which do not occupy bandwidth. However, most IDSs either cannot locate the source of the attack, cannot detect aperiodic frames, or need to know the non-public mapping between electronic control units (ECUs) and identifiers (IDs) of in-vehicle network. To solve these weaknesses, we propose a novel IDS that establishes voltage fingerprints for each ID. This system can detect period and aperiodic malicious frames and locate the source of attack without knowing the mapping between ECUs and IDs. The experimental results on actual vehicles demonstrate that our scheme is robust against real scenarios.

Sridhar Adepu,Ferdinand Brasser,Luis Garcia,Michael Rodler,Lucas Davi,Ahmad-Reza Sadeghi,Saman Zonouz

DOI: https://doi.org/10.1109/iccps48487.2020.00011

2020-04-01

Abstract:Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems. We present Scadman, a novel control-logic aware anomaly detection system for distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers (like programmable logic controllers–PLCs) in ICS can be verified. This allows Scadman to detect a wide range of attacks, including malware attacks, code-reuse and dataonly attacks, as well as sensor attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for ICS security research and training. Our results show that we can detect a wide range of attacks–including attacks that have previously been undetectable by typical state estimation techniques–while causing no false-positive warning for nominal threshold values.

Li Yang,Abdallah Moubayed,Abdallah Shami

DOI: https://doi.org/10.1109/JIOT.2021.3084796

2021-05-27

Abstract:Modern vehicles, including connected vehicles and autonomous vehicles, nowadays involve many electronic control units connected through intra-vehicle networks to implement various functionalities and perform actions. Modern vehicles are also connected to external networks through vehicle-to-everything technologies, enabling their communications with other vehicles, infrastructures, and smart devices. However, the improving functionality and connectivity of modern vehicles also increase their vulnerabilities to cyber-attacks targeting both intra-vehicle and external networks due to the large attack surfaces. To secure vehicular networks, many researchers have focused on developing intrusion detection systems (IDSs) that capitalize on machine learning methods to detect malicious cyber-attacks. In this paper, the vulnerabilities of intra-vehicle and external networks are discussed, and a multi-tiered hybrid IDS that incorporates a signature-based IDS and an anomaly-based IDS is proposed to detect both known and unknown attacks on vehicular networks. Experimental results illustrate that the proposed system can detect various types of known attacks with 99.99% accuracy on the CAN-intrusion-dataset representing the intra-vehicle network data and 99.88% accuracy on the CICIDS2017 dataset illustrating the external vehicular network data. For the zero-day attack detection, the proposed system achieves high F1-scores of 0.963 and 0.800 on the above two datasets, respectively. The average processing time of each data packet on a vehicle-level machine is less than 0.6 ms, which shows the feasibility of implementing the proposed system in real-time vehicle systems. This emphasizes the effectiveness and efficiency of the proposed IDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

Mehran Attar,Walter Lucia

2024-10-01

Abstract:This paper proposes a worst-case data-driven control architecture capable of ensuring the safety of constrained Cyber-Physical Systems under cyber-attacks while minimizing, whenever possible, potential degradation in tracking performance. To this end, a data-driven robust anomaly detector is designed to detect cyber-attack occurrences. Moreover, an add-on tracking supervisor module allows safe open-loop tracking control operations in case of unreliable measurements. On the plant side, a safety verification module and a local emergency controller are designed to manage severe attack scenarios that cannot be handled on the controller's side. These two modules resort to worst-case reachability and controllability data-driven arguments to detect potential unsafe scenarios and replace, whenever strictly needed, the tracking controller with emergency actions whose objective is to steer the plant's state trajectory in a predefined set of admissible and safe robust control invariant region until an attack-free scenario is restored. The effectiveness of the proposed solution has been shown through a simulation example.

Systems and Control,Optimization and Control

Linlin Li,Steven X. Ding,Liutao Zhou,Maiying Zhong,Kaixiang Peng

2024-09-20

Abstract:This paper is concerned with the detection, resilient and fault-tolerant control issues for cyber-physical systems. To this end, the impairment of system dynamics caused by the defined types of cyber-attacks and process faults is analyzed. Then, the relation of the system input and output signals with the residual subspaces spanned by both the process and the controller is studied. Considering the limit capacity of standard observer-based detection and feedback control schemes in detecting and handling the cyber-attacks, a modified configuration for cyber-physical systems is developed by transmitting the combinations of the input and output residuals instead of the input and output signals, which is facile for dealing with both the process faults and cyber-attacks. It is followed by the integrated design of fault and attack detection, resilient and fault-tolerant control schemes. To enhance the detectability of cyber-attacks, the potential stealthy attack mechanisms on deteriorating the tracking behavior and feedback control performance are developed from the attackers' point of view, and the associated detection schemes for such stealthy attacks are proposed from the defenders' point of view. A case study on the robotino system is utilized to demonstrate the proposed resilient cyber-physical configuration.

Systems and Control

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Mehran Attar,Walter Lucia

2024-02-21

Abstract:In this paper, we propose a data-driven networked control architecture for unknown and constrained cyber-physical systems capable of detecting networked false-data-injection attacks and ensuring plant's safety. In particular, on the controller's side, we design a novel robust anomaly detector that can discover the presence of network attacks using a data-driven outer approximation of the expected robust one-step reachable set. On the other hand, on the plant's side, we design a data-driven safety verification module, which resorts to worst-case arguments to determine if the received control input is safe for the plant's evolution. Whenever necessary, the same module is in charge of replacing the networked controller with a local data-driven set-theoretic model predictive controller, whose objective is to keep the plant's trajectory in a pre-established safe configuration until an attack-free condition is recovered. Numerical simulations involving a two-tank water system illustrate the features and capabilities of the proposed control architecture.

Systems and Control

Yi Yang,Hai-Qing Xu,Lei Gao,Y.B. Yuan,Kieran McLaughlin,Sakir Sezer

DOI: https://doi.org/10.1109/TPWRD.2016.2603339

IF: 4.825

2017-01-01

IEEE Transactions on Power Delivery

Abstract:Emerging cybersecurity vulnerabilities in supervisory control and data acquisition (SCADA) systems are becoming urgent engineering issues for modern substations. This paper proposes a novel intrusion detection system (IDS) tailored for cybersecurity of IEC 61850 based substations. The proposed IDS integrates physical knowledge, protocol specifications, and logical behaviors to provide a comprehens...