Seba Anna Varghese,Alireza Dehlaghi Ghadim,Ali Balador,Zahra Alimadadi,Panos Papadimitratos

DOI: https://doi.org/10.48550/arXiv.2207.09999

2022-07-20

Cryptography and Security

Abstract:Digital twins have recently gained significant interest in simulation, optimization, and predictive maintenance of Industrial Control Systems (ICS). Recent studies discuss the possibility of using digital twins for intrusion detection in industrial systems. Accordingly, this study contributes to a digital twin-based security framework for industrial control systems, extending its capabilities for simulation of attacks and defense mechanisms. Four types of process-aware attack scenarios are implemented on a standalone open-source digital twin of an industrial filling plant: command injection, network Denial of Service (DoS), calculated measurement modification, and naive measurement modification. A stacked ensemble classifier is proposed as the real-time intrusion detection, based on the offline evaluation of eight supervised machine learning algorithms. The designed stacked model outperforms previous methods in terms of F1-Score and accuracy, by combining the predictions of various algorithms, while it can detect and classify intrusions in near real-time (0.1 seconds). This study also discusses the practicality and benefits of the proposed digital twin-based security framework.

S. Krishnaveni,Thomas M. Chen,Mithileysh Sathiyanarayanan,B. Amutha

DOI: https://doi.org/10.1007/s10586-024-04320-x

2024-03-21

Cluster Computing

Abstract:The rise of digital twin-based operational improvements poses a challenge to protecting industrial cyber-physical systems. It is crucial to safeguard digital twins while disclosing internals, which can create an increased attack surface. However, leveraging digital twins to simulate attacks on physical infrastructure becomes essential for enhancing ICPS cybersecurity resilience. This paper introduces an integrated intelligent defense framework called CyberDefender to study various attacks on digital twin-based ICPS from a four-layer perspective (i.e., digital twin-based industrial cyber-physical systems infrastructure layer, honeynet and software-defined industrial network layer, intelligent security platform layer, and smart industrial application layer). To demonstrate its feasibility, we implemented a proof-of-concept (PoC) solution using open-source tools, including AWS for cloud infrastructure, T-Pot for Honeynet, Mininet for SDN support, ELK tools for data management, and Docker for containerization. This framework utilizes an integrated intelligent approach to enhance intrusion detection and classification capabilities for digital twin-based industrial cyber-physical systems (DT-ICPS). The proposed intrusion detection system (IDS) combines two strategies to improve security. First, we present an innovative approach to identifying essential features using explainable AI and ensemble-based filter feature selection (XAI-EFFS). By using Shapley Additive Explanations (SHAP), we analyze the impact of different variables on predictive outcomes. Secondly, we propose a hybrid GRU-LSTM deep-learning model for detecting and classifying intrusions. We optimize the hyperparameters of the GRU-LSTM model by using a Bayesian optimization algorithm. The proposed method demonstrates excellent performance, outperforming conventional state-of-the-art techniques with an accuracy rate of 98.96%, which is a remarkable improvement. Additionally, it effectively detects zero-day attacks, contributing to digital twin-based ICPS cybersecurity resilience.

computer science, information systems, theory & methods

Mohammed El-Hajj

DOI: https://doi.org/10.3390/electronics13193941

IF: 2.9

2024-10-06

Electronics

Abstract:In this research, we investigate the integration of an Intrusion Detection System (IDS) with a Digital Twin (DT) to enhance the cybersecurity of physical devices in cyber–physical systems. Using Eclipse Ditto as the DT platform and Snort as the IDS, we developed a near-realistic test environment that included a Raspberry Pi as the physical device and a Kali Linux virtual machine to perform common cyberattacks such as Hping3 flood attacks and NMAP reconnaissance scans. The results demonstrated that the IDS effectively detected Hping3-based flood attacks but showed limitations in identifying NMAP scans, suggesting areas for IDS configuration improvements. Furthermore, the study uncovered significant system resource impacts, including high Central Processing Unit (CPU) usage during SYN and ACK flood attacks and persistent memory usage after Network Mapper (NMAP) scans, highlighting the need for enhanced recovery mechanisms. This research presents a novel approach by coupling a Digital Twin with an IDS, enabling real-time monitoring and providing a dual perspective on both system performance and security. The integration offers a holistic method for identifying vulnerabilities and understanding resource impacts during cyberattacks. The work contributes new insights into the use of Digital Twins for cybersecurity and paves the way for further research into automated defense mechanisms, real-world validation of the proposed model, and the incorporation of additional attack scenarios. The results suggest that this combined approach holds significant promise for enhancing the security and resilience of IoT devices and other cyber–physical systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Adamu Hussaini,Cheng Qian,Weixian Liao,Wei Yu

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics55523.2022.00112

2022-01-01

Abstract:The (IoT) paradigm’s fundamental goal is to massively connect the “smart things” through standardized interfaces, providing a variety of smart services. Cyber-Physical Systems (CPS) include both physical and cyber components and can apply to various application domains (smart grid, smart transportation, smart manufacturing, etc.). The Digital Twin (DT) is a cyber clone of physical objects (things), which will be an essential component in CPS. This paper designs a systematic taxonomy to explore different attacks on DT-based CPS and how they affect the system from a four-layer architecture perspective. We present an attack space for DT-based CPS on four layers (i.e., object layer, communication layer, DT layer, and application layer), three attack objects (i.e., confidentiality, integrity, and availability), and attack types combined with strength and knowledge. Furthermore, some selected case studies are conducted to examine attacks on representative DT-based CPS (smart grid, smart transportation, and smart manufacturing). Finally, we propose a defense mechanism called Secured DT Development Life Cycle (SDTDLC) and point out the importance of leveraging other enabling techniques (intrusion detection, blockchain, modeling, simulation, and emulation) to secure DT-based CPS.

Efe C. Balta,Michael Pease,James Moyne,Kira Barton,Dawn M. Tilbury

DOI: https://doi.org/10.1109/tase.2023.3243147

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Smart manufacturing (SM) systems utilize run-time data to improve productivity via intelligent decision-making and analysis mechanisms on both machine and system levels. The increased adoption of cyber-physical systems in SM leads to the comprehensive framework of cyber-physical manufacturing systems (CPMS) where data-enabled decision-making mechanisms are coupled with cyber-physical resources on the plant floor. Due to their cyber-physical nature, CPMS are susceptible to cyber-attacks that may cause harm to the manufacturing system, products, or even the human workers involved in this context. Therefore, detecting cyber-attacks efficiently and timely is a crucial step toward implementing and securing high-performance CPMS in practice. This paper addresses two key challenges to CPMS cyber-attack detection. The first challenge is distinguishing expected anomalies in the system from cyber-attacks. The second challenge is the identification of cyber-attacks during the transient response of CPMS due to closed-loop controllers. Digital twin (DT) technology emerges as a promising solution for providing additional insights into the physical process (twin) by leveraging run-time data, models, and analytics. In this work, we propose a DT framework for detecting cyber-attacks in CPMS during controlled transient behavior as well as expected anomalies of the physical process. We present a DT framework and provide details on structuring the architecture to support cyber-attack detection. Additionally, we present an experimental case study on off-the-shelf 3D printers to detect cyber-attacks utilizing the proposed DT framework to illustrate the effectiveness of our proposed approach. Note to Practitioners—This work is motivated by developing a general-purpose and extensible digital twin-enabled cyber-attack detection framework for manufacturing systems. Existing works in the field consider specialized attack scenarios and models that may not be extensible in practical manufacturing scenarios. We utilize digital twin (DT) technology as a key enabler to develop a systematic and extensible framework where we identify the abnormality of a resource and detect if the abnormality is due to an attack or an expected anomaly. We provide several remarks on how our proposed framework can extend existing industrial control systems (ICS) and can accommodate further extensions. The presented DTs utilize data-driven machine learning models, physics-based models, and subject matter expert knowledge to perform detection and differentiation tasks in the context of expected anomalies and model-based controllers that control the manufacturing process between multiple setpoints. We utilize a model predictive controller on an off-the-shelf 3D printer to run the process, and stage anomalies and cyber-attacks that are successfully detected by the proposed framework.

automation & control systems

Hani Alshahrani,Attiya Khan,Muhammad Rizwan,Mana Saleh Al Reshan,Adel Sulaiman,Asadullah Shaikh

DOI: https://doi.org/10.3390/su15119001

IF: 3.9

2023-06-03

Sustainability

Abstract:The Industrial Internet of Things (IIoT) refers to the employment of the Internet of Things in industrial management, where a substantial number of machines and devices are linked and synchronized with the help of software programs and third platforms to improve the overall productivity. The acquisition of the industrial IoT provides benefits that range from automation and optimization to eliminating manual processes and improving overall efficiencies, but security remains to be forethought. The absence of reliable security mechanisms and the magnitude of security features are significant obstacles to enhancing IIoT security. Over the last few years, alarming attacks have been witnessed utilizing the vulnerabilities of the IIoT network devices. Moreover, the attackers can also sink deep into the network by using the relationships amidst the vulnerabilities. Such network security threats cause industries and businesses to suffer financial losses, reputational damage, and theft of important information. This paper proposes an SDN-based framework using machine learning techniques for intrusion detection in an industrial IoT environment. SDN is an approach that enables the network to be centrally and intelligently controlled through software applications. In our framework, the SDN controller employs a machine-learning algorithm to monitor the behavior of industrial IoT devices and networks by analyzing traffic flow data and ultimately determining the flow rules for SDN switches. We use SVM and Decision Tree classification models to analyze our framework's network intrusion and attack detection performance. The results indicate that the proposed framework can detect attacks in industrial IoT networks and devices with an accuracy of 99.7%.

environmental sciences,environmental studies,green & sustainable science & technology

S Krishnaveni,S. Sivamohan,B. Jothi,Thomas M. Chen,Mithileysh Sathiyanarayanan

DOI: https://doi.org/10.1002/cpe.8334

2024-12-12

Concurrency and Computation Practice and Experience

Abstract:The increasing complexity and interconnectivity of industrial cyber‐physical systems (ICPSs), while enhancing operational security and reliability, have also introduced significant cybersecurity challenges. Software‐defined networking (SDN), a transformative technology for centralized and dynamic resource management, is particularly vulnerable as centralized control planes can become single points of failure. The integration of Digital Twin technology, which creates virtual replicas of physical systems for real‐time monitoring and prediction, further exacerbates security risks. To address these issues, we present TwinSec‐IDS, an advanced intrusion detection framework designed for SDN‐Digital‐Twin‐based ICPS. TwinSec‐IDS provides comprehensive and proactive intrusion detection, thereby enhancing the resilience of industrial networks. This paper introduces an ensemble approach, leveraging hybrid deep learning models—such as Bi‐GRU‐CNN, Bi‐GRU‐LSTM, and Bi‐GRU‐LSTM‐CNN—integrated with ensemble‐based feature selection techniques. The system employs weighted majority voting to combine predictions from multiple models, improving detection accuracy. To ensure optimal feature selection, the framework incorporates explainable AI and multiple filter methods, including mutual information, chi‐square tests, and correlation coefficients, aggregated through a voting mechanism. TwinSec‐IDS demonstrates high accuracy in detecting and categorizing anomalies and effectively responds to potential threats. Extensive evaluations show that TwinSec‐IDS significantly improves the security and resilience of SDN‐Digital‐Twin‐based ICPS, addressing critical cybersecurity concerns and making industrial processes safer and more reliable.

computer science, theory & methods, software engineering

Tianyu Zhao,Ernest Foo,Hui Tian

DOI: https://doi.org/10.48550/arXiv.2204.13859

2022-04-29

Abstract:Currently, most of the research in digital twins focuses on simulation and optimization. Digital twins are especially useful for critical systems. However, digital twins can also be used for safety and cyber security. The idea of this paper is motivated by the limitations of cyber security in Cyber-Physical Systems (CPSs). We introduce an efficient synchronization approach to maintain the state between the virtual environment and the physical environment. In this case, we can receive prompt feedback by conducting security analysis in the virtual domain. Thus, helping to enhance the cyber security of CPSs, we propose a digital twin-based framework. Based on the approach, the security of the CPSs can be protected by the digital twin system. Moreover, the proposed architecture has also been optimized to meet the security requirements and maintain less network burden for CPSs

Cryptography and Security

Masi, Massimiliano,Sellitto, Giovanni Paolo,Aranha, Helder

DOI: https://doi.org/10.1007/s10270-022-01075-0

2023-01-03

Abstract:With the diffusion of integrated design environments and tools for visual threat modeling for critical infrastructures, the concept of Digital Twin (DT) is gaining momentum in the field of cybersecurity. Its main use is for enabling attack simulations and evaluation of countermeasures, without causing outage of the physical system. However, the use of a DT is considered foremost as a facilitator of system operation rather than an integral part of its architecture design. In this work, we introduce a specific architecture view in the system representation, called Cybersecurity View. From it, we derive a cybersecurity Digital Twin as part of the security-by-design practice for Industrial Automation and Control Systems used in Critical Infrastructures. Not only this digital twin serves the purpose of simulating cyber-attacks and devising countermeasures, but its design and function are also directly tied to the architecture model of the system for which the cybersecurity requirements are posed. Moreover, this holds regardless of whether the model is generated as part of the development cycle or through an empirical observation of the system as-is. With this, we enable the identification of adequate cybersecurity measures for the system, while improving the overall system design. To demonstrate the practical usefulness of the proposed methodology, its application is illustrated through two real-world use cases: the Cooperative Intelligent Transport System (C-ITS) and the Road tunnel scenario.

computer science, software engineering

Mariam Elnour,Mohammad Noorizadeh,Mohammad Shakerpour,Nader Meskin,Khaled Khan,Raj Jain

DOI: https://doi.org/10.1109/access.2023.3303015

IF: 3.9

2023-08-22

IEEE Access

Abstract:In light of the advancement of the technologies used in industrial control systems, securing their operation has become crucial, primarily since their activity is consistently associated with integral elements related to the environment, the safety and health of people, the economy, and many others. This work presents a distributed, machine learning based attack detection and mitigation framework for sensor false data injection cyber-physical attacks in industrial control systems. It is developed using the system's standard operational data and validated using a hybrid testbed of a reverse osmosis plant. A MATLAB/Simulink-based simulation model of the process validated with actual data from a local plant is used. The control system is implemented using Siemens S7-1200 programmable logic controllers with 200SP Distributed Input/Output modules. The proposed solution can be adopted in the existing industrial control systems and demonstrated effective performance in real-time detection and mitigation of actual cyber-physical attacks launched by compromising the communication links between the process and the programmable logic controllers.

computer science, information systems,telecommunications,engineering, electrical & electronic

Navid Aftabi,Dan Li,Ph.D.,Thomas Sharkey,Ph.D

2024-01-31

Abstract:Industrial Control Systems (ICSs) are widely used in critical infrastructures that face various cyberattacks causing physical damage. With the increasing integration of the ICSs and information technology (IT), ensuring the security of ICSs is of paramount importance. In an ICS, cyberattacks exploit vulnerabilities to compromise sensors and controllers, aiming to cause physical damage. Maliciously accessing different components poses varying risks, highlighting the importance of identifying high-risk cyberattacks. This aids in designing effective detection schemes and mitigation strategies. This paper proposes an optimization-based cyber-risk assessment framework that integrates cyber and physical systems of ICSs. The framework models cyberattacks with varying expertise and knowledge by 1) maximizing physical impact in terms of failure time of the physical system, 2) quickly accessing the sensors and controllers in the cyber system while exploiting limited vulnerabilities, 3) avoiding detection in the physical system, and 4) complying with the cyber and physical restrictions. These objectives enable us to jointly model the interactions between the cyber and physical systems and study the critical cyberattacks that cause the highest impact on the physical system under certain resource constraints. Our framework serves as a tool to understand the vulnerabilities of an ICS with a holistic consideration of cyber and physical systems and their interactions and assess the risk of existing detection schemes by generating the worst-case attack strategies. We illustrate and verify the effectiveness of our proposed method in a numerical and a case study. The results show that a worst-case strategic attacker causes almost 19% further acceleration in the failure time of the physical system while remaining undetected compared to a random attacker.

Optimization and Control,Systems and Control

Taejun Choi,Guangdong Bai,Ryan K L Ko,Naipeng Dong,Wenlu Zhang,Shunyao Wang

DOI: https://doi.org/10.48550/arXiv.2101.11866

2021-01-28

Abstract:Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS - especially at the communication channels between humanmachine interface (HMIs) and programmable logic controllers (PLCs) - are increasing at a rate which outstrips the rate of mitigation. In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool. Using `digital twin' scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework's steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of `heuristic inference attacks', a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS. Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Cryptography and Security

Cheng Feng,Tingting Li,Zhanxing Zhu,Deeph Chana

DOI: https://doi.org/10.48550/arXiv.1709.06397

2017-09-19

Cryptography and Security

Abstract:Industrial control systems (ICS), which in many cases are components of critical national infrastructure, are increasingly being connected to other networks and the wider internet motivated by factors such as enhanced operational functionality and improved efficiency. However, set in this context, it is easy to see that the cyber attack surface of these systems is expanding, making it more important than ever that innovative solutions for securing ICS be developed and that the limitations of these solutions are well understood. The development of anomaly based intrusion detection techniques has provided capability for protecting ICS from the serious physical damage that cyber breaches are capable of delivering to them by monitoring sensor and control signals for abnormal activity. Recently, the use of so-called stealthy attacks has been demonstrated where the injection of false sensor measurements can be used to mimic normal control system signals, thereby defeating anomaly detectors whilst still delivering attack objectives. In this paper we define a deep learning-based framework which allows an attacker to conduct stealthy attacks with minimal a-priori knowledge of the target ICS. Specifically, we show that by intercepting the sensor and/or control signals in an ICS for a period of time, a malicious program is able to automatically learn to generate high-quality stealthy attacks which can achieve specific attack goals whilst bypassing a black box anomaly detector. Furthermore, we demonstrate the effectiveness of our framework for conducting stealthy attacks using two real-world ICS case studies. We contend that our results motivate greater attention on this area by the security community as we demonstrate that currently assumed barriers for the successful execution of such attacks are relaxed.

Zahra Jadidi,Yi Lu

DOI: https://doi.org/10.1109/access.2021.3133260

IF: 3.9

2021-01-01

IEEE Access

Abstract:An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages, threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Javier López,Cristina Alcaraz

DOI: https://doi.org/10.1109/COMST.2022.3171465

Abstract:Industry 4.0 is having an increasingly positive impact on the value chain by modernizing and optimizing the production and distribution processes. In this streamline, the digital twin (DT) is one of the most cutting-edge technologies of Industry 4.0, providing simulation capabilities to forecast, optimize and estimate states and configurations. In turn, these technological capabilities are encouraging industrial stakeholders to invest in the new paradigm, though an increased focus on the risks involved is really needed. More precisely, the deployment of a DT is based on the composition of technologies such as cyber-physical systems, the Industrial Internet of Things, edge computing, virtualization infrastructures, artificial intelligence and big data. However, the confluence of all these technologies and the implicit interaction with the physical counterpart of the DT in the real world generate multiple security threats that have not yet been sufficiently studied. In that context, this paper analyzes the current state of the DT paradigm and classifies the potential threats associated with it, taking into consideration its functionality layers and the operational requirements in order to achieve a more complete and useful classification. We also provide a preliminary set of security recommendations and approaches that can help to ensure the appropriate and trustworthy use of a DT.

Engineering,Computer Science

Simon D. Duque Antón,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.1905.11701

2019-05-28

Cryptography and Security

Abstract:Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.

Alireza Dehlaghi-Ghadim,Ali Balador,Mahshid Helali Moghadam,Hans Hansson,Mauro Conti

DOI: https://doi.org/10.48550/arXiv.2210.13325

2022-10-24

Cryptography and Security

Abstract:With the advent of smart industry, Industrial Control Systems (ICS) are increasingly using Cloud, IoT, and other services to meet Industry 4.0 targets. The connectivity inherent in these services exposes such systems to increased cybersecurity risks. To protect ICSs against cyberattacks, intrusion detection systems and intrusion prevention systems empowered by machine learning are used to detect abnormal behavior of the systems. Operational ICSs are not safe environments to research intrusion detection systems due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds enable researchers to analyze and validate their intrusion detection algorithms in a controlled environment. Although various ICS testbeds have been developed, researchers' access to a low-cost, adaptable, and customizable testbed that can accurately simulate industrial control systems and suits security research is still an important issue. In this paper, we present ICSSIM, a framework for building customized virtual ICS security testbeds, in which various types of cyber threats and attacks can be effectively and efficiently investigated. This framework contains base classes to simulate control system components and communications. ICSSIM aims to produce extendable, versatile, reproducible, low-cost, and comprehensive ICS testbeds with realistic details and high fidelity. ICSSIM is built on top of the Docker container technology, which provides realistic network emulation and runs ICS components on isolated private operating system kernels. ICSSIM reduces the time for developing ICS components and offers physical process modelling using software and hardware in the loop simulation. We demonstrated ICSSIM by creating a testbed and validating its functionality by showing how different cyberattacks can be applied.

Azidine Guezzaz,Mourade Azrour,Said Benkirane,Mouaad Mohy-Eddine,Hanaa Attou,Maryam Douiba

DOI: https://doi.org/10.34028/iajit/19/5/14

2022-01-01

The International Arab Journal of Information Technology

Abstract:Due to the development of cloud computing and Internet of Things (IoT) environments, such as healthcare systems, telecommunications and Industry 4.0 or Industrial IoT (IIoT) many daily services are transformed. Therefore, Security issues become useful to better protect these novel technologies. IIoT security represents a real challenge for industry actors and academic research. A set of security approaches, such as intrusion detection are integrated to improve IIoT environments security. Hence, an Intrusion Detection System (IDS) aims to monitor, detect an intrusion in real time and then make reliable decisions. Many recent IDS incorporate Machine Learning (ML) techniques to improve their Accuracy (ACC), precision and Detection Rate (DR). This paper presents a hybrid IDS for Edge-Based IIoT Security using ML techniques. This new hybrid framework is based on misuse and anomaly detection using K-Nearest Neighbor (K-NN) and Principal Component Analysis (PCA) techniques. Specifically, the K-NN classifier has been incorporated to improve detection accuracy and make effective decision and the PCA is used for an enhanced feature engineering and training process. The obtained results have proven that our proposed Framework presents many advantages compared with other recent models. It gives good results with 99.10% ACC, 98.4% DR 2.7% False Alarm Rate (FAR) on NSL-KDD dataset and 98.2% ACC, 97.6% DR, 2.9% FAR on Bot-IoT dataset.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.