Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Ömer Sen,Chijioke Eze,Andreas Ulbig,Antonello Monti

DOI: https://doi.org/10.48550/arXiv.2211.10971

2022-11-20

Abstract:While digitization of distribution grids through information and communications technology brings numerous benefits, it also increases the grid's vulnerability to serious cyber attacks. Unlike conventional systems, attacks on many industrial control systems such as power grids often occur in multiple stages, with the attacker taking several steps at once to achieve its goal. Detection mechanisms with situational awareness are needed to detect orchestrated attack steps as part of a coherent attack campaign. To provide a foundation for detection and prevention of such attacks, this paper addresses the detection of multi-stage cyber attacks with the aid of a graph-based cyber intelligence database and alert correlation approach. Specifically, we propose an approach to detect multi-stage attacks by leveraging heterogeneous data to form a knowledge base and employ a model-based correlation approach on the generated alerts to identify multi-stage cyber attack sequences taking place in the network. We investigate the detection quality of the proposed approach by using a case study of a multi-stage cyber attack campaign in a future-orientated power grid pilot.

Cryptography and Security

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

Sepideh Bahadoripour,Ethan MacDonald,Hadis Karimipour

2023-04-04

Abstract:The growing number of cyber-attacks against Industrial Control Systems (ICS) in recent years has elevated security concerns due to the potential catastrophic impact. Considering the complex nature of ICS, detecting a cyber-attack in them is extremely challenging and requires advanced methods that can harness multiple data modalities. This research utilizes network and sensor modality data from ICS processed with a deep multi-modal cyber-attack detection model for ICS. Results using the Secure Water Treatment (SWaT) system show that the proposed model can outperform existing single modality models and recent works in the literature by achieving 0.99 precision, 0.98 recall, and 0.98 f-measure, which shows the effectiveness of using both modalities in a combined model for detecting cyber-attacks.

Cryptography and Security,Machine Learning

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Manikanta Reddy Dornala

DOI: https://doi.org/10.48550/arXiv.1812.03409

2018-12-09

Computers and Society

Abstract:Cyber attacks have become serious threats to Industrial Control systems as well. It becomes important to develop a serious threat defense system against such vulnerabilities. For such process control systems, safety should also be assured apart from security. As unearthing vulnerabilities and patching them is not a feasible solution, these critical infrastructures need safeguards to prevent accidents, both natural and artificial, that could potentially be hazardous. Morita proposed an effective Zone division, capable of evaluating remote and concealed attacks on the system, coupled with Principal Component Analysis. But the need to analyze the node that has been compromised and stopping any further damages, requires an automated technique. Illustrating the basic ideas we'll simulate a simple Water plant. We propose a new automated approach based on Long Short Term Memory networks capable of detecting attacks and pin point the location of the breach.

Ömer Sen,Dennis van der Velde,Katharina A. Wehrmeister,Immanuel Hacker,Martin Henze,Michael Andres

DOI: https://doi.org/10.1109/SEST50973.2021.9543359

2021-09-06

Abstract:Electric power grids are at risk of being compromised by high-impact cyber-security threats such as coordinated, timed attacks. Navigating this new threat landscape requires a deep understanding of the potential risks and complex attack processes in energy information systems, which in turn demands an unmanageable manual effort to timely process a large amount of cross-domain information. To provide an adequate basis to contextually assess and understand the situation of smart grids in case of coordinated cyber-attacks, we need a systematic and coherent approach to identify cyber incidents. In this paper, we present an approach that collects and correlates cross-domain cyber threat information to detect multi-stage cyber-attacks in energy information systems. We investigate the applicability and performance of the presented correlation approach and discuss the results to highlight challenges in domain-specific detection mechanisms.

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Jinping Liu,Wuxia Zhang,Tianyu Ma,Zhaohui Tang,Yongfang Xie,Weihua Gui,Jean Paul Niyoyita

DOI: https://doi.org/10.1016/j.eswa.2020.113578

IF: 8.5

2020-11-01

Expert Systems with Applications

Abstract:<p>Industrial Cyber-physical systems (ICPSs), integrating communication, computation and control of industrial processes are referred to as a core technology to approach the <em>Industry 4.0</em>. Ensuring the ICPS security is of paramount importance in smart manufacturing. Considering the characteristics of large-scale, geographically-dispersed and multi-dimensional heterogeneous, federated and life-critical natures of ICPSs, this paper investigates a hierarchically distributed intrusion detection scheme that seeks to achieve the all-round safety protection of ICPSs according to the system structure and attacking types of each ICPS layer. For physical system-relevant perceptual executive layer, potential and covert attacks are detected by the clustered sensory system state residual anomaly monitoring based on a process noise and measurement noise-adaptive Kalman filter (PNMN-AKF). PNMN-AKF can perform a joint recursive estimation of dynamic system states, time-varying process and measurement noise covariance matrices by the variational Bayes approximation framework. In cyberspace, potential cyber-attacks are detected by the anomaly monitoring of the statistical distribution of the network transmission characteristics of data transmission layer by introducing a forgetting factor-induced recursive Gaussian mixture model (FF-RGMM). In the application control layer, a regularized sparse deep belief network model is introduced to characterize the misuse behavior for detecting potential attacks. Extensive validation and comparative experiments have been conducted on a numerical simulation system and a comprehensive ICPS simulation platform by using OPNET and a commonly-used benchmark simplified Tennessee Eastman process (STEP) based on Matlab/Simulink. Experimental results demonstrate that the proposed hierarchically distributed intrusion detection method can efficiently recognize potential and covert cyber-attacks in each ICPSs link with low false alarm rate and missing detection rate, which lays a foundation for the overall security monitoring of ICPSs.</p>

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Dusan Nedeljkovic,Zivana Jakovljevic

DOI: https://doi.org/10.1016/j.cose.2021.102585

2022-03-01

Abstract:Extensive communication between smart devices in contemporary Industrial Control Systems (ICS) opens up a vast area for different cyber-attacks and malicious threats. The negative effects of these attacks can not only disrupt or completely disable the system functioning, but also they can have serious safety related consequences. Therefore, cybersecurity in ICS becomes one of the most important issues. In this paper we propose a method for the design of algorithms for the detection of cyber-attacks on communication links between smart devices. The method belongs to the class of semi-supervised data driven approaches and it is based on Convolutional Neural Networks (CNN). Starting from a predefined range of network hyperparameters and data obtained from system operation without attacks, the proposed method autonomously selects suitable CNN architecture and thresholds for online intrusion detection. Following the characteristics of ICS, the proposed intrusion detection is host based, and in our research we consider the structure of ICS and the feasibility of the attack detection algorithm implementation on control system devices. The method is experimentally verified using two case studies. In the first case study that refers to the publicly available dataset obtained from Secure Water Treatment (SWaT) testbed, we present a comparative analysis of the developed method with alternative approaches. The second case study considers a custom developed electro-pneumatic positioning system; in this system we carry out the real-world implementation and validation of the intrusion detection algorithm developed using the proposed method.

computer science, information systems

Simon D. Duque Antón,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.1905.11701

2019-05-28

Cryptography and Security

Abstract:Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means.

Bruno Paes Leao,Jagannadh Vempati,Siddharth Bhela,Tobias Ahlgrim,Daniel Arnold

2024-05-31

Abstract:Modern industrial systems face a growing threat from sophisticated cyberattacks that can cause significant operational disruptions. This work presents a novel methodology for identification of the most critical cyberattacks that may disrupt the operation of such a system. Application of the proposed framework can enable the design and development of advanced cybersecurity solutions for a wide range of industrial applications. Attacks are assessed taking into direct consideration how they impact the system operation as measured by a defined Key Performance Indicator (KPI). A simulation model (SM), of the industrial process is employed for calculation of the KPI based on operating conditions. Such SM is augmented with a layer of information describing the communication network topology, connected devices, and potential actions an adversary can take based on each device or network link. Each possible action is associated with an abstract measure of effort, which is interpreted as a cost. It is assumed that the adversary has a corresponding budget that constrains the selection of the sequence of actions defining the progression of the attack. A dynamical system comprising a set of states associated with the cyberattack (cyber-states) and transition logic for updating their values is also proposed. The resulting augmented simulation model (ASM) is then employed in an artificial intelligence-based sequential decision-making optimization to yield the most critical cyberattack scenarios as measured by their impact on the defined KPI. The methodology is successfully tested based on an electrical power distribution system use case.

Systems and Control

Piotr Marusak,Robert Nebeluk,Andrzej Wojtulewicz,Krzysztof Cabaj,Patryk Chaber,Maciej Ławryńczuk,Sebastian Plamowski,Krzysztof Zarzycki

DOI: https://doi.org/10.3390/s24123860

IF: 3.9

2024-06-15

Sensors

Abstract:The article deals with the issue of detecting cyberattacks on control algorithms running in a real Programmable Logic Controller (PLC) and controlling a real laboratory control plant. The vulnerability of the widely used Proportional–Integral–Derivative (PID) controller is investigated. Four effective, easy-to-implement, and relatively robust methods for detecting attacks on the control signal, output variable, and parameters of the PID controller are researched. The first method verifies whether the value of the control signal sent to the control plant in the previous step is the actual value generated by the controller. The second method relies on detecting sudden, unusual changes in output variables, taking into account the inertial nature of dynamic plants. In the third method, a copy of the controller parameters is used to detect an attack on the controller's parameters implemented in the PLC. The fourth method uses the golden run in attack detection.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Tejasvi Alladi,Vinay Chamola,Sherali Zeadally

DOI: https://doi.org/10.1016/j.comcom.2020.03.007

IF: 5.047

2020-04-01

Computer Communications

Abstract:<p>It is generally understood that an attacker with limited resources would not be able to carry out targeted attacks on Industrial Control Systems. Breaking this general notion, we present case studies of major attacks on Industrial Control Systems (ICSs) in the last 20 years. The attacks chosen are the most prominent ones in terms of the economic loss inflicted, the potential to damage physical equipment and to cause human casualties. For each of these attacks, we describe the attack methodology used and suggest possible solutions to prevent such attacks. We analyze each case study to provide a better insight into the development of future cybersecurity techniques for ICSs. Finally, we suggest some recommendations on the best practices for protecting ICSs.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Abdulrahman Al-Abassi,Hadis Karimipour,Ali Dehghantanha,Reza M. Parizi

DOI: https://doi.org/10.48550/arXiv.2005.00936

IF: 4.729

2020-05-02

Signal Processing

Abstract:The integration of communication networks and the Internet of Things (IoT) in Industrial Control Systems (ICSs) increases their vulnerability towards cyber-attacks, causing devastating outcomes. Traditional Intrusion Detection Systems (IDSs), which are mainly developed to support Information Technology (IT) systems, count vastly on predefined models and are trained mostly on specific cyber-attacks. Besides, most IDSs do not consider the imbalanced nature of ICS datasets, thereby suffering from low accuracy and high false positive on real datasets. In this paper, we propose a deep representation learning model to construct new balanced representations of the imbalanced dataset. The new representations are fed into an ensemble deep learning attack detection model specifically designed for an ICS environment. The proposed attack detection model leverages Deep Neural Network (DNN) and Decision Tree (DT) classifiers to detect cyber-attacks from the new representations. The performance of the proposed model is evaluated based on 10-fold cross-validation on two real ICS datasets. The results show that the proposed method outperforms conventional classifiers, including Random Forest (RF), DNN, and AdaBoost, as well as recent existing models in the literature. The proposed approach is a generalized technique, which can be implemented in existing ICS infrastructures with minimum changes.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Christian Moya,Junho Hong,Jiankang Wang

DOI: https://doi.org/10.48550/arXiv.1806.03544

2018-06-09

Cryptography and Security

Abstract:The future power grid will be characterized by the pervasive use of heterogeneous and non-proprietary information and communication technology, which exposes the power grid to a broad scope of cyber-attacks. In particular, Monitoring-Control Attacks (MCA) --i.e., attacks in which adversaries manipulate control decisions by fabricating measurement signals in the feedback loop-- are highly threatening. This is because, MCAs are (i) more likely to happen with greater attack surface and lower cost, (ii) difficult to detect by hiding in measurement signals, and (iii) capable of inflicting severe consequences by coordinating attack resources. To defend against MCAs, we have developed a semantic analysis framework for Intrusion Detection Systems (IDS) in power grids. The framework consists of two parts running in parallel: a Correlation Index Generator (CIG), which indexes correlated MCAs, and a Correlation Knowledge-Base~(CKB), which is updated aperiodically with attacks' Correlation Indices (CI). The framework has the advantage of detecting MCAs and estimating attack consequences with promising runtime and detection accuracy. To evaluate the performance of the framework, we computed its false alarm rates under different attack scenarios.

Michał Syfert,Andrzej Ordys,Jan Maciej Kościelny,Paweł Wnuk,Jakub Możaryn,Krzysztof Kukiełka

DOI: https://doi.org/10.3390/en15176212

IF: 3.2

2022-08-27

Energies

Abstract:This paper is concerned with the issue of the diagnostics of process faults and the detection of cyber-attacks in industrial control systems. This problem is of significant importance to energy production and distribution, which, being part of critical infrastructure, is usually equipped with process diagnostics and, at the same time, is often subject to cyber-attacks. A commonly used approach would be to separate the two types of anomalies. The detection of process faults would be handled by a control team, often with a help of dedicated diagnostic tools, whereas the detection of cyber-attacks would be handled by an information technology team. In this article, it is postulated here that the two can be usefully merged together into one, comprehensive, anomaly detection system. For this purpose, firstly, the main types of cyber-attacks and the main methods of detecting cyber-attacks are being reviewed. Subsequently, in the analogy to "process fault"—a term well established in process diagnostics—the term "cyber-fault" is introduced. Within this context a cyber-attack is considered as a vector containing a number of cyber-faults. Next, it is explained how methods used in process diagnostics for fault detection and isolation can be applied to the detection of cyber-attacks and, in some cases, also to isolation of the components of such attacks, i.e., cyber-faults. A laboratory stand and a simulator have been developed to test the proposed approach. Some test results are presented, demonstrating that, similarly to equipment/process faults, residua can be established and cyber-faults can be identified based on the mismatch between the real data from the system and the outputs of the simulation model.

energy & fuels

Jan Vavra,Martin Hromada

DOI: https://doi.org/10.1109/miltechs.2015.7153700

2015-05-01

Abstract:The contemporary penetration of information systems into all sectors of human activity is also a cause of the increase in the number of cyber-attacks. This trend also has also hit critical information infrastructures (further only - CII). Their failure could have a great impact on the population - and the state itself. Nowadays, networking between industrial systems is increasing rapidly. That is why there is an ever-growing number, sophistication and complexity of cyber-attacks on CIIs. This trend is thus leading to the formation of a new cyber battlefield, where private and state players - each promote their own interests by means of sophisticated cyber weapons.

Juan Enrique Rubio,Cristina Alcaraz,Rodrigo Roman,Javier Lopez

DOI: https://doi.org/10.1016/j.cose.2019.06.015

2019-11-01

Abstract:<p>Advanced Persistent Threats (APTs) have become a serious hazard for any critical infrastructure, as a single solution to protect all industrial assets from these complex attacks does not exist. It is then essential to understand what are the defense mechanisms that can be used as a first line of defense. For this purpose, this article will firstly study the spectrum of attack vectors that APTs can use against existing and novel elements of an industrial ecosystem. Afterwards, this article will provide an analysis of the evolution and applicability of Intrusion Detection Systems (IDS) that have been proposed in both the industry and academia.</p>

computer science, information systems