Towards Low-Barrier Cybersecurity Research and Education for Industrial Control Systems

The protection of Industrial Control Systems (ICS) that are employed in public critical infrastructures is of utmost importance due to catastrophic physical damages cyberattacks may cause. The research community requires testbeds for validation and comparing various intrusion detection algorithms to protect ICS. However, there exist high barriers to entry for research and education in the ICS cybersecurity domain due to expensive hardware, software, and inherent dangers of manipulating real-world systems. To close the gap, built upon recently developed 3D high-fidelity simulators, we further showcase our integrated framework to automatically launch cyberattacks, collect data, train machine learning models, and evaluate for practical chemical and manufacturing processes. On our testbed, we validate our proposed intrusion detection model called Minimal Threshold and Window SVM (MinTWin SVM) that utilizes unsupervised machine learning via a one-class SVM in combination with a sliding window and classification threshold. Results show that MinTWin SVM minimizes false positives and is responsive to physical process anomalies. Furthermore, we incorporate our framework with ICS cybersecurity education by using our dataset in an undergraduate machine learning course where students gain hands-on experience in practicing machine learning theory with a practical ICS dataset. All of our implementations have been open-sourced.Comment: accepted to the 20th Annual IEEE International Conference on Intelligence and Security Informatics (ISI

A resilient cyber-physical demand forecasting system for critical infrastructures against stealthy false data injection attacks

The safe and efficient function of critical national infrastructure (CNI) relies on the accurate demand forecast. Cyber-physical system-based demand forecasting systems (CDFS), typically found in CNI (such as energy, water, and transport), are highly vulnerable to being compromised under false data injection attacks (FDIAs). The problem is that the majority of existing CDFS employ anomaly-based intrusion detection systems (AIDS) to combat FDIAs. Since the distribution of demand time series keeps changing naturally with time, AIDS treat a major change in the distribution as an attack, but this approach is not effective against colluding FDIAs. To overcome this problem, we propose a novel resilient CDFS called PRDFS (Proposed Resilient Demand Forecasting System). The primary novelty of PRDFS is that it uses signature-based intrusion detection systems (SIDS) that automatically generate attack signatures through the game-theoretic approach for the early detection of malicious nodes. We simulate the performance of PRDFS under colluding FDIA on High Performance Computing (HPC). The simulation results show that the demand forecasting resilience of PRDFS never goes below 80%, regardless of the percentage of malicious nodes. In contrast, the resilience of the benchmark system decreases sharply from about 99% to less than 30%, over the simulation period as the percentage of malicious nodes increases

Safety monitoring under stealthy sensor injection attacks using reachable sets

Stealthy sensor injection attacks are serious threats for industrial plants as they can compromise the plant's integrity without being detected by traditional fault detectors. In this manuscript, we study the possibility of revealing the presence of such attacks by monitoring only the control input. This approach consists in computing an ellipsoidal bound of the input reachable set. When the control input does not belong to this set, this means that a stealthy sensor injection attack is driving the plant to critical states. The problem of finding this ellipsoidal bound is posed as a convex optimization problem (convex cost with Linear Matrix Inequalities constraints). Our monitoring approach is tested in simulation

Destructive Attacks Detection and Response System for Physical Devices in Cyber-Physical Systems

Nowadays, physical health of equipment controlled by Cyber-Physical Systems (CPS) is a significant concern. This paper reports a work, in which, a hardware is placed between Programmable Logic Controller (PLC) and the actuator as a solution. The proposed hardware operates in two conditions, i.e. passive and active. Operation of the proposed solution is based on the repetitive operational profile of the actuators. The normal operational profile of the actuator is fed to the protective hardware and is considered as the normal operating condition. In the normal operating condition, the middleware operates in its passive mode and simply monitors electronic signals passing between PLC and Actuator. In case of any malicious operation, the proposed hardware operates in its active mode and both slowly stops the actuator and sends an alert to SCADA server initiating execution of the actuator’s emergency profile. Thus, the proposed hardware gains control over the actuator and prevents any physical damage on the operating devices. Two sample experiments are reported in which, results of implementing the proposed solution are reported and assessed. Results show that once the PLC sends incorrect data to actuator, the proposed hardware detects it as an anomaly. Therefore, it does not allow the PLC to send incorrect and unauthorized data pattern to its actuator. Significance of the paper is in introducing a solution to prevent destruction of physical devices apart from source or purpose of the encountered anomaly and apart from CPS functionality or PLC model and operation

Defense by Deception against Stealthy Attacks in Power Grids

Cyber-physical Systems (CPSs) and the Internet of Things (IoT) are converging towards a hybrid platform that is becoming ubiquitous in all modern infrastructures. The integration of the complex and heterogeneous systems creates enormous space for the adversaries to get into the network and inject cleverly crafted false data into measurements, misleading the control center to make erroneous decisions. Besides, the attacker can make a critical part of the system unavailable by compromising the sensor data availability. To obfuscate and mislead the attackers, we propose DDAF, a deceptive data acquisition framework for CPSs\u27 hierarchical communication network. Each switch in the hierarchical communication network generates a random pattern of addresses/IDs by shuffling the original sensor IDs reported through it. During the data acquisition from remotely located sensors to the central controller, the switches craft the network packets by replacing a few sensors\u27 associated addresses/IDs with the generated deceptive IDs and by adding decoy data for the rest. While misleading the attackers, the control center must retrieve the actual data to operate the system correctly. We propose three remapping mechanisms (e.g., seed-based, prediction-based, and hybrid) and compare their robustness against different stealthy attacks. Due to the deception, artfully altered measurements turn into random data injections, making it easy to remove them as outliers. As the outliers and the estimated residuals contain the potential attack vectors, DDAF can detect and localize the attack points and the targeted sensors by analyzing this information. DDAF is generic and scalable to be implemented in any hierarchical CPSs network. Experimental results on the standard IEEE 14, 57, and 300 bus power systems show that DDAF can detect, mitigate, and localize up-to 100% of the stealthy cyberattacks. To the best of our knowledge, this is the first framework that implements complete randomization in the data acquisition of the hierarchical CPSs

A Framework for Determining Robust Context-Aware Attack-Detection Thresholds for Cyber-Physical Systems

Process-aware attack detection plays a key role in securing cyber-physical systems. A process-aware detection system (PADS) identifies a baseline behaviour of the physical process in cyber-physical systems and continuously attempts to detect deviations from the baseline attributed to malicious modifications in the process operation. Typically, a PADS triggers an alarm whenever the detection score crosses a fixed and predetermined threshold. In this paper, we argue that in the context of securing cyber-physical systems, relying on a single fixed threshold can undermine the effectiveness of the PADS, and propose a context-aware framework for determining two-dimensional thresholds that enhance the sensibility and reliability of such detection systems by rendering them more robust to false detection. In addition, we propose an algorithm, out of many possible, within this framework as a practical example

Machine learning for intrusion detection in industrial control systems : challenges and lessons from experimental evaluation

Abstract: Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant

Recent Advances on State Estimation for Power Grids with Unconventional Measurements

State estimation problem for power systems has long been a fundamental issue that demands a variety of methodologies depending on the system settings. With the recent introduction of advanced devices of phasor measurement units (PMUs) and dedicated communication networks, the infrastructure of power grids has been greatly improved. Coupled with the infrastructure improvements are three emerging issues for the state estimation problems, namely, the coexistence of both traditional and PMU measurements, the incomplete information resulting from delayed, asynchronous and missing measurements due to communication constraints, and the cyber-attacks on the communication channels. In this study, the authors aim to survey some recent advances on the state estimation methods which tackle the above three issues in power grids. Traditional state estimation methods applied in power grids are first introduced. Latest results on state estimation with mixed measurements and incomplete measurements are then discussed in great detail. In addition, the techniques developed to ensure the cyber-security of the state estimation schemes for power grids are highlighted. Finally, some concluding remarks are given and some possible future research directions are pointed out

Deteção de propagação de ameaças e exfiltração de dados em redes empresariais

Modern corporations face nowadays multiple threats within their networks. In an era where companies are tightly dependent on information, these threats can seriously compromise the safety and integrity of sensitive data. Unauthorized access and illicit programs comprise a way of penetrating the corporate networks, able to traversing and propagating to other terminals across the private network, in search of confidential data and business secrets. The efficiency of traditional security defenses are being questioned with the number of data breaches occurred nowadays, being essential the development of new active monitoring systems with artificial intelligence capable to achieve almost perfect detection in very short time frames. However, network monitoring and storage of network activity records are restricted and limited by legal laws and privacy strategies, like encryption, aiming to protect the confidentiality of private parties. This dissertation proposes methodologies to infer behavior patterns and disclose anomalies from network traffic analysis, detecting slight variations compared with the normal profile. Bounded by network OSI layers 1 to 4, raw data are modeled in features, representing network observations, and posteriorly, processed by machine learning algorithms to classify network activity. Assuming the inevitability of a network terminal to be compromised, this work comprises two scenarios: a self-spreading force that propagates over internal network and a data exfiltration charge which dispatch confidential info to the public network. Although features and modeling processes have been tested for these two cases, it is a generic operation that can be used in more complex scenarios as well as in different domains. The last chapter describes the proof of concept scenario and how data was generated, along with some evaluation metrics to perceive the model’s performance. The tests manifested promising results, ranging from 96% to 99% for the propagation case and 86% to 97% regarding data exfiltration.Nos dias de hoje, várias organizações enfrentam múltiplas ameaças no interior da sua rede. Numa época onde as empresas dependem cada vez mais da informação, estas ameaças podem compremeter seriamente a segurança e a integridade de dados confidenciais. O acesso não autorizado e o uso de programas ilícitos constituem uma forma de penetrar e ultrapassar as barreiras organizacionais, sendo capazes de propagarem-se para outros terminais presentes no interior da rede privada com o intuito de atingir dados confidenciais e segredos comerciais. A eficiência da segurança oferecida pelos sistemas de defesa tradicionais está a ser posta em causa devido ao elevado número de ataques de divulgação de dados sofridos pelas empresas. Desta forma, o desenvolvimento de novos sistemas de monitorização ativos usando inteligência artificial é crucial na medida de atingir uma deteção mais precisa em curtos períodos de tempo. No entanto, a monitorização e o armazenamento dos registos da atividade da rede são restritos e limitados por questões legais e estratégias de privacidade, como a cifra dos dados, visando proteger a confidencialidade das entidades. Esta dissertação propõe metodologias para inferir padrões de comportamento e revelar anomalias através da análise de tráfego que passa na rede, detetando pequenas variações em comparação com o perfil normal de atividade. Delimitado pelas camadas de rede OSI 1 a 4, os dados em bruto são modelados em features, representando observações de rede e, posteriormente, processados por algoritmos de machine learning para classificar a atividade de rede. Assumindo a inevitabilidade de um terminal ser comprometido, este trabalho compreende dois cenários: um ataque que se auto-propaga sobre a rede interna e uma tentativa de exfiltração de dados que envia informações para a rede pública. Embora os processos de criação de features e de modelação tenham sido testados para estes dois casos, é uma operação genérica que pode ser utilizada em cenários mais complexos, bem como em domínios diferentes. O último capítulo inclui uma prova de conceito e descreve o método de criação dos dados, com a utilização de algumas métricas de avaliação de forma a espelhar a performance do modelo. Os testes mostraram resultados promissores, variando entre 96% e 99% para o caso da propagação e entre 86% e 97% relativamente ao roubo de dados.Mestrado em Engenharia de Computadores e Telemátic

Perancangan Virtual Simulator Sistem Pengendalian Level Berbasis Web Server untuk Praktikum Teknik Otomasi

Kegiatan praktikum memiliki peran penting dalam pendidikan teknik, terlebih untuk pendidikan vokasi yang memiliki sistem pengajaran dengan rasio 60% praktek dan 40% teori. Pandemi COVID-19 saat ini, terdapat himbauan untuk menjaga jarak (Physical Distancing) serta mengakibatkan mahasiswa tidak dapat melakukan pengajaran dan praktikum secara langsung. Virtual Live Streaming Simulator memungkinkan praktikan untuk mengakses dan berinteraksi dengan alat praktikum melalui layanan live streaming. Pada penelitian ini plant yang digunakan adalah plant pengendalian level air dengan dua buah pompa. Virtual Live Streaming Simulator terdapat webcam yang akan terhubung kepada website menggunakan live streaming service. Web server digunakan untuk menghubungkan praktikan dengan alat pengendalian level secara virtual, sehingga praktikan dapat mengubah nilai setpoint, serta dapat memonitoring variabel proses melalui website. Tahap rancang bangun sistem ini dibagi dua yaitu rancang bangun sistem interface dan sistem live streaming pada web. Tahap karakterisasi digunakan untuk mengetahui performasi alat dan tahap pengujian Virtual Live Streaming Simulator ini terletak pada akses live streaming dan interaksi praktikan dengan plant pengendalian level air. Data yang akan diambil adalah data latensi dari sistem tersebut