288 research outputs found
Development of directed randomization for discussing a minimal security architecture
Strategies for mitigating the impacts of cyberattacks on control systems using a control-oriented perspective have become of greater interest in recent years. Our group has contributed to this trend by developing several methods for detecting cyberattacks on process sensors, actuators, or both sensors and actuators simultaneously using an advanced optimization-based control strategy known as Lyapunov-based economic model predictive control (LEMPC). However, each technique comes with benefits and limitations, both with respect to one another and with respect to traditional information technology and computer science-type approaches to cybersecurity. An important question to ask, therefore, is what the goal should be of the development of new control-based techniques for handling cyberattacks on control systems, and how we will be able to benchmark these as “successful” compared to other techniques to drive development or signal when the research in this direction has reached maturity. In this paper, we propose that the goal of research in control system cybersecurity for next-generation manufacturing should be the development of a security architecture that provides flexibility and safety with lowest cost, and seek to clarify this concept by re-analyzing some of the security techniques from our prior work in such a context. We also show how new methods can be developed and analyzed within this “minimum security architecture” context by proposing a technique which we term “directed randomization” that may require less sensors to be secured in a system than some of our prior methods, potentially adding flexibility to the system while still maintaining security. Directed randomization seeks to utilize the existence of two possible stabilizing inputs at every sampling time to attempt to create a challenge for an attacker for setting up an arbitrary sensor attack policy without being detected within a finite number of sampling periods. We discuss benefits and limitations of this technique with respect to our prior cybersecurity strategies and also with respect to extended versions of these prior concepts, such as image-based control and distributed control, to provide further insights into the minimum security concep
Real-time Adaptive Sensor Attack Detection and Recovery in Autonomous Cyber-physical Systems
Cyber-Physical Systems (CPS) tightly couple information technology with physical processes, which rises new vulnerabilities such as physical attacks that are beyond conventional cyber attacks.Attackers may non-invasively compromise sensors and spoof the controller to perform unsafe actions. This issue is even emphasized with the increasing autonomy in CPS. While this fact has motivated many defense mechanisms against sensor attacks, a clear vision of the timing and usability (or the false alarm rate) of attack detection still remains elusive. Existing works tend to pursue an unachievable goal of minimizing the detection delay and false alarm rate at the same time, while there is a clear trade-off between the two metrics. Instead, this dissertation argues that attack detection should bias different metrics (detection delay and false alarm) when a system sits in different states. For example, if the system is close to unsafe states, reducing the detection delay is preferable to lowering the false alarm rate, and vice versa. This dissertation proposes two real-time adaptive sensor attack detection frameworks. The frameworks can dynamically adapt the detection delay and false alarm rate so as to meet a detection deadline and improve usability according to different system statuses. We design and implement the proposed frameworks and validate them using realistic sensor data of automotive CPS to demonstrate its efficiency and efficacy.
Further, this dissertation proposes \textit{Recovery-by-Learning}, a data-driven attack recovery framework that restores CPS from sensor attacks. The importance of attack recovery is emphasized by the need to mitigate the attack\u27s impact on a system and restore it to continue functioning. We propose a double sliding window-based checkpointing protocol to remove compromised data and keep trustful data for state estimation.
Together, the proposed solutions enable a holistic attack resilient solution for automotive cyber-physical systems
SoK: Security of Programmable Logic Controllers
Billions of people rely on essential utility and manufacturing
infrastructures such as water treatment plants, energy management, and food
production. Our dependence on reliable infrastructures makes them valuable
targets for cyberattacks. One of the prime targets for adversaries attacking
physical infrastructures are Programmable Logic Controllers (PLCs) because they
connect the cyber and physical worlds. In this study, we conduct the first
comprehensive systematization of knowledge that explores the security of PLCs:
We present an in-depth analysis of PLC attacks and defenses and discover trends
in the security of PLCs from the last 17 years of research. We introduce a
novel threat taxonomy for PLCs and Industrial Control Systems (ICS). Finally,
we identify and point out research gaps that, if left ignored, could lead to
new catastrophic attacks against critical infrastructures.Comment: 25 pages, 13 figures, Extended version February 2024, A shortened
version is to be published in the 33rd USENIX Security Symposium, for more
information, see https://efrenlopez.org
FALCON: Framework for Anomaly Detection in Industrial Control Systems
Industrial Control Systems (ICS) are used to control physical processes in critical infrastructure. These systems are used in a wide variety of operations such as water treatment, power generation and distribution, and manufacturing. While the safety and security of these systems are of serious concern, recent reports have shown an increase in targeted attacks aimed at manipulating physical processes to cause catastrophic consequences. This trend emphasizes the need for algorithms and tools that provide resilient and smart attack detection mechanisms to protect ICS. In this paper, we propose an anomaly detection framework for ICS based on a deep neural network. The proposed methodology uses dilated convolution and long short-term memory (LSTM) layers to learn temporal as well as long term dependencies within sensor and actuator data in an ICS. The sensor/actuator data are passed through a unique feature engineering pipeline where wavelet transformation is applied to the sensor signals to extract features that are fed into the model. Additionally, this paper explores four variations of supervised deep learning models, as well as an unsupervised support vector machine (SVM) model for this problem. The proposed framework is validated on Secure Water Treatment testbed results. This framework detects more attacks in a shorter period of time than previously published methods
EPASAD: Ellipsoid decision boundary based Process-Aware Stealthy Attack Detector
Due to the importance of Critical Infrastructure (CI) in a nation's economy,
they have been lucrative targets for cyber attackers. These critical
infrastructures are usually Cyber-Physical Systems (CPS) such as power grids,
water, and sewage treatment facilities, oil and gas pipelines, etc. In recent
times, these systems have suffered from cyber attacks numerous times.
Researchers have been developing cyber security solutions for CIs to avoid
lasting damages. According to standard frameworks, cyber security based on
identification, protection, detection, response, and recovery are at the core
of these research. Detection of an ongoing attack that escapes standard
protection such as firewall, anti-virus, and host/network intrusion detection
has gained importance as such attacks eventually affect the physical dynamics
of the system. Therefore, anomaly detection in physical dynamics proves an
effective means to implement defense-in-depth. PASAD is one example of anomaly
detection in the sensor/actuator data, representing such systems' physical
dynamics. We present EPASAD, which improves the detection technique used in
PASAD to detect these micro-stealthy attacks, as our experiments show that
PASAD's spherical boundary-based detection fails to detect. Our method EPASAD
overcomes this by using Ellipsoid boundaries, thereby tightening the boundaries
in various dimensions, whereas a spherical boundary treats all dimensions
equally. We validate EPASAD using the dataset produced by the TE-process
simulator and the C-town datasets. The results show that EPASAD improves
PASAD's average recall by 5.8% and 9.5% for the two datasets, respectively.Comment: Submitte
- …