Monitoring system reaction in cyber-physical testbed under cyber-attacks☆
Introduction
In recent years, the evolution of Information and Communications Technology (ICT) has joined the development of Industrial Control Systems (ICSs), leading to significant enhancements. After the first monolithic Supervisory Control And Data Acquisition (SCADA) systems, conceived in the 1960s, the networked generation was born, which exploits the TCP/IP (Transmission Control Protocol/Internet Protocol) infrastructure for remote monitoring and control [1]. Even though the benefits of the interaction between these two worlds are noticeable, new security challenges concerning industrial facilities have arisen: the typical vulnerabilities of the cyber domain have emerged in ICSs. Classic cyber-security tools [2], [3] are ineffective, since ICSs are designed to operate in standalone or isolated configurations and are characterized by hard real-time and bandwidth constraints. In the last decade, Critical Infrastructures (CIs) have experienced a large number of cyber-attacks, as reported by the ICS–CERT (Industrial Control System – Cyber Emergency Response Team) for the US [4]. The most famous example is Stuxnet, the first rootkit ever to target specific Programmable Logic Controller (PLC) devices [5]. More recently, a serious cyber-event occurred in Ukraine in December 2015, when several power grids were exposed to organized cyber-attacks leading to widespread power loss [6]. Despite the impact of such “alarms”, the paramount importance of the information traveling in SCADA system networks, and of its protection, is still underestimated. As narrated in “Blackout” [7], cyber-attacks that succeed in misleading the monitoring modules may induce erroneous reactions from the operators.
In the literature, many works have demonstrated that the security of SCADA systems may benefit from the fusion of control engineering and ICT security. In this work, an analysis of the impact of cyber-attacks on the monitoring systems generally used for managing ICSs is presented. To this aim, several cyber-attacks against a realistic water system emulator, designed within the EU Project FACIES [8], are implemented. The impact of these attacks on a classical model-based Fault Diagnosis (FD) module supported by an Intrusion Detection System (IDS) is evaluated.
The remainder of the paper is structured as follows. A brief introduction to the related work is given in Section 2. In Section 3, the general model representing the dynamic behavior of Cyber-Physical Systems (CPS) is described, highlighting the interaction between the SCADA system and the monitored plant. The testbed employed as a case study is introduced in Section 4, where its structure and its control architecture are detailed. Thereafter, the FD problem is addressed in Section 5, where the analytical model of the testbed and the FD module are shown. In Section 6, the cyber aspects are investigated, introducing models for the cyber-threats that have been developed from the Control Theory perspective. Section 7 examines the methodology behind the experimental tests and analyzes the FD system response under cyber-attacks. Moreover, the role of a specific IDS is studied. Conclusions and future developments are discussed in Section 8.
Related work
The challenges of securing ICSs have been addressed in [9], where the development of innovative solutions encompassing both cyber and physical threats is foreseen. One of the most important components of any SCADA system is the Alarm Module, which shows the operator the presence of anomalous values in the monitored variables. As a result of the complexity of the system, operators are unable to continuously verify the consistency of the collected data. Hence, the Alarm Module is designed
General analytic model of a cyber-physical system
ICSs are CPSs characterized by being geographically distributed. In fact, an ICS can be considered to be composed of a physical and a cyber structure, as schematically represented in Fig. 1. Specifically, the physical structure consists of the infrastructure/plant to be managed (e.g., all in-field devices), while the cyber structure encompasses the communication infrastructure and the elements used to supervise and manage the physical structure (e.g., the Human-Machine Interface – HMI). The
Case study: water system testbed
The system described in this paper is used as a testbed to emulate the water system of a small city, as shown in Fig. 2. It encompasses the physical, control, and communication aspects, and has been developed within the EU project FACIES [8].
Fault diagnosis system
The main purpose of the FD system is to use a simulated dynamic model of the plant/infrastructure. The model is driven with the same inputs provided to the real system, so that the model outputs can be compared with the measurements acquired from the field. A significant deviation between the behavior foreseen by the model and the actual values reveals the presence of a fault in the physical plant. Moreover, under suitable hypotheses, the FD may also identify the faulted component
Cyber-threats and attack models
The aim of a secure system is to guarantee the availability of data and/or resources, preventing access by unauthorized users and protecting data integrity. Conversely, the aim of an attacker is to take control of or manipulate system parameters in order to generate and exploit threats, modify the system’s behavior, obtain and tamper with data, or reduce the availability of data and/or resources. A cyber-attack may have several effects on the physical system and may degrade its operability, performance, and efficiency.
Experimental results
Extensive experimental tests have been carried out using the testbed described in Section 4. All five tanks are used to emulate a typical 24 h water demand (i.e., the Healthy run). The scenario is scaled down to 6 min and is implemented through the sequential activation of valves and pumps. For the sake of space, only a few trials are reported. In most of them, the attack starts at s, when the water demand presents a local minimum. As previously mentioned, it is assumed that the
Conclusions and future developments
The research has highlighted the importance of determining the possible reactions of the deployed monitoring systems when they undergo different types of cyber-attacks. Specifically, it has been demonstrated how cyber-attacks might be misinterpreted as physical faults by a model-based FD system. To cope with this inconsistency, it is important to consider a fusion between classical FD techniques and IT security solutions. In most cases, to the best of our knowledge, these
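The residual-based FD scheme described in Section 5 and the conclusion that sensor tampering is indistinguishable from a physical fault can be reproduced on a toy single-tank model. The following is an added example, not code from the paper or the FACIES testbed; the tank area, time step, demand profile, leak size and measurement offset are all constructed values.

```python
"""Model-based FD residual check on a constructed single-tank mass-balance model."""
from dataclasses import dataclass


@dataclass
class TankModel:
    """Discrete mass balance: level changes by (q_in - q_out) / area per step (constructed units)."""
    area: float = 2.0   # m^2, assumed
    dt: float = 1.0     # s, assumed
    level: float = 1.0  # m, initial level

    def step(self, q_in: float, q_out: float) -> float:
        self.level += (q_in - q_out) / self.area * self.dt
        return self.level


def run_fd(inputs, measurements, threshold=0.05):
    """Drive the model with the same inputs as the plant; flag steps whose residual exceeds threshold."""
    model = TankModel()
    alarms = []
    for k, ((q_in, q_out), y) in enumerate(zip(inputs, measurements)):
        y_hat = model.step(q_in, q_out)          # model output for this step
        residual = abs(y - y_hat)                # deviation between field value and model
        if residual > threshold:
            alarms.append((k, round(residual, 3)))
    return alarms


def simulate_plant(inputs, leak=0.0, leak_from=None):
    """Produce 'field' measurements from a healthy plant, optionally with a physical leak from step leak_from."""
    plant = TankModel()
    out = []
    for k, (q_in, q_out) in enumerate(inputs):
        extra = leak if (leak_from is not None and k >= leak_from) else 0.0
        out.append(plant.step(q_in, q_out + extra))
    return out


INPUTS = [(0.4, 0.3)] * 10 + [(0.2, 0.3)] * 10   # constructed 20-step demand profile


def healthy_alarms():
    return run_fd(INPUTS, simulate_plant(INPUTS))


def leak_alarms():
    # Physical fault: a leak of 0.2 m^3/s opens at step 10
    return run_fd(INPUTS, simulate_plant(INPUTS, leak=0.2, leak_from=10))


def tampered_alarms():
    # Integrity attack on the sensor channel: the plant is healthy but reported levels are offset from step 10
    y = simulate_plant(INPUTS)
    y = [v if k < 10 else v + 0.15 for k, v in enumerate(y)]
    return run_fd(INPUTS, y)
```

Both the leak and the tampered channel raise alarms from the same step onward, which is exactly why the paper argues that FD residuals alone must be fused with an IDS view of the network.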
Acknowledgments
This paper has been supported by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme European Commission – Directorate – General Home Affairs, under the EU project FACIES (HOME/2011/CIPS/AG/4000002115).
Giuseppe Bernieri is currently a PhD student at the Dept. of Engineering of the University of “Roma Tre”, Italy. His research interests include cyber security applied to industrial contexts and Critical Infrastructures, the development and implementation of ad-hoc solutions for the control and management of SCADA systems.
References (23)
- et al. Cyber stealth attacks in critical information infrastructures. IEEE Syst J (2016)
- et al. Security aspects of SCADA and DCS environments (2012)
- et al. Industrial network security: securing critical infrastructure networks for smart grid, SCADA, and other industrial control systems (2014)
- Luiijf E. SCADA security good practices for the drinking water sector - TNO Report. TNO Defence, Security and...
- Incident Response Summary-Rep. 2009-11. Tech. Rep. (2012)
- et al. W32.Stuxnet Dossier. Tech. Rep. 1.4 (2011)
- et al. Analysis of the cyber attack on the Ukrainian power grid (2016)
- Blackout (2013)
- et al. FACIES: a testbed for distributed fault and attack identification in interdependent critical infrastructures. 2nd International SCADALab workshop, Seville (Spain) (2014)
- et al. Secure control: Towards survivable cyber-physical systems. The 28th international conference on distributed computing systems workshops (2008)
- Attacks against process control systems: risk assessment, detection, and response. Proceedings of the 6th ACM symposium on information, computer and communications security
Estefanía Etchevés Miciolino received the PhD in Engineering from University Campus Bio-Medico of Rome, Italy (2016), where she is a member of the Complex Systems & Security (COSERITY) Lab. Her research interests are in the field of SCADA systems security, Fault Diagnosis and Critical Infrastructures Protection, and she received the 2014 CIPRNet Young CRITIS Award for the best conference paper.
Federica Pascucci is an Assistant Professor at the University “Roma Tre”, Italy. She received the PhD in Systems Engineering from the University “La Sapienza” of Rome. Her research interests include wireless sensor networks, indoor localization, physical and cyber fault diagnosis, ICSs, and CI Protection. She has published more than 70 journal and conference papers, receiving three best conference paper awards.
Roberto Setola is an Associate Professor, chair of the Master Program in Homeland Security, and head of Coserity lab at University Campus Bio-Medico of Rome. He received the PhD in Electronic Engineering from the University of Naples “Federico II”. His main research interests are the modeling and control of complex systems. He coordinated several projects and co-authored more than 150 papers.
☆ Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. J. Joaquin Garcia-Alfaro.