Monitoring system reaction in cyber-physical testbed under cyber-attacks

https://doi.org/10.1016/j.compeleceng.2017.02.010

Highlights

  • An emulator for water distribution infrastructure is introduced.

  • Cyber-attack models are developed from a Control Theory perspective.

  • Classic Fault Diagnosis systems are not able to correctly manage cyber-attacks.

  • How an Intrusion Detection System improves the effectiveness of the protection scheme is illustrated.

Abstract

In this paper, we exploit the cyber-physical testbed developed within the EU Project FACIES to analyze how the monitoring systems typically used in Industrial Control Systems may fail when facing cyber-attacks. Specifically, through several experimental trials, we show the inability of a Fault Diagnosis module to correctly handle cyber-attacks, which are generally mistaken for physical faults, leading operators to apply erroneous countermeasures. To conclude, we outline how the presence of a cyber Intrusion Detection System improves the effectiveness and the reliability of the protection scheme. The experimental validation has been carried out on an emulated water distribution system.

Introduction

In recent years, the evolution of Information and Communications Technology (ICT) has merged with the development of Industrial Control Systems (ICSs), leading to significant enhancements. After the first monolithic Supervisory Control And Data Acquisition (SCADA) systems, conceived in the 1960s, a networked generation was born, which exploits TCP/IP (Transmission Control Protocol/Internet Protocol) infrastructure for remote monitoring and control [1]. Even though the benefits of the interaction between these two worlds are noticeable, new security challenges concerning industrial facilities have arisen: the typical vulnerabilities of the cyber domain have emerged in ICSs. Classic cyber-security tools [2], [3] are largely ineffective in this setting, since ICSs were designed to operate in standalone or isolated configurations and are subject to hard real-time and bandwidth constraints. In the last decade, Critical Infrastructures (CIs) have experienced a large number of cyber-attacks, as reported for the US by the ICS-CERT (Industrial Control System – Cyber Emergency Response Team) [4]. The most famous example is Stuxnet, the first known Programmable Logic Controller (PLC) rootkit, targeting specific devices [5]. More recently, a serious cyber-event occurred in Ukraine in December 2015, when several power grids were hit by coordinated cyber-attacks leading to widespread power loss [6]. Despite the impact of such "alarms", the paramount importance of the information traveling over SCADA networks, and of its protection, is still underestimated. As narrated in "Blackout" [7], cyber-attacks that succeed in misleading the monitoring modules may induce erroneous reactions from the operators.

In the literature, many works have demonstrated that the security of SCADA systems may benefit from the fusion of control engineering and ICT security. In this work, an analysis of the impact of cyber-attacks on the monitoring systems generally used for managing ICSs is presented. To this aim, several cyber-attacks against a realistic water system emulator, designed within the EU Project FACIES [8], are implemented. The impact of these attacks on a classical model-based Fault Diagnosis (FD) module, with and without the support of an Intrusion Detection System (IDS), is evaluated.

The remainder of the paper is structured as follows. Related work is briefly reviewed in Section 2. In Section 3, the general model representing the dynamic behavior of Cyber-Physical Systems (CPS) is described, highlighting the interaction between the SCADA system and the monitored plant. The testbed employed as case study is introduced in Section 4, where its structure and its control architecture are detailed. Thereafter, the FD problem is addressed in Section 5, where the analytical model of the testbed and the FD module are presented. In Section 6, the cyber aspects are investigated, introducing models of the cyber-threats developed from a Control Theory perspective. Section 7 describes the methodology behind the experimental tests and analyzes the response of the FD system under cyber-attacks; moreover, the role of a specific IDS is studied. Conclusions and future developments are discussed in Section 8.

Section snippets

Related work

The challenges of securing ICSs have been addressed in [9], which foresees the development of innovative solutions encompassing both cyber and physical threats. One of the most important components of any SCADA system is the Alarm Module, which shows the operator the presence of anomalous values in the monitored variables. Because of the complexity of the system, operators are unable to continuously verify the consistency of the collected data. Hence, the Alarm Module is designed

General analytic model of a cyber-physical system

ICSs are CPSs characterized by being geographically distributed. In fact, an ICS can be considered as composed of a physical and a cyber structure, as schematically represented in Fig. 1. Specifically, the physical structure consists of the infrastructure/plant to be managed (e.g., all in-field devices), while the cyber structure encompasses the communication infrastructure and the elements used to supervise and manage the physical structure (e.g., the Human-Machine Interface – HMI). The

Case study: water system testbed

The system described in this paper is used as a testbed to emulate the water system of a small city, as shown in Fig. 2. It encompasses the physical, control, and communication aspects, and has been developed within the EU project FACIES [8].

Fault diagnosis system

The FD system relies on a simulated dynamic model of the plant/infrastructure. The model is driven with the same inputs applied to the real system, so that the model outputs can be compared with the measurements acquired from the field. A significant deviation between the behavior foreseen by the model and the actual values indicates the presence of a fault in the physical plant. Moreover, under suitable hypotheses, the FD may also identify the faulted component

Cyber-threats and attack models

The aim of a secure system is to guarantee the availability of data and/or resources, to prevent access by unauthorized users, and to protect data integrity. Conversely, the aim of an attacker is to take control of or manipulate system parameters in order to create and exploit threats, modify the system's behavior, obtain and tamper with data, or reduce the availability of data and/or resources. A cyber-attack may have several effects on the physical system and may degrade its operability, performance, and efficiency.
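The following is an added example, not code from the paper or the FACIES testbed, that makes the mechanism of Sections 5 and 6 concrete on a constructed one-tank level loop: a model-based FD residual flags any deviation from the healthy model, and a false-data-injection attack on the level telemetry produces exactly the same residual signature as a physical leak, so the FD alone reports a "fault" in both cases. A minimal network IDS signal (a baseline check on the sensor's IP/MAC pair, standing in for whatever IDS the paper uses) is what separates the two verdicts. The tank constants, addresses, thresholds and the 50-sample correlation window are all assumptions.

```python
"""Added example (not the paper's code): model-based FD on a constructed
one-tank level loop, a false-data-injection attack on the level telemetry,
and a minimal network IDS signal that separates the two cases.
All plant constants, addresses and thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AREA = 2.0            # tank cross-section [m^2] (assumed)
DT = 1.0              # sample time [s]
Q_IN = 0.10           # pump inflow [m^3/s], held constant for the run
Q_OUT = 0.10          # demand outflow [m^3/s], equal to inflow -> level holds steady
H0 = 1.0              # initial level [m]
FD_THRESHOLD = 0.05   # |residual| above which the FD raises a fault alarm [m]
IDS_WINDOW = 50       # samples before an FD alarm in which an IDS alert counts
# Legitimate (IP, MAC) of the level RTU and the MAC of an ARP-spoofing MITM host (assumed)
RTU = ("10.0.0.10", "aa:bb:cc:00:00:01")
ROGUE_MAC = "de:ad:be:ef:00:01"


@dataclass
class Frame:
    """One telemetry sample as seen on the SCADA network (constructed)."""
    k: int
    src_ip: str
    src_mac: str
    level: float


def plant_step(h: float, leak: float = 0.0) -> float:
    """Discrete mass balance: h[k+1] = h[k] + (q_in - q_out - leak) / A * dt."""
    return max(0.0, h + (Q_IN - Q_OUT - leak) / AREA * DT)


def run(n: int = 200, leak_from: Optional[int] = None, leak: float = 0.0,
        inject_from: Optional[int] = None, bias_per_step: float = 0.02) -> List[Frame]:
    """Simulate the plant and return the frames the SCADA/FD receives.

    leak_from:   sample at which a physical leak [m^3/s] starts (real fault)
    inject_from: sample from which a MITM host forges the level reading,
                 ramping it down by bias_per_step [m] per sample (cyber-attack);
                 the plant itself stays healthy in this case
    """
    h, frames = H0, []
    for k in range(n):
        h = plant_step(h, leak if leak_from is not None and k >= leak_from else 0.0)
        if inject_from is not None and k >= inject_from:
            fake = max(0.0, h - bias_per_step * (k - inject_from + 1))
            frames.append(Frame(k, RTU[0], ROGUE_MAC, fake))   # forged, spoofed IP
        else:
            frames.append(Frame(k, RTU[0], RTU[1], h))         # genuine reading
    return frames


def fd_alarms(frames: List[Frame]) -> List[bool]:
    """Model-based FD: drive the healthy model with the same inputs and
    compare its predicted level with each received measurement."""
    h_hat, alarms = H0, []
    for f in frames:
        h_hat = plant_step(h_hat)          # the model assumes no leak
        alarms.append(abs(f.level - h_hat) > FD_THRESHOLD)
    return alarms


def ids_alerts(frames: List[Frame]) -> List[bool]:
    """Network IDS: flag frames whose (IP, MAC) pair deviates from the baseline."""
    return [(f.src_ip, f.src_mac) != RTU for f in frames]


def diagnose(frames: List[Frame]) -> Tuple[str, Optional[int]]:
    """Return (verdict, sample of the first FD alarm). Without the IDS signal
    both faulty runs produce the same residuals and the same 'physical fault'."""
    fd, ids = fd_alarms(frames), ids_alerts(frames)
    first = next((k for k, a in enumerate(fd) if a), None)
    if first is None:
        return "healthy", None
    if any(ids[max(0, first - IDS_WINDOW): first + 1]):
        return "cyber-attack", first
    return "physical fault", first


if __name__ == "__main__":
    print("healthy  :", diagnose(run()))
    print("leak     :", diagnose(run(leak_from=100, leak=0.04)))
    print("injection:", diagnose(run(inject_from=100)))
    # FD alone cannot tell the two apart: identical alarm sequences
    print("same FD signature:",
          fd_alarms(run(leak_from=100, leak=0.04)) == fd_alarms(run(inject_from=100)))
```

Both faulty runs raise the first FD alarm at the same sample and with the same alarm sequence, which is the situation the paper describes: an operator looking only at the FD output would treat the injected reading as a leak and, for instance, increase the inflow, overfilling a tank that is actually fine. The IP/MAC baseline check is deliberately crude; an attacker who compromises the RTU itself rather than the network path would not trigger it, so in practice the cyber signal fused with the FD residual should come from whatever IDS observes the relevant layer.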

Experimental results

Extensive experimental tests have been carried out using the testbed described in Section 4. All five tanks are used to emulate a typical 24 h water demand (i.e., the Healthy run). The scenario is scaled down to 6 min and is implemented through the sequential activation of valves and pumps. For the sake of space, only a few trials are reported. In most of them, the attack starts at k_s = 100 s, when the water demand presents a local minimum. As previously mentioned, it is assumed that the

Conclusions and future developments

The research has highlighted the importance of determining the possible reactions of the deployed monitoring systems when they undergo different types of cyber-attacks. Specifically, it has been demonstrated how cyber-attacks can be misinterpreted as physical faults by a model-based FD system. To cope with this inconsistency, it is important to consider a fusion between classical FD techniques and IT security solutions. In most cases, to the best of our knowledge, these

Acknowledgments

This paper has been supported by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme European Commission – Directorate – General Home Affairs, under the EU project FACIES (HOME/2011/CIPS/AG/4000002115).

Giuseppe Bernieri is currently a PhD student at the Dept. of Engineering of the University of “Roma Tre”, Italy. His research interests include cyber security applied to industrial contexts and Critical Infrastructures, the development and implementation of ad-hoc solutions for the control and management of SCADA systems.

References (23)

  • L. Cazorla et al. Cyber stealth attacks in critical information infrastructures. IEEE Syst J (2016).
  • C. Alcaraz et al. Security aspects of SCADA and DCS environments (2012).
  • E.D. Knapp et al. Industrial network security: securing critical infrastructure networks for smart grid, SCADA, and other industrial control systems (2014).
  • E. Luiijf. SCADA security good practices for the drinking water sector - TNO Report. TNO Defence, Security and...
  • ICS-CERT. Incident Response Summary Rep. 2009-11. Tech. Rep. (2012).
  • N. Falliere et al. W32.Stuxnet Dossier. Tech. Rep. 1.4 (2011).
  • R.M. Lee et al. Analysis of the cyber attack on the Ukrainian power grid (2016).
  • M. Elsberg. Blackout (2013).
  • E. Etchevés Miciolino et al. FACIES: a testbed for distributed fault and attack identification in interdependent critical infrastructures. 2nd International SCADALab workshop, Seville (Spain) (2014).
  • A. Cárdenas et al. Secure control: towards survivable cyber-physical systems. The 28th international conference on distributed computing systems workshops (2008).
  • A. Cárdenas et al. Attacks against process control systems: risk assessment, detection, and response. Proceedings of the 6th ACM symposium on information, computer and communications security (2011).
Estefanía Etchevés Miciolino received the PhD in Engineering from University Campus Bio-Medico of Rome, Italy (2016), where she is a member of the Complex Systems & Security (COSERITY) Lab. Her research interests are in the field of SCADA systems security, Fault Diagnosis and Critical Infrastructures Protection. She received the 2014 CIPRNet Young CRITIS Award for the best conference paper.

Federica Pascucci is an Assistant Professor at the University "Roma Tre", Italy. She received the PhD in Systems Engineering from the University "La Sapienza" of Rome. Her research interests include wireless sensor networks, indoor localization, physical and cyber fault diagnosis, ICSs, and CI Protection. She has published more than 70 journal and conference papers, receiving three best conference paper awards.

Roberto Setola is an Associate Professor, chair of the Master Program in Homeland Security, and head of the COSERITY lab at University Campus Bio-Medico of Rome. He received the PhD in Electronic Engineering from the University of Naples "Federico II". His main research interests are the modeling and control of complex systems. He has coordinated several projects and co-authored more than 150 papers.

Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. J. Joaquin Garcia-Alfaro.