
Using Process Invariants to Detect Cyber Attacks on a Water Treatment System

IFIP International Information Security and Privacy Conference
SEC 2016: ICT Systems Security and Privacy Protection, pp 91-104

Sridhar Adepu (1), Aditya Mathur (1)
1. Singapore University of Technology and Design, Singapore, Singapore

Conference paper. First Online: 11 May 2016
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 471)

Abstract

An experimental investigation was undertaken to assess the effectiveness of process invariants in detecting cyber-attacks on an Industrial Control System (ICS). An invariant was derived from one selected sub-process and coded into the corresponding controller. Experiments were performed each with an attack selected from a set of three stealthy attack types and launched in different states of the system to cause tank overflow and degrade system productivity. The impact of power failure, possibly due to an attack on the power source, was also studied. The effectiveness of the detection method was investigated against several design parameters. Despite the apparent simplicity of the experiment, results point to challenges in implementing invariant-based attack detection in an operational Industrial Control System.

Keywords

Attack detection; Cyber attacks; Cyber physical systems; Industrial control systems; Secure water treatment testbed

Acknowledgements

Kaung Myat Aung for assistance in conducting the experiments. This work was supported by research grant 9013102373 from the Ministry of Defense and NRF2014-NCR-NCR001-040 from the National Research Foundation, Singapore.


Copyright information

© IFIP International Federation for Information Processing 2016

About this paper

Cite this paper as: Adepu S., Mathur A. (2016) Using Process Invariants to Detect Cyber Attacks on a Water Treatment System. In: Hoepman JH., Katzenbeisser S. (eds) ICT Systems Security and Privacy Protection. SEC 2016. IFIP Advances in Information and Communication Technology, vol 471. Springer, Cham

DOI (Digital Object Identifier): https://doi.org/10.1007/978-3-319-33630-5_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-33629-9
Online ISBN: 978-3-319-33630-5
eBook Packages: Computer Science
