Using Process Invariants to Detect Cyber Attacks on a Water

Using Process Invariants to Detect Cyber Attacks on a Water Treatment System IFIP International Information Security and Privacy Conference SEC 2016: ICT Systems Security and Privacy Protection pp 91-104 | Cite as Sridhar Adepu (1) Email author ([email protected]) Aditya Mathur (1) 1. Singapore University of Technology and Design, Singapore, Singapore Conference paper First Online: 11 May 2016 1 Citations 8 Readers 682 Downloads Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 471)

Abstract An experimental investigation was undertaken to assess the effectiveness of process invariants in detecting cyber-attacks on an Industrial Control System (ICS). An invariant was derived from one selected sub-process and coded into the corresponding controller. Experiments were performed each with an attack selected from a set of three stealthy attack types and launched in different states of the system to cause tank overflow and degrade system productivity. The impact of power failure, possibly due to an attack on the power source, was also studied. The effectiveness of the detection method was investigated against several design parameters. Despite the apparent simplicity of the experiment, results point to challenges in implementing invariant-based attack detection in an operational Industrial Control System.

Keywords Attack detection Cyber attacks Cyber physical systems Industrial control systems Secure water treatment testbed

Notes Acknowledgements Kaung Myat Aung for assistance in conducting the experiments. This work was supported by research grant 9013102373 from the Ministry of Defense and NRF2014-NCR-NCR001-040 from the National Research Foundation, Singapore.

References 1.

Adepu, S., Mathur, A.: An investigation into the response of a water treatment system to cyber attacks. In: Proceedings of the 17th IEEE High Assurance Systems Engineering Symposium, Orlando, January 2016 Google Scholar ( q=Adepu%2C%20S.%2C%20Mathur%2C%20A.%3A%20An%20investigation%20into%20the%20response%20of%20a%20water%20treat ment%20system%20to%20cyber%20attacks.%20In%3A%20Proceedings%20of%20the%2017th%20IEEE%20High%20Assurance%20Syste ms%20Engineering%20Symposium%2C%20Orlando%2C%20January%202016)


Beaver, J., Borges-Hink, R., Buckner, M.: An evaluation of machine learning methods to detect malicious SCADA communications. In: 12th International Conference on Machine Learning and Applications (ICMLA), vol. 2, pp. 54–59, December 2013 Google Scholar ( 0malicious%20SCADA%20communications.%20In%3A%2012th%20International%20Conference%20on%20Machine%20Learning%20an d%20Applications%20%28ICMLA%29%2C%20vol.%202%2C%20pp.%2054%E2%80%9359%2C%20December%202013)


Berthier, R. Sanders.: Specification-based intrusion detection for advanced metering infrastructures. In: 17th IEEE Pacific Rim International Symposium on Dependable Computing, pp. 184–193, October 2011 Google Scholar ( 0International%20Symposium%20on%20Dependable%20Computing%2C%20pp.%20184%E2%80%93193%2C%20October%202011)


Cárdenas, A.A., Amin, S., Lin, Z.-S., Huang, Y.-L., Huang, C.-Y., Sastry, S.: Attacks against process control systems: Risk assessment, detection, and response. In: ACM Symposium on Information, Computer and Communications Security (2011) Google Scholar ( n%2C%20and%20response.%20In%3A%20ACM%20Symposium%20on%20Information%2C%20Computer%20and%20Communications% 20Security%20%282011%29)


Choudhari, A., Ramaprasad, H., Paul, T., Kimball, J., Zawodniok, M., McMillin, B., Chellappan, S.: Stability of a cyber-physical smart grid system using cooperating invariants. In: 2013 IEEE 37th Annual Computer Software and Applications Conference (COMPSAC), pp. 760–769, July 2013 Google Scholar ( q=Choudhari%2C%20A.%2C%20Ramaprasad%2C%20H.%2C%20Paul%2C%20T.%2C%20Kimball%2C%20J.%2C%20Zawodniok%2C% 20M.%2C%20McMillin%2C%20B.%2C%20Chellappan%2C%20S.%3A%20Stability%20of%20a%20cyberphysical%20smart%20grid%20system%20using%20cooperating%20invariants.%20In%3A%202013%20IEEE%2037th%20Annual%20Co mputer%20Software%20and%20Applications%20Conference%20%28COMPSAC%29%2C%20pp.%20760%E2%80%93769%2C%20July %202013)


ICS-CERT Advisories. (


Hadžiosmanović, D., Sommer, R., Zambon, E., Hartel, P.H.: Through the eye of the PLC: Semantic security monitoring for industrial processes. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 126–135, New York, NY, USA, ACM (2014) Google Scholar ( q=Had%C5%BEiosmanovi%C4%87%2C%20D.%2C%20Sommer%2C%20R.%2C%20Zambon%2C%20E.%2C%20Hartel%2C%20P.H.%3A %20Through%20the%20eye%20of%20the%20PLC%3A%20Semantic%20security%20monitoring%20for%20industrial%20processes.%20I n%3A%20Proceedings%20of%20the%2030th%20Annual%20Computer%20Security%20Applications%20Conference%2C%20pp.%20126 %E2%80%93135%2C%20New%20York%2C%20NY%2C%20USA%2C%20ACM%20%282014%29)


Han, S., Xie, M., Chen, H.-H., Ling, Y.: Intrusion detection in cyber-physical systems: Techniques and challenges. IEEE Syst. J. 8(4), 1049– 1059 (2014) Google Scholar (


Hsiao, S.-W., Sun, Y., Chen, M.C., Zhang, H.: Cross-level behavioral analysis for robust early intrusion detection. In: IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 95–100, May 2010 Google Scholar ( ce%20on%20Intelligence%20and%20Security%20Informatics%20%28ISI%29%2C%20pp.%2095%E2%80%93100%2C%20May%202010 )


McParland, C., Peisert, S., Scaglione, A.: Monitoring security of networked control systems: It’s the physics. IEEE Secur. Priv. 12(6), 32–39 (2014) CrossRef ( Google Scholar ( title=Monitoring%20security%20of%20networked%20control%20systems%3A%20It%E2%80%99s%20the%20physics&author=C.%20Mc Parland&author=S.%20Peisert&author=A.%20Scaglione&journal=IEEE%20Secur.%20Priv.&volume=12&issue=6&pages=3239&publication_year=2014)


Niazi, R.H., Shamsi, J.A., Waseem, T., Khan, M.M.: Signature-based detection of privilege-escalation attacks on Android. In: 2015 Conference on Information Assurance and Cyber Security (CIACS), pp. 44–49, December 2015 Google Scholar ( q=Niazi%2C%20R.H.%2C%20Shamsi%2C%20J.A.%2C%20Waseem%2C%20T.%2C%20Khan%2C%20M.M.%3A%20Signaturebased%20detection%20of%20privilegeescalation%20attacks%20on%20Android.%20In%3A%202015%20Conference%20on%20Information%20Assurance%20and%20Cyber%20 Security%20%28CIACS%29%2C%20pp.%2044%E2%80%9349%2C%20December%202015)


Paul, T., Kimball, J., Zawodniok, M., Roth, T., McMillin, B.: Invariants as a unified knowledge model for cyber-physical systems. In: IEEE International Conference on Service-Oriented Computing and Applications (SOCA), pp. 1–8, December 2011 Google Scholar ( q=Paul%2C%20T.%2C%20Kimball%2C%20J.%2C%20Zawodniok%2C%20M.%2C%20Roth%2C%20T.%2C%20McMillin%2C%20B.%3 A%20Invariants%20as%20a%20unified%20knowledge%20model%20for%20cyberphysical%20systems.%20In%3A%20IEEE%20International%20Conference%20on%20ServiceOriented%20Computing%20and%20Applications%20%28SOCA%29%2C%20pp.%201%E2%80%938%2C%20December%202011)


Rasti, R., Murthy, M., Weaver, N., Paxson, V.: Temporal lensing and its application in pulsing denial-of-service attacks. In: IEEE Symposium on Security and Privacy (SP), pp. 187–198, May 2015 Google Scholar ( q=Rasti%2C%20R.%2C%20Murthy%2C%20M.%2C%20Weaver%2C%20N.%2C%20Paxson%2C%20V.%3A%20Temporal%20lensing%2 0and%20its%20application%20in%20pulsing%20denial-ofservice%20attacks.%20In%3A%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20%28SP%29%2C%20pp.%20187%E2% 80%93198%2C%20May%202015)


Tartakovsky, A., Rozovskii, B., Blazek, R., Kim, H.: A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Trans. Signal Process. 54(9), 3372–3382 (2006) CrossRef ( Google Scholar ( title=A%20novel%20approach%20to%20detection%20of%20intrusions%20in%20computer%20networks%20via%20adaptive%20sequenti al%20and%20batch-sequential%20changepoint%20detection%20methods&author=A.%20Tartakovsky&author=B.%20Rozovskii&author=R.%20Blazek&author=H.%20Kim&journal =IEEE%20Trans.%20Signal%20Process.&volume=54&issue=9&pages=3372-3382&publication_year=2006)


Thatte, G., Mitra, U., Heidemann, J.: Parametric methods for anomaly detection in aggregate traffic. IEEE/ACM Trans. Netw. 19(2), 512–525 (2011) CrossRef ( Google Scholar ( title=Parametric%20methods%20for%20anomaly%20detection%20in%20aggregate%20traffic&author=G.%20Thatte&author=U.%20Mitra& author=J.%20Heidemann&journal=IEEE%2FACM%20Trans.%20Netw.&volume=19&issue=2&pages=512-525&publication_year=2011)


Wu, Z.-J., Zhang, L., Yue, M.: Low-rate DoS attacks detection based on network multifractal. IEEE Trans. Dependable Secure Comput. PP(99), 1–10 (2015) Google Scholar ( 99&pages=1-10&publication_year=2015)

Copyright information © IFIP International Federation for Information Processing 2016

About this paper Cite this paper as: Adepu S., Mathur A. (2016) Using Process Invariants to Detect Cyber Attacks on a Water Treatment System. In: Hoepman JH., Katzenbeisser S. (eds) ICT Systems Security and Privacy Protection. SEC 2016. IFIP Advances in Information and Communication Technology, vol 471. Springer, Cham DOI (Digital Object Identifier) Publisher Name Springer, Cham Print ISBN 978-3-319-33629-9 Online ISBN 978-3-319-33630-5 eBook Packages Computer Science About this book Reprints and Permissions

Personalised recommendations

© 2017 Springer International Publishing AG. Part of Springer Nature. Not logged in Not affiliated


Using Process Invariants to Detect Cyber Attacks on a Water

Using Process Invariants to Detect Cyber Attacks on a Water Treatment System IFIP International Information Security and Privacy Conference SEC 2016: ...

56KB Sizes 6 Downloads 16 Views

Recommend Documents

Common Cyber Attacks -
Common Cyber Attacks: Reducing The Impact has been produced by CESG (the Information Security Arm of. GCHQ) with CERT-UK

Cities Wide Open to Cyber Attacks - IOActive
Cities around the world are becoming increasingly smart, which creates huge attack surfaces for potential cyber attacks.

Cyber Attacks and Public Embarrassment
Bay3 and Facebook (Anonymous News Network).4 Internet Relay Chats (IRC) and image boards, Internet forums, as ... Anonyw

Jaundice is one of the most common disease affecting neonates worldwide caused by hyperbilirubinaemia in blood, which re

... express the utmost gratitude to my advisor and committee chairman Dr. Sumit Jha for ... Finally, I would like to ack

Before Rolling Blackouts Begin: Briefing Boards on Cyber Attacks That
Oct 1, 2013 - and Sandy, blackouts not only “take lives” but force doctors to choose who will receive life-saving el

Using crowdsourced imagery to detect cultural ecosystem services: a
opportunities offered by social media to investigate spatial preferences. Combining ... The most anthropocentric ES are

Post-Graduate Diploma in Cyber Security Cyber Attacks and Counter
3.10.3 How to Identify Fake EMail And Trace Sender's Location . ..... process or programs from normal anti virus scan de

'DDoS attacks' in Cyber Security |
Cyber Security filtered by DDoS attacks.

cyber attacks during the war on terrorism - Dartmouth ISTS
Sep 22, 2001 - EXECUTIVE SUMMARY. This paper should be viewed as a clear ... LESSONS FROM RECENT CYBER ATTACK CASE STUDI