CPS-SPC ’18- Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy
SESSION: Session 2: Intrusion and Anomaly detection
While the ever-increasing connectivity of cyber-physical systems enlarges their attack surface, existing anomaly detection frameworks often do not incorporate the rising heterogeneity of involved systems. Existing frameworks focus on a single fieldbus protocol or require more detailed knowledge of the cyber-physical system itself. Thus, we introduce a uniform method and framework for applying anomaly detection to a variety of fieldbus protocols. We use stacked denoising autoencoders to derive a feature learning and packet classification method in one step. As the approach is based on the raw byte stream of the network traffic, neither specific protocols nor detailed knowledge of the application is needed. Additionally, we pay attention on creating an efficient framework which can also handle the increased amount of communication in cyber-physical systems. Our evaluation on a Secure Water Treatment dataset using EtherNet/IP and a Modbus dataset shows that we can acquire network packets up to 100 times faster than packet parsing based methods. However, we still achieve precision and recall metrics for longer lasting attacks of over 99%.
Smart Manufacturing (SM) is envisioned to make manufacturing processes more efficient through automation and integration of networked information systems. Robotic arms are integral to this vision. However the benefits of SM, enabled by automation and networking, also come with cyber risks. In this work, we propose an anomaly detection framework for robotic arms in a manufacturing pipeline and integrate it into Robot Operating System (ROS), a middleware framework whose variants are being considered for deployment in industrial environments for flexible automation. In particular, we explore whether the repetitive behavior of an industrial arm can be leveraged to detect anomalous behaviour that may indicate an intrusion. Based on a learned model, we classify a robot’s actions as anomalous or benign. We introduce the notion of a ‘tolerance envelope’ to train a supervised learning model. Our empirical evaluation shows that anomalies that take the robot out of pre-determined tolerance levels can be detected with high accuracy.
Cyber-physical systems (CPS) consist of software and physical components which are knitted together and interact with each other continuously. CPS have been targets of security attacks due to their safety-critical nature and relative lack of protection. Specification based intrusion detection systems (IDS) using data, temporal, data temporal and time, and logical correlations have been proposed in the past. But none of the approaches except the ones using logical correlations take into account the main ingredient in the operation of CPS, namely the use of physical properties. On the other hand, IDS that use physical properties either require the developer to define invariants manually, or have designed their IDS for a specific CPS. This paper proposes CORGIDS, a generic IDS capable of detecting security attacks by inferring the logical correlations of the physical properties of a CPS, and checking if they adhere to the predefined framework. We build a CORGIDS-based prototype and demonstrate its use for detecting attacks in the two CPS. We find that CORGIDS achieves a precision of 95.70%, and a recall of 87.90%, with modest memory and performance overheads.
SESSION: Session 3: Security and Safety Analysis
Digital twins play a key role in realizing the vision of a smart factory. While this concept is often associated with maintenance, optimization, and simulation, digital twins can also be leveraged to enhance the security and safety of cyber-physical systems (CPSs). In particular, digital twins can run in parallel to a CPS, allowing to perform a security and safety analysis during operation without the risk of disrupting live systems. However, replicating states of physical devices within a CPS in functionally equivalent virtual replicas, so that they precisely mirror the internal behavior of their counterparts, is an open research topic. In this paper, we propose a novel state replication approach that first identifies stimuli based on the system’s specification and then replicates them in a virtual environment. We believe that replicating states of CPSs is a prerequisite for a multitude of security and safety enhancing features that can be implemented on the basis of digital twins. To demonstrate the feasibility of the specification-based state replication approach, we provide a prototypical implementation and evaluate it in an experimental CPS test bed. The results of this paper show that attacks against CPSs can be successfully detected by leveraging the proposed state replication approach.
Modern cyber-physical systems are complex networked computing systems that electronically control physical systems. Autonomous road vehicles are an important and increasingly ubiquitous instance. Unfortunately, their increasing complexity often leads to security vulnerabilities. Network connectivity exposes these vulnerable systems to remote software attacks that can result in real-world physical damage, including vehicle crashes and loss of control authority. We introduce an integrated architecture to provide provable security and safety assurance for cyber-physical systems by ensuring that safety-critical operations and control cannot be unintentionally affected by potentially malicious parts of the system. Fine-grained information flow control is used to design both hardware and software, determining how low-integrity information can affect high-integrity control decisions. This security assurance is used to improve end-to-end security across the entire cyber-physical system. We demonstrate this integrated approach by developing a mobile robotic testbed modeling a self-driving system and testing it with a malicious attack.
Distance-bounding (DB) protocols protect against relay attacks on proximity-based access control systems. In a DB protocol, the verifier computes an upper bound on the distance to the prover by measuring the time-of-flight of exchanged messages. DB protocols are, however, vulnerable to distance fraud, in which a dishonest prover is able to manipulate the distance bound computed by an honest verifier. Despite their conceptual simplicity, devising a formal characterization of DB protocols and distance fraud attacks that is amenable to automated formal analysis is non-trivial, primarily because of their real-time and probabilistic nature. In this work, we introduce a generic, computational model, based on Rewriting Logic, for formally analyzing various forms of distance fraud, including recently identified timing attacks, on the Hancke-Kuhn family of DB protocols through statistical model checking. While providing an insightful formal characterization on its own, the model enables a practical formal analysis method that can help system designers bridge the gap between conceptual descriptions and low-level designs. In addition to accurately confirming known results, we use the model to define new attack strategies and quantitatively evaluate their effectiveness under realistic assumptions that would otherwise be difficult to reason about manually.
SESSION: Session 4: Industrial Control and SCADA Systems
This paper presents a study on detecting cyber attacks on industrial control systems (ICS) using convolutional neural networks. The study was performed on a Secure Water Treatment testbed (SWaT) dataset, which represents a scaled-down version of a real-world industrial water treatment plant. We suggest a method for anomaly detection based on measuring the statistical deviation of the predicted value from the observed value. We applied the proposed method by using a variety of deep neural network architectures including different variants of convolutional and recurrent networks. The test dataset included 36 different cyber attacks. The proposed method successfully detected 31 attacks with three false positives thus improving on previous research based on this dataset. The results of the study show that 1D convolutional networks can be successfully used for anomaly detection in industrial control systems and outperform recurrent networks in this setting. The findings also suggest that 1D convolutional networks are effective at time series prediction tasks which are traditionally considered to be best solved using recurrent neural networks. This observation is a promising one, as 1D convolutional neural networks are simpler, smaller, and faster than the recurrent neural networks.
In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general Deterministic Finite Automata (DFA) model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.
Industrial control systems (ICS) are key enabling systems that drive the productivity and efficiency of omnipresent industries such as power, gas, water treatment, transportation, and manufacturing. These systems consist of interconnected components that communicate over industrial networks using industrial protocols such as the Common Industrial Protocol (CIP). CIP is one of the most commonly used network-based process control protocols, and utilizes an object-oriented communication structure for device to device interaction. Due to this object-oriented structure, CIP communication reveals detailed information about the devices, the communication patterns, and the system, providing an in-depth view of the system. The details from this in-depth system perspective can be utilized as part of a system cybersecurity or discovery approach. However, due to the variety of commands, corresponding parameters, and variable layer structure of the CIP network layer, processing this layer is a challenging task. This paper presents a tool, Advanced CIP Evaluator (ACE), which passively processes the CIP communication layer and automatically extracts device, communication, and system information from observed network traffic. ACE was tested and verified using a representative ICS power generation testbed. Since ACE operates passively, without generating any network traffic of its own, system operations are not disturbed. This novel tool provides ICS information, such as networked devices, communication patterns, and system operation, at a depth and breadth that is unique compared with other known tools.
Science Hackathons for Cyberphysical System Security Research: Putting CPS testbed platforms to good use
A challenge is to develop cyber-physical system scenarios that reflect the diversity and complexity of real-life cyber-physical systems in the research questions that they address. Time-bounded collaborative events, such as hackathons, jams and sprints, are increasingly used as a means of bringing groups of individuals together, in order to explore challenges and develop solutions. This paper describes our experiences, using a science hackathon to bring individual researchers together, in order to develop a common use-case implemented on a shared CPS testbed platform that embodies the diversity in their own security research questions. A qualitative study of the event was conducted, in order to evaluate the success of the process, with a view to improving future similar events.