Critical infrastructure are Cyber-Physical Systems that provide essential services to the society. Such infrastructure includes plants for power generation and distribution and for water treatment and distribution. Several such plants operate under a high availability constraint. In the presence of ever increasing cyber attacks, as demonstrated by several events in the past, it becomes imperative and challenging for a plant to meet the availability requirement. Such attacks raise the importance of adding to a plant mechanisms for attack prevention, detection, and secure control. Preventive measures aim to control the incoming and outgoing network traffic and prevent unauthorised access to the plant. Detection mechanisms aim at detecting whether the plant is behaving as expected and raise alarms otherwise. Mechanisms for secure control aim at ensuring that the plant remains in a stable state despite an attack. When a preventive mechanism fails, the detection mechanism ought to detect whether the process under control is moving into an undesirable state and, if so, raise an appropriate alarm. While an alarm will likely alert an operator, it may be too late and damage may have occurred. To prevent such damage, a secure control mechanism ensures that despite the plant entering an abnormal state, the plant components, e.g., pumps and generators, do not get damaged and the process continues to function albeit in degraded mode. The ongoing process in the plant is said to be anomalous when its state is not in accordance with the plant design. A number of proposed detection mechanisms rely on the physics of the process to detect anomalous behavior. Several such mechanisms have been implemented in testbeds. In this talk we analyze two methods for the detection of process anomalies, namely the CUSUM method[2], and a relatively newer method based on the notion of state entanglement [1]. Both methods are based on models of the underlying process in the plant. CUSUM is a statistical technique for detecting change points in a time series that corresponds to a process variable. The method uses two parameters, namely bias and threshold. The bias is determined from the mean of the process variable of concern. The bias so obtained is used in conjunction with the predicted and observed state of the plant. The process is said to have changed its behavior when the CUSUM statistic exceeds a pre-specified threshold. The occurrence of a change implies process anomaly. State entanglement uses the joint state space of one or more components of the plant to construct a state space that consists of prohibited states during plant operation. The prohibited state space of the components leads to one or more invariants. The invariants so derived are coded as monitors and placed in the plant network and in the controllers. A monitor raises an alarm when the process enters a prohibited state. While both methods mentioned above have been evaluated experimentally, we wish to identif
{"title":"On The Limits of Detecting Process Anomalies in Critical Infrastructure","authors":"A. Mathur","doi":"10.1145/3198458.3198466","DOIUrl":"https://doi.org/10.1145/3198458.3198466","url":null,"abstract":"Critical infrastructure are Cyber-Physical Systems that provide essential services to the society. Such infrastructure includes plants for power generation and distribution and for water treatment and distribution. Several such plants operate under a high availability constraint. In the presence of ever increasing cyber attacks, as demonstrated by several events in the past, it becomes imperative and challenging for a plant to meet the availability requirement. Such attacks raise the importance of adding to a plant mechanisms for attack prevention, detection, and secure control. Preventive measures aim to control the incoming and outgoing network traffic and prevent unauthorised access to the plant. Detection mechanisms aim at detecting whether the plant is behaving as expected and raise alarms otherwise. Mechanisms for secure control aim at ensuring that the plant remains in a stable state despite an attack. When a preventive mechanism fails, the detection mechanism ought to detect whether the process under control is moving into an undesirable state and, if so, raise an appropriate alarm. While an alarm will likely alert an operator, it may be too late and damage may have occurred. To prevent such damage, a secure control mechanism ensures that despite the plant entering an abnormal state, the plant components, e.g., pumps and generators, do not get damaged and the process continues to function albeit in degraded mode. The ongoing process in the plant is said to be anomalous when its state is not in accordance with the plant design. A number of proposed detection mechanisms rely on the physics of the process to detect anomalous behavior. Several such mechanisms have been implemented in testbeds. In this talk we analyze two methods for the detection of process anomalies, namely the CUSUM method[2], and a relatively newer method based on the notion of state entanglement [1]. Both methods are based on models of the underlying process in the plant. CUSUM is a statistical technique for detecting change points in a time series that corresponds to a process variable. The method uses two parameters, namely bias and threshold. The bias is determined from the mean of the process variable of concern. The bias so obtained is used in conjunction with the predicted and observed state of the plant. The process is said to have changed its behavior when the CUSUM statistic exceeds a pre-specified threshold. The occurrence of a change implies process anomaly. State entanglement uses the joint state space of one or more components of the plant to construct a state space that consists of prohibited states during plant operation. The prohibited state space of the components leads to one or more invariants. The invariants so derived are coded as monitors and placed in the plant network and in the controllers. A monitor raises an alarm when the process enters a prohibited state. While both methods mentioned above have been evaluated experimentally, we wish to identif","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116276378","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Keynote 3","authors":"Jianying Zhou","doi":"10.1145/3258581","DOIUrl":"https://doi.org/10.1145/3258581","url":null,"abstract":"","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"140 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132729695","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this talk, we discuss how control theory can contribute to the analysis and design of secure cyber-physical systems. We start by reviewing conditions for undetectable false-data injection attacks on feedback control systems. In particular, we highlight how a physical understanding of the controlled process can guide us in the allocation of protective measures. We show that protecting only a few carefully selected actuators or sensors can give indirect protection to many more components. We then illustrate how such analysis is exploited in the design of a resilient control scheme for a microgrid energy management system.
{"title":"Control Theory for Practical Cyber-Physical Security: Extended Abstract","authors":"H. Sandberg","doi":"10.1145/3198458.3198467","DOIUrl":"https://doi.org/10.1145/3198458.3198467","url":null,"abstract":"In this talk, we discuss how control theory can contribute to the analysis and design of secure cyber-physical systems. We start by reviewing conditions for undetectable false-data injection attacks on feedback control systems. In particular, we highlight how a physical understanding of the controlled process can guide us in the allocation of protective measures. We show that protecting only a few carefully selected actuators or sensors can give indirect protection to many more components. We then illustrate how such analysis is exploited in the design of a resilient control scheme for a microgrid energy management system.","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"262 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125233582","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 1: Risk Analysis and Security Testing for CPS","authors":"D. Gollmann","doi":"10.1145/3258579","DOIUrl":"https://doi.org/10.1145/3258579","url":null,"abstract":"","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"116 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122072109","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ahnaf Siddiqi, Nils Ole Tippenhauer, D. Mashima, Binbin Chen
Industrial control system networks in real world usually require a complex composition of many different devices, protocols, and services. Unfortunately, such practical setups are rarely documented publicly in sufficient technical detail to allow third parties to use the system as reference for their research. As a result, security researchers often have to work with abstract and simplified system assumptions, which might not translate well to practice. In this work, we provide a comprehensive overview of the network services provided by industrial devices found in the EPIC (Electric Power and Intelligent Control) system at SUTD. We provide a detailed network topology of the different network segments, enumerate hosts, models, protocols, and services provided. We argue that such a detailed system description can serve as an enabler for more practical security research. In particular, we discuss how the reported information can be used for emulating a diverse set of important threat scenarios in the smart grid domain. In addition, the provided details allow other researchers to build more detailed models or simulations.
{"title":"On Practical Threat Scenario Testing in an Electric Power ICS Testbed","authors":"Ahnaf Siddiqi, Nils Ole Tippenhauer, D. Mashima, Binbin Chen","doi":"10.1145/3198458.3198461","DOIUrl":"https://doi.org/10.1145/3198458.3198461","url":null,"abstract":"Industrial control system networks in real world usually require a complex composition of many different devices, protocols, and services. Unfortunately, such practical setups are rarely documented publicly in sufficient technical detail to allow third parties to use the system as reference for their research. As a result, security researchers often have to work with abstract and simplified system assumptions, which might not translate well to practice. In this work, we provide a comprehensive overview of the network services provided by industrial devices found in the EPIC (Electric Power and Intelligent Control) system at SUTD. We provide a detailed network topology of the different network segments, enumerate hosts, models, protocols, and services provided. We argue that such a detailed system description can serve as an enabler for more practical security research. In particular, we discuss how the reported information can be used for emulating a diverse set of important threat scenarios in the smart grid domain. In addition, the provided details allow other researchers to build more detailed models or simulations.","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129524192","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 2: Access Control for CPS","authors":"Jianying Zhou","doi":"10.1145/3258582","DOIUrl":"https://doi.org/10.1145/3258582","url":null,"abstract":"","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127828776","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
F. Martinelli, C. Michailidou, P. Mori, A. Saracino
Distributed environments such as Internet of Things, have an increasing need of introducing access and usage control mechanisms, to manage the rights to perform specific operations and regulate the access to the plethora of information daily generated by these devices. Defining policies which are specific to these distributed environments could be a challenging and tedious task, mainly due to the large set of attributes that should be considered, hence the upcoming of unforeseen conflicts or unconsidered conditions. In this paper we propose a qualitative risk-based usage control model, aimed at enabling a framework where is possible to define and enforce policies at different levels of granularity. In particular, the proposed framework exploits the Analytic Hierarchy Process (AHP) to coalesce the risk value assigned to different attributes in relation to a specific operation, in a single risk value, to be used as unique attribute of usage control policies. Two sets of experiments that show the benefits both in policy definition and in performance, validate the proposed model, demonstrating the equivalence of enforcement among standard policies and the derived single-attributed policies.
{"title":"Too Long, did not Enforce: A Qualitative Hierarchical Risk-Aware Data Usage Control Model for Complex Policies in Distributed Environments","authors":"F. Martinelli, C. Michailidou, P. Mori, A. Saracino","doi":"10.1145/3198458.3198463","DOIUrl":"https://doi.org/10.1145/3198458.3198463","url":null,"abstract":"Distributed environments such as Internet of Things, have an increasing need of introducing access and usage control mechanisms, to manage the rights to perform specific operations and regulate the access to the plethora of information daily generated by these devices. Defining policies which are specific to these distributed environments could be a challenging and tedious task, mainly due to the large set of attributes that should be considered, hence the upcoming of unforeseen conflicts or unconsidered conditions. In this paper we propose a qualitative risk-based usage control model, aimed at enabling a framework where is possible to define and enforce policies at different levels of granularity. In particular, the proposed framework exploits the Analytic Hierarchy Process (AHP) to coalesce the risk value assigned to different attributes in relation to a specific operation, in a single risk value, to be used as unique attribute of usage control policies. Two sets of experiments that show the benefits both in policy definition and in performance, validate the proposed model, demonstrating the equivalence of enforcement among standard policies and the derived single-attributed policies.","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"183 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115176793","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
G. Brost, Manuel Huber, Michael Weiß, Mykola Protsenko, J. Schütte, Sascha Wessel
The most recent and prominent advances in industrial computing include the growing interconnectivity of cyber-physical devices, as well as the increasing variety of complex applications exchanging data across company domains. In this context, the data becomes a valuable business asset and a trade good. The Industrial Data Space is a platform designed for the industry, allowing organizations the efficient data exchange and trade. The possibilities such platforms enable inevitably come along with new security risks regarding the establishment of trust, communication security, data usage control, or the integrity of participating systems. We define the key security requirements for the operation of such platforms in untrusted environments and present an overall security architecture for the whole ecosystem including the secure design and implementation of an architecture for the participating cyber-physical devices. On these devices, we allow for the controlled and isolated execution of services for application-specific gathering, processing and exchanging of data between organizations.
{"title":"An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space","authors":"G. Brost, Manuel Huber, Michael Weiß, Mykola Protsenko, J. Schütte, Sascha Wessel","doi":"10.1145/3198458.3198459","DOIUrl":"https://doi.org/10.1145/3198458.3198459","url":null,"abstract":"The most recent and prominent advances in industrial computing include the growing interconnectivity of cyber-physical devices, as well as the increasing variety of complex applications exchanging data across company domains. In this context, the data becomes a valuable business asset and a trade good. The Industrial Data Space is a platform designed for the industry, allowing organizations the efficient data exchange and trade. The possibilities such platforms enable inevitably come along with new security risks regarding the establishment of trust, communication security, data usage control, or the integrity of participating systems. We define the key security requirements for the operation of such platforms in untrusted environments and present an overall security architecture for the whole ecosystem including the secure design and implementation of an architecture for the participating cyber-physical devices. On these devices, we allow for the controlled and isolated execution of services for application-specific gathering, processing and exchanging of data between organizations.","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127547369","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Keynote 1","authors":"D. Gollmann","doi":"10.1145/3258578","DOIUrl":"https://doi.org/10.1145/3258578","url":null,"abstract":"","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134374901","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 3: SCADA Security and Digital Twins","authors":"N. Tippenhauer","doi":"10.1145/3258583","DOIUrl":"https://doi.org/10.1145/3258583","url":null,"abstract":"","PeriodicalId":296635,"journal":{"name":"Proceedings of the 4th ACM Workshop on Cyber-Physical System Security","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131668044","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: