Abstract
Evaluating the security of Cyber-Physical Systems (CPS) is challenging, mainly because it brings risks that are not acceptable in mission-critical systems like Industrial Control Systems (ICS). Model-based approaches help to address such challenges by keeping the risk associated with testing low. This paper presents a novel modelling framework and methodology that can easily be adapted to different CPS. Based on our experiments, HybLearner takes less than 140 s to build a model from historical data of a real-world water treatment testbed, and HybTester can simulate accurately about 60 min ahead of normal behaviour of the system including transitions of control strategies. We also introduce a security metrics (time-to-critical-state) that gives a measurement of how fast the system might reach a critical state, which is one of the use cases of the proposed framework to build a model-based attack detection mechanism.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
Database toolkit for Python (https://www.sqlalchemy.org/).
- 5.
- 6.
Gaussian process in Python (https://sheffieldml.github.io/GPy/).
- 7.
References
Adepu, S., Mathur, A.: An investigation into the response of a water treatment system to cyber attacks. In: 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE) (2016)
Alur, R.: Principles of Cyber-Physical Systems. MIT Press, Cambridge (2015)
Carcano, A., Coletta, A., Guglielmi, M., Masera, M., Fovino, I.N., Trombetta, A.: A multidimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Trans. Ind. Inform. 7, 179–186 (2011)
Cárdenas, A.A., Amin, S., Lin, Z.S., Huang, Y.L., Huang, C.Y., Sastry, S.: Attacks against process control systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (CCS) (2011)
Castellanos, J.H., Ochoa, M., Zhou, J.: Finding dependencies between cyber-physical domains for security testing of industrial control systems. In: Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC) (2018)
Etigowni, S., Hossain-McKenzie, S., Kazerooni, M., Davis, K., Zonouz, S.: Crystal (ball): I look at physics and predict control flow! just-ahead-of-time controller recovery. In: Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC) (2018)
Garulli, A., Paoletti, S., Vicino, A.: A survey on switched and piecewise affine system identification. In: IFAC Proceedings Volumes (2012)
Goebel, R., Teel, A.R., Sanfelice, R.G.: Hybrid Dynamical Systems: Modeling, Stability, and Robustness. Princeton University Press, Princeton (2012)
Goh, J., Adepu, S., Junejo, K.N., Mathur, A.: A dataset to support research in the design of secure water treatment systems. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds.) CRITIS 2016. LNCS, vol. 10242, pp. 88–99. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71368-7_8
Goh, J., Adepu, S., Tan, M., Shan, L.Z.: Anomaly detection in cyber physical systems using recurrent neural networks. In: 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE) (2017)
Henzinger, T.A.: The theory of hybrid automata. In: Inan, M.K., Kurshan, R.P. (eds.) Verification of Digital and Hybrid Systems. NATO ASI Series, vol. 170, pp. 265–292. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-642-59615-5_13
Krotofil, M., Cárdenas, A.A.: Resilience of process control systems to cyber-physical attacks. In: Riis Nielson, H., Gollmann, D. (eds.) NordSec 2013. LNCS, vol. 8208, pp. 166–182. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41488-6_12
Kwon, C., Liu, W., Hwang, I.: Security analysis for cyber-physical systems against stealthy deception attacks. In: American Control Conference (ACC) (2013)
Lin, Q., Adepu, S., Verwer, S., Mathur, A.: TABOR: a graphical model-based approach for anomaly detection in industrial control systems. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security (2018)
Ljung, L.: System identification. In: Procházka, A., Uhlíř, J., Rayner, P.W.J., Kingsbury, N.G. (eds.) Signal Analysis and Prediction. ANHA, pp. 163–173. Springer, Boston (1998). https://doi.org/10.1007/978-1-4612-1768-8_11
Murguia, C., van de Wouw, N., Ruths, J.: Reachable sets of hidden CPS sensor attacks: analysis and synthesis tools. IFAC-PapersOnLine (2017)
Pasqualetti, F., Dörfler, F., Bullo, F.: Attack detection and identification in cyber-physical systems. IEEE Trans. Autom. Control 58, 2715–2729 (2013)
Raffelt, H., Steffen, B.: LearnLib: a library for automata learning and experimentation. In: Baresi, L., Heckel, R. (eds.) FASE 2006. LNCS, vol. 3922, pp. 377–380. Springer, Heidelberg (2006). https://doi.org/10.1007/11693017_28
Santana, P.H., Lane, S., Timmons, E., Williams, B.C., Forster, C.: Learning hybrid models with guarded transitions. In: Conference on Artificial Intelligence (2015)
Teixeira, A., Amin, S., Sandberg, H., Johansson, K.H., Sastry, S.S.: Cyber security analysis of state estimators in electric power systems. In: 49th IEEE Conference on Decision and Control (CDC) (2010)
Urbina, D.I., et al.: Limiting the impact of stealthy attacks on industrial control systems. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS) (2016)
Van Der Schaft, A.J., Schumacher, J.M.: An Introduction to Hybrid Dynamical Systems, vol. 251. Springer, London (2000). https://doi.org/10.1007/BFb0109998
Zimmerschied, R., Isermann, R.: Nonlinear system identification of block-oriented systems using local affine models. In: IFAC Proceedings Volumes (2009)
Acknowledgments
This work was partly supported by SUTD start-up research grant SRG-ISTD-2017-124.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
A Model-Based Detection Mechanism
Here we show additional examples how HybTester can be used as a model-based detection mechanism for two attacks (A1 and A2) described in Sect. 6.4 (Figs. 10 and 11).
Attack A1 which starts in step \(k=48\) (A1.0) and ends in step \(k=481\) (A1.1). The attack is detected in step \(k=49\) (D).
Attack A2 which starts in step \(k=200\) (A2.0) and ends in step \(k=718\) (A2.1). The attack is detected in step \(k=201\) (D).
B Continuous-Time Models for Stage One of SWaT
Figure 12 shows all nine derivatives \(\dot{y}\) for lit101.
Continuous-time model \(\bar{\mathbb {C}}\).
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Castellanos, J.H., Zhou, J. (2019). A Modular Hybrid Learning Approach for Black-Box Security Testing of CPS. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science(), vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-21568-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21567-5
Online ISBN: 978-3-030-21568-2
eBook Packages: Computer ScienceComputer Science (R0)