JZUS - Journal of Zhejiang University SCIENCE

Frontiers of Information Technology & Electronic Engineering 2022 Vol.23 No.4 P.587-603

http://doi.org/10.1631/FITEE.2000546

Detection and localization of cyber attacks on water treatment systems: an entropy-based approach

Author(s): Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, Qiang WEI
Affiliation(s): State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; more
Corresponding email(s): bendawang@gmail.com, csewmf@zju.edu.cn, rongkuan233@gmail.com, zhangzhenyong@zju.edu.cn, funnywei@163.com
Key Words: Industrial cyber-physical system, Water treatment system, Intrusion detection, Abnormal state, Detection and localization, Information theory

Share this article to： More <<< Previous Article \|Next Article >>>

Abstract: With the advent of Industry 4.0, water treatment systems (WTSs) are recognized as typical industrial cyber-physical systems (iCPSs) that are connected to the open Internet. Advanced information technology (IT) benefits the WTS in the aspects of reliability, efficiency, and economy. However, the vulnerabilities exposed in the communication and control infrastructure on the cyber side make WTSs prone to cyber attacks. The traditional IT system oriented defense mechanisms cannot be directly applied in safety-critical WTSs because the availability and real-time requirements are of great importance. In this paper, we propose an entropy-based intrusion detection (EBID) method to thwart cyber attacks against widely used controllers (e.g., programmable logic controllers) in WTSs to address this issue. Because of the varied WTS operating conditions, there is a high false-positive rate with a static threshold for detection. Therefore, we propose a dynamic threshold adjustment mechanism to improve the performance of EBID. To validate the performance of the proposed approaches, we built a high-fidelity WTS testbed with more than 50 measurement points. We conducted experiments under two attack scenarios with a total of 36 attacks, showing that the proposed methods achieved a detection rate of 97.22% and a false alarm rate of 1.67%.

水处理系统网络攻击的检测和定位：基于熵的方法

刘可¹，汪慕峰²，麻荣宽¹，张镇勇²，魏强¹
¹数学工程与先进计算国家重点实验室，中国郑州市，450001
²浙江大学控制科学与工程学院，中国杭州市，310027
摘要：随着工业4.0的发展，水处理系统作为一种典型工业信息物理系统逐渐接入互联网。先进的信息技术使水处理系统在可靠性、效率和经济性方面受益。然而，网络和基础设施中潜在的漏洞使水处理系统很容易遭受网络攻击。由于水处理系统对于实时性和可用性的严苛要求，传统的面向信息系统的防御机制无法直接应用于水处理系统。本文提出一种基于熵的入侵检测方法来抵御针对系统中控制器（如可编程逻辑控制器）的攻击。由于水处理系统运行条件的变化，在模型采用静态阈值进行检测时会产生较高误报率。因此本文提出一种动态阈值调整机制来提高所提方法的检测性能。为验证所提方法，我们建立了一个包含超过50个测量点的高保真水处理系统测试平台。在两种攻击场景下进行实验，共涵盖了36次攻击。结果表明，所提方法能够实现97.22%的检测率和1.67%的误报率。

关键词：工业信息物理系统；水处理系统；入侵检测；异常状态；检测和定位；信息论

Reference

[1]Barbosa RRR, Sadre R, Pras A, 2012. Towards periodicity based anomaly detection in SCADA networks. Proc 17^th IEEE Int Conf on Emerging Technologies & Factory Automation, p.1-4.

[2]Bereziński P, Jasiul B, Szpyrka M, 2015. An entropy-based network anomaly detection method. Entropy, 17(4):2367-2408.

[3]Carcano A, Coletta A, Guglielmi M, et al., 2011. A multi-dimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Trans Ind Inform, 7(2):179-186.

[4]Cover TM, Thomas JA, 2012. Elements of Information Theory. John Wiley & Sons, New York, USA, p.250-252.

[5]Farwell JP, Rohozinski R, 2011. Stuxnet and the future of cyber war. Survival, 53(1):23-40.

[6]Feng C, Reddy Palleti V, Mathur A, et al., 2019. A systematic framework to generate invariants for anomaly detection in industrial control systems. Proc Network and Distributed Systems Security Symp, p.1-22.

[7]Formby D, Srinivasan P, Leonard A, et al., 2016. Who's in control of your control system? Device fingerprinting for cyber-physical systems. Proc Network and Distributed Systems Security Symp, p.1-15.

[8]Fovino IN, Coletta A, Carcano A, et al., 2012. Critical state-based filtering system for securing SCADA network protocols. IEEE Trans Ind Electron, 59(10):3943-3950.

[9]Geng YY, Wang Y, Liu WW, et al., 2019. A survey of industrial control system testbeds. IOP Conf Ser Mater Sci Eng, 569(4):042030.

[10]Goldenberg N, Wool A, 2013. Accurate modeling of Modbus/ TCP for intrusion detection in SCADA systems. Int J Crit Infrastruct Protect, 6(2):63-75.

[11]Hadeli H, Schierholz R, Braendle M, et al., 2009. Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration. Proc IEEE Conf on Emerging Technologies & Factory Automation, p.1-8.

[12]Hu Y, Li H, Luan TH, et al., 2020. Detecting stealthy attacks on industrial control systems using a permutation entropy-based method. Fut Gener Comput Syst, 108:1230-1240.

[13]ICS-CERT, 2016. ICS-CERT Annual Assessment Report. Technical Report. NCCIC/ICS-CERT, Washington DC, USA.

[14]Kaspersky ICS CERT, 2019. Threat Landscape for Industrial Automation Systems. H2 2018. Kaspersky. Available from https://ics-cert.kaspersky.com/publications/reports/2019/03/27/threat-landscape-for-industrial-automation-systems-h2-2018/ [Accessed on Jan. 1, 2021].

[15]Kaspersky ICS CERT, 2020a. Targeted Attacks on Israeli Water Supply and Wastewater Treatment Facilities. Available from https://ics-cert.kaspersky.com/news/2020/04/29/israel-water-cyberattacks/ [Accessed on Jan. 1, 2021].

[16]Kaspersky ICS CERT, 2020b. Threat Landscape for Industrial Automation Systems. Vulnerabilities Identified in 2019. Kaspersky. Available from https://ics-cert.kaspersky.com/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-vulnerabilities-identified-in-2019/ [Accessed on Jan. 1, 2021].

[17]Khraisat A, Gondal I, Vamplew P, et al., 2019. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2:20.

[18]Kleinmann A, Wool A, 2014. Accurate modeling of the Siemens S7 SCADA protocol for intrusion detection and digital forensics. J Dig Forens Secur Law, 9(2):37-50.

[19]Lee R, Slowik J, Miller B, et al., 2017. Industroyer/ Crashoverride: Zero Things Cool about a Threat Group Targeting the Power Grid. Technical Report. Black Hat, USA.

[20]Lin H, Slagell A, di Martino C, et al., 2013. Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol. Proc 8^th Annual Cyber Security and Information Intelligence Research Workshop, p.1-4.

[21]Linda O, Manic M, Vollmer T, et al., 2011a. Fuzzy logic based anomaly detection for embedded network security cyber sensor. Proc IEEE Symp on Computational Intelligence in Cyber Security, p.202-209.

[22]Linda O, Manic M, Alves-Foss J, et al., 2011b. Towards resilient critical infrastructures: application of type-2 fuzzy logic in embedded network security cyber sensor. Proc 4^th Int Symp on Resilient Control Systems, p.26-32.

[23]Ma RK, Cheng P, Zhang ZY, et al., 2019. Stealthy attack against redundant controller architecture of industrial cyber-physical system. IEEE Int Things J, 6(6):9783-9793.

[24]Maglaras LA, Jiang JM, 2014. Intrusion detection in SCADA systems using machine learning techniques. Proc Science and Information Conf, p.626-631.

[25]Mathur AP, Tippenhauer NO, 2016. SWaT: a water treatment testbed for research and training on ICS security. Proc Int Workshop on Cyber-Physical Systems for Smart Water Networks, p.31-36.

[26]Morris T, Vaughn R, Dandass Y, 2012. A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems. Proc 45^th IEEE Hawaii Int Conf on System Sciences, p.2338-2345.

[27]Navaz ASS, Sangeetha V, Prabhadevi C, 2013. Entropy based anomaly detection system to prevent DDoS attacks in cloud. Int J Comput Appl, 62(15):42-47.

[28]Nelson T, Chaffin M, 2011. Common Cybersecurity Vulnerabilities in Industrial Control Systems. Technical Report. The U.S. Department of Homeland Security (DHS) National Cyber Security Division, Washington DC, USA.

[29]Ponomarev S, Atkison T, 2016. Industrial control system network intrusion detection by telemetry analysis. IEEE Trans Depend Sec Comput, 13(2):252-260.

[30]Qian Q, Che HY, Zhang R, 2009. Entropy based method for network anomaly detection. Proc 15^th IEEE Pacific Rim Int Symp on Dependable Computing, p.189-191.

[31]Sample C, Schaffer K, 2013. An overview of anomaly detection. IT Prof, 15(1):8-11.

[32]SecurityWeek, 2016. Attackers Alter Water Treatment Systems in Utility Hack: Report. Available from https://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report [Accessed on Jan. 1, 2021].

[33]Song ZW, Liu ZH, 2019. Abnormal detection method of industrial control system based on behavior model. Comput Secur, 84:166-178.

[34]Stouffer K, Pillitteri V, Lightman S, et al., 2011. Guide to Industrial Control Systems (ICSs) Security. NIST Special Publication 800-82.

[35]Tate RF, 1954. Correlation between a discrete and a continuous variable. Point-biserial correlation. Ann Math Stat, 25(3):603-607.

[36]Ten CW, Manimaran G, Liu CC, 2010. Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern A, 40(4):853-865.

[37]Terai A, Abe S, Kojima S, et al., 2017. Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile. Proc IEEE European Symp on Security and Privacy Workshops, p.132-138.

[38]The Wall Street Journal's San Francisco Bureau, 2015. Iranian Hackers Infiltrated New York Dam in 2013. Available from https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559 [Accessed on Jan. 1, 2021].

[39]Vollmer T, Manic M, 2009. Computationally efficient neural network intrusion security awareness. Proc 2^nd Int Symp on Resilient Control Systems, p.25-30.

[40]Vollmer T, Alves-Foss J, Manic M, 2011. Autonomous rule creation for intrusion detection. Proc IEEE Symp on Computational Intelligence in Cyber Security, p.1-8.

[41]Walton B, 2016. Water Sector Prepares for Cyberattacks. Available from https://www.circleofblue.org/2016/world/water-sector-prepares-cyberattacks [Accessed on Jan. 1, 2021].

[42]Wang YS, Fan KF, Lai YX, et al., 2017. Intrusion detection of industrial control system based on Modbus TCP protocol. Proc 13^th IEEE Int Symp on Autonomous Decentralized System, p.156-162.

[43]Wikipedia, 2020a. Critical Infrastructure. Available from https://en.wikipedia.org/wiki/Critical_infrastructure [Accessed on Jan. 1, 2021].

[44]Wikipedia, 2020b. Water Treatment. Available from https://en.wikipedia.org/wiki/Water_treatment [Accessed on Jan. 1, 2021].

[45]Yu W, Wang X, Xuan D, et al., 2006. Effective detection of active worms with varying scan rate. Proc Securecomm and Workshops, p.1-10.

[46]Zhang F, Kodituwakku HADE, Hines JW, et al., 2019. Multi-layer data-driven cyber-attack detection system for industrial control systems based on network, system, and process data. IEEE Trans Ind Inform, 15(7):4362-4369.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Similar articles

- Go to

水处理系统网络攻击的检测和定位：基于熵的方法

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference