CLC number: TP316.4
On-line Access: 2024-08-27
Received: 2023-10-17
Revision Accepted: 2024-05-08
Crosschecked: 2021-01-21
Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, Qiang WEI. Detection and localization of cyber attacks on water treatment systems: an entropy-based approach[J]. Frontiers of Information Technology & Electronic Engineering, in press. https://doi.org/10.1631/FITEE.2000546
Detection and localization of cyber attacks on water treatment systems: an entropy-based approach
1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2 College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
Abstract: With the development of Industry 4.0, water treatment systems, a typical kind of industrial cyber-physical system, are increasingly being connected to the Internet. Advanced information technology benefits water treatment systems in reliability, efficiency, and economy. However, latent vulnerabilities in the network and the infrastructure leave water treatment systems exposed to cyber attacks. Because water treatment systems have strict real-time and availability requirements, the traditional defense mechanisms designed for information systems cannot be applied to them directly. This paper proposes an entropy-based intrusion detection method to counter attacks that target the controllers in the system (e.g., programmable logic controllers). Because the operating conditions of a water treatment system change over time, a model that detects with a static threshold produces a high false alarm rate; we therefore propose a dynamic threshold adjustment mechanism to improve the detection performance of the method. To validate the method, we built a high-fidelity water treatment testbed with more than 50 measurement points. Experiments were run under two attack scenarios covering 36 attacks in total. The results show that the proposed method achieves a detection rate of 97.22% and a false alarm rate of 1.67%.
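The abstract gives the shape of the detector (window entropy of what the controller sees, compared against a threshold) and the reason a static threshold fails (benign changes in operating conditions move the entropy), but not the paper's entropy measure or its adjustment rule. The following is an added illustration, not the authors' code: it runs a Shannon-entropy detector over a constructed stream of quantized tank-level readings with a fixed baseline and with a baseline that tracks an exponentially weighted moving average (EWMA) of alarm-free windows. The window size, the band width `DELTA`, the EWMA rule, the bin values and the attack windows are all assumptions made for the example.

```python
"""Sliding-window entropy detector with a static vs. a dynamic (EWMA) threshold.

Added illustration, not the paper's code: the paper's entropy measure and its
threshold adjustment rule are not given on this page, so the EWMA rule, the
window size, the band width (DELTA) and the sample stream are all assumptions.
"""
import math
from collections import Counter

WINDOW = 8          # samples per non-overlapping window (assumed)
TRAIN_WINDOWS = 4   # attack-free windows used to seed both baselines (assumed)
DELTA = 0.35        # alarm when |H - baseline| > DELTA bits (assumed)


def shannon_entropy(window):
    """Shannon entropy (bits) of the symbol distribution in one window."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def windows(stream, size=WINDOW):
    """Split a sample stream into consecutive, non-overlapping windows."""
    return [stream[i:i + size] for i in range(0, len(stream) - size + 1, size)]


def block(counts):
    """Expand {bin: count} into one window of quantized readings (constructed data)."""
    return [sym for sym, c in counts.items() for _ in range(c)]


# Constructed stream of tank-level readings quantized into bins 0..7.
# Windows 0-3: level oscillates between two bins (H = 1 bit).
# Windows 4-12: benign operating-condition drift; the process gradually uses
#               four bins, raising H from about 1.06 to 2 bits in small steps.
# Windows 13-14, 17, 19: the new normal regime (H = 2 bits).
# Windows 15-16: attack, the PLC sees a replayed constant reading (H = 0).
# Window 18: attack, noise injection, every reading in a different bin (H = 3).
NORMAL_LOW = {3: 4, 4: 4}
DRIFT = [
    {3: 6, 4: 1, 5: 1}, {3: 5, 4: 2, 5: 1}, {3: 4, 4: 3, 5: 1},
    {3: 4, 4: 2, 5: 2}, {3: 3, 4: 3, 5: 2}, {3: 4, 4: 2, 5: 1, 6: 1},
    {3: 3, 4: 3, 5: 1, 6: 1}, {3: 3, 4: 2, 5: 2, 6: 1}, {3: 2, 4: 2, 5: 2, 6: 2},
]
NORMAL_HIGH = {3: 2, 4: 2, 5: 2, 6: 2}
FROZEN = {4: 8}
NOISE = {b: 1 for b in range(8)}
ATTACK_WINDOWS = {15, 16, 18}


def build_stream():
    specs = ([NORMAL_LOW] * 4 + DRIFT + [NORMAL_HIGH] * 2 + [FROZEN] * 2
             + [NORMAL_HIGH, NOISE, NORMAL_HIGH])
    return [s for spec in specs for s in block(spec)]


def detect_static(entropies, train=TRAIN_WINDOWS, delta=DELTA):
    """Fixed baseline learned once from the training windows."""
    base = sum(entropies[:train]) / train
    return [i for i in range(train, len(entropies)) if abs(entropies[i] - base) > delta]


def detect_dynamic(entropies, train=TRAIN_WINDOWS, delta=DELTA, alpha=0.5):
    """Baseline tracks an EWMA of the entropy of windows that raised no alarm.

    Flagged windows are excluded from the update so an attack cannot pull the
    baseline toward itself once it has been noticed.
    """
    base = sum(entropies[:train]) / train
    alarms = []
    for i in range(train, len(entropies)):
        if abs(entropies[i] - base) > delta:
            alarms.append(i)
        else:
            base = alpha * entropies[i] + (1 - alpha) * base
    return alarms


def score(alarms, n_windows, train=TRAIN_WINDOWS, attacks=ATTACK_WINDOWS):
    """Detection rate and false alarm rate over the windows after training."""
    alarms = set(alarms)
    n_normal = (n_windows - train) - len(attacks)
    return {
        "detection_rate": len(alarms & attacks) / len(attacks),
        "false_alarm_rate": len(alarms - attacks) / n_normal,
    }


def run():
    ents = [shannon_entropy(w) for w in windows(build_stream())]
    static, dynamic = detect_static(ents), detect_dynamic(ents)
    return {
        "entropies": ents,
        "static": {"alarms": static, **score(static, len(ents))},
        "dynamic": {"alarms": dynamic, **score(dynamic, len(ents))},
    }


if __name__ == "__main__":
    for name, res in run().items():
        if name != "entropies":
            print(name, res)
```

On this constructed stream the static detector catches all three attack windows but also fires on every window from the middle of the drift onward (11 false alarms out of 13 normal windows), while the EWMA baseline follows the drift step by step, fires only on windows 15, 16 and 18, and raises no false alarm. Two points a practitioner would check before trusting such a scheme: the band must be two-sided, otherwise a replayed constant reading (entropy collapsing to zero, windows 15-16) is never seen; and a baseline that learns from every unflagged window can be walked by an attacker who changes the process more slowly than `DELTA` per window, so the allowed excursion of the dynamic baseline from the training baseline should itself be bounded or cross-checked against process invariants.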