Anomaly and Attack Detection in Supervisory Control Networks for Cyber-Physical Systems
Ernesto Del Prete and Fabio Pera
National Institute for Insurance against Accidents at Work, Italy. E-mail: {e.delprete, f.pera}@inail.it
Luca Faramondi, Camilla Fioravanti, Simone Guarino, Gabriele Oliva, and Roberto Setola
Department of Engineering, Campus Bio-Medico University of Rome, Italy.
E-mail: {l.faramondi, g.oliva, r.setola}@unicampus.it {camilla.fioravanti, simone.guarino}@alcampus.it
As shown by recent episodes such as STUXNET or TRITON, supervisory networks in charge of controlling Cyber-Physical Systems (CPS) are prone to cyber-attacks that could potentially cause physical consequences in terms of disruption of operational continuity (e.g., physical disruption of equipment) or in terms of the safety of workers and their environment (e.g., waste water leakage or release of toxic gases). Traditional intrusion or anomaly detection systems have proven effective in detecting classical attack patterns but may fail to identify cyber-attacks that exploit the physical characteristics of the CPS. In this view, even a situation or configuration that is formally correct (e.g., the tank level below the upper limit) may be an anomaly depending on the physical condition and the dynamics of the process. In order to spot sophisticated attacks, it is mandatory to consider the dynamics of the physical system being controlled. This is the scope of this paper, where we show that a digital twin (i.e., a real-time simulation of the physical process) can be quite beneficial for the identification of some types of cyber-attacks but is vulnerable to smart stealth threats. The proposed approach is validated on a test bed environment featuring a small-scale hardware simulator of a water distribution network, a control network and a SCADA system.
Keywords: Cyber-Physical Systems, Cyber Attacks, Cyber-Physical Attack Detection, Digital Twin.
1. Introduction
In recent years, the automation systems dedicated to the management and control of both civil and industrial facilities have become vulnerable to cyber threats. Modern society depends on complex engineering systems known as Critical Infrastructures (CIs); the main examples are: electrical power plants and national electrical grids, oil and natural gas systems, telecommunication and information networks, water distribution systems, transportation networks, banking and financial institutes, healthcare and security services. These systems represent the backbone of a nation's economy, security and health systems; therefore they must be safely managed and available 24 hours a day.
The experience and the analysis of historical data show that these requirements have not always been met; on many occasions, in fact, CI systems collapsed, entailing all sorts of catastrophic consequences. In early 2001, electric power disruptions stopped oil and natural gas production, refinery operations, and the pipeline transport of gasoline and jet fuel in California and many of its neighboring states; the movement of water from the northern to the central and southern regions of the state for crop irrigation was affected as well (Farmer et al. (2001)). In November 2006, a local failure in the German grid spread to various European areas, leaving 10 million people in darkness in Germany, Austria, France, Italy, Belgium and Spain (Maas et al. (2007)). Similar unpleasant consequences can occur in case of one or more failures within the systems that manage water infrastructures, especially when such a deficiency is not immediately detected. In March 2000, the Australian Maroochy Shire Council experienced problems with its new waste water facility: an insider contractor hacked into the system, with the consequence that more than one million liters of untreated sewage were released into waterways and local parks (Slay and Miller (2008)).
Over the large geographic areas usually covered by CIs, both the management of the huge information flow and the control of automated tasks are provided by complex systems known as SCADA (Supervisory Control and Data Acquisition); this tight coupling with information technology leads to a dangerous cyber threat exposure. The Stuxnet (Falliere et al. (2011)) and Duqu (Bencsáth et al. (2011)) malware are only the most impressive examples of how potential attackers could take advantage of these vulnerabilities. Hence, preserving CIs from these risks is an unavoidable necessity.

Proceedings of the 30th European Safety and Reliability Conference and the 15th Probabilistic Safety Assessment and Management Conference. Edited by Piero Baraldi, Francesco Di Maio and Enrico Zio. Copyright © ESREL2020-PSAM15 Organizers. Published by Research Publishing, Singapore. ISBN: 978-981-14-8593-0; doi:10.3850/978-981-14-8593-0 1352
Possible countermeasures to cyber threats in the field of SCADA systems are represented by digital twins. A digital twin (DT) is a digital copy of physical entities (Tao et al., 2019), with the aim of simulating and reflecting the state and behaviors of physical entities by means of modeling and simulation analysis. Through feedback, a DT must predict and control its future states and behaviors. To reach this target, the first and most important step is to create virtual models with a very high level of fidelity. The DT, in order to be consistent, must mimic the physical properties, the behaviors and the mathematical laws of the physical counterpart. These models must also simulate the spatiotemporal status. In summary, the virtual model and the physical entities must evolve in parallel like mirrors of the same reality. For numerical reasons, a DT has to adjust to the physical process through feedback; to do so, a bidirectional mapping must be used, so that both worlds can evolve together. As described in (Tao et al., 2019), the fault detection method mimics the physical world instead of checking the bounds of normal operation in order to detect faults and cyber-attacks. The algorithm becomes more sophisticated when more detailed models, like the ones used in process control, are available. However, the use of fully integrated DTs in manufacturing is minimal. Few publications deal with more than small parts of DT development, and none covers the introduction of DTs into manufacturing completely, from physical and virtual modeling to the data.
In (Puig et al., 2016) the authors propose a procedure based on checking the consistency between the observed and the normal system behavior using a set of analytical redundancy relations, which relate the values of the measured variables according to a normal operation model of the monitored system.
In (Soupionis et al., 2016) two algorithms are proposed for cyber-attack detection in power grid infrastructures: limit checking and model-based fault detection. In order to adjust the model parameters, the authors propose to train the detector with normal operation data streams coming from the sensors.
Data Fusion (Fuller et al., 2019; Haghighat et al., 2016) is a promising and heavily explored research area, but not yet widely applied in the industrial sector. Data fusion, which at the industrial level takes the form of sensor fusion, collects information coming from many sources in order to take decisions. Of course, collecting data from many sources yields more information than a single source. Another way is to join data fusion with the development of generic models. The literature is exploring how to combine predictive maintenance with digital twins and data fusion (Cai et al., 2017; Liu et al., 2018). There is still a lack of standardized approaches for joining digital twins and data fusion.

Fig. 1. Scheme of the part of the testbed involved in the study.
1.1. Contribution
In this paper we propose the analysis of a malicious cyber-attack against a real SCADA system. Our goal is to identify the connection between the cyber and the physical relations in this kind of infrastructure in order to propose efficient countermeasures able to identify cyber threats. Our study considers a simplified scenario characterized by a human operator who sends control signals to the system in order to manage its behavior, while receiving data from the sensors. Moreover, the operator is supported by a digital twin able to predict the state of the controlled system and to highlight the presence of non-standard dynamics. The aim of the attacker is the modification of the sensor data in order to compromise the state of the system. We propose the implementation of two different cyber-attacks in order to highlight the strengths and the weaknesses of DT applications. The paper is organized as follows: in Section 2 we summarize the main cyber and physical aspects of the adopted test bed. In Section 3 we discuss the aim of the attacker and the adopted strategies. The results are discussed in Section 4; finally, some concluding remarks complete the paper in Section 5.
2. The Test Bed Environment
2.1. Physical Process
The test environment is the test bed described in Bernieri et al. (2017), which emulates the water distribution system of a small city. The physical architecture is composed of 5 tanks connected by pipes, and each tank is equipped with a sensor measuring the water level. The water flow is managed by actuators (pumps and valves). For the sake of simplicity, in this work we adopt only a part of the entire test bed, namely the system shown in Figure 1. The adopted system is composed of two tanks, each equipped with a sensor, two valves and a centrifugal pump which generates a water flow from a water reservoir. As mentioned above, the test bed is supported by a DT able to predict the system state. As shown in Figure 2.a, the control signals sent from the operator to the test bed are also processed by a DT based on the dynamic mathematical model of the system. In this way the digital twin is able to provide the expected behavior of the system and, where present, to flag unexpected measures. The dynamic mathematical model, described by Eq. 1, is based on mass conservation and Bernoulli's law for liquids.
$$
\begin{cases}
\dot{\hat h}_1(t) = -\,v_1(t)\,\dfrac{a}{A_1}\sqrt{2g\,\hat h_1(t)} + \dfrac{Q(t)}{A_1} \\[2ex]
\dot{\hat h}_2(t) = -\,v_2(t)\,\dfrac{a}{A_2}\sqrt{2g\,\hat h_2(t)} + v_1\,\dfrac{a}{A_2}\sqrt{2g\,\hat h_1(t)}
\end{cases}
\qquad (1)
$$
The two-tank system represented by Eq. 1 is a Multiple-Input Multiple-Output (MIMO) system with three inputs (two valves and a pump) and two outputs (the measures of the two water levels h1 and h2). A1 and A2 respectively represent the cylindrical sections of Tank 1 and Tank 2; the tanks are connected via cylindrical pipes characterized by a section a. Concerning the two valves, vi ∈ {0, 1}: if vi = 0 the valve is closed, otherwise it is open. Finally, g represents the gravitational acceleration and Q is the input flow due to the activation of the centrifugal pump.
As depicted in Figure 2.a, the operator sends the actuator commands (v1, v2, Q) to the tank system in order to manage the water flow. Periodically, the sensors send the measures of the water levels (h1, h2) to the operator. Note that the actuator control signals and the measures retrieved from the sensors are also given as input to the DT. The DT predicts the evolution of the measures of the system according to the mathematical model, compares the predicted measures (ĥ1, ĥ2) with the measures it retrieves from the sensors, and evaluates the difference according to Eq. 2.

$$
r(t) = \frac{1}{T}\int_{t-T}^{t}\Big(\,|\hat h_1(t) - h_1(t)| + |\hat h_2(t) - h_2(t)|\,\Big)\,dt \qquad (2)
$$
Fig. 2. Data exchange between human operator, SCADA system, and DT: (a) scenario in normal conditions; (b) scenario in presence of cyber threat.
Note that the value r takes into account the evolution of the measures and the associated estimates over a time window T. The DT informs the operator that there is an anomaly in the system behavior by triggering an alarm when r is larger than a threshold β. The threshold depends on the accuracy of the model: too low a value produces false alarms, whereas too high a value reduces the sensitivity to faults. The value of β is usually defined by analyzing the system under normal conditions.
2.2. Network Description
We now analyze the cyber architecture of the test environment. In normal conditions, the LAN of the test bed is composed of a network switch and only two hosts: the SCADA system and the operator's interface equipped with a DT. The data exchange between the operator's interface and the SCADA system is based on the Modbus/TCP protocol (Erez and Wool (2015)). Modbus is a data transmission protocol developed by Modicon and widely adopted in industrial environments. It provides a Master/Slave communication architecture among the devices connected to the network, according to a request/response scheme. The Modbus packet is divided into two fields: a dedicated header, the Modbus Application Protocol (MBAP) header, and a Protocol Data Unit (PDU). The Modbus protocol provides a set of 18 defined functions for data access and diagnostic services.

Fig. 3. Three-step routine: (a) Step 1; (b) Step 2; (c) Step 3.
The PDU field of a Modbus packet is composed of two fields: the function code indicates the type of action to be performed by the slave, while the data field contains the data related to the requested action. In this context, we focus our attention on the Read Input Register and Write Single Coil functions, respectively used to acquire data from the sensors and to send commands to the actuators in order to change their state.
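As an added illustration (not code from the paper), the following Python parser splits a Modbus/TCP frame into its MBAP header and PDU, decodes the two functions used in the test bed (Read Input Register responses, function code 4, and Write Single Coil requests, function code 5), and rejects frames whose length or byte-count fields disagree with the bytes actually carried, which is the inconsistency a monitor can check on every frame. The sample frames, and the choice of coil address 1 for valve v2, are constructed here and are not taken from the paper's network.

```python
import struct

FC_READ_INPUT_REGISTERS = 4   # sensor readings (h1, h2) travel in these responses
FC_WRITE_SINGLE_COIL = 5      # valve/pump commands travel in these requests
MBAP_LEN = 7                  # transaction id (2), protocol id (2), length (2), unit id (1)


def build_frame(transaction_id, unit_id, pdu):
    """Assemble a Modbus/TCP frame; the MBAP length field counts unit id + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame, direction):
    """Split a Modbus/TCP frame into MBAP header and PDU and return the fields a
    monitor cares about. `direction` is 'request' (master -> slave) or
    'response' (slave -> master); a passive monitor knows it from the TCP side.
    Raises ValueError on any internal inconsistency instead of guessing."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    pdu = frame[MBAP_LEN:]
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # A length field that disagrees with the bytes actually carried is the kind of
    # inconsistency that makes a receiver discard the frame (see footnote [a]).
    if length != len(pdu) + 1:
        raise ValueError(f"MBAP length {length} != {len(pdu) + 1} bytes on the wire")
    fc = pdu[0]
    out = {"transaction_id": transaction_id, "unit_id": unit_id, "function_code": fc}
    if fc & 0x80:                                   # exception response
        out["exception_code"] = pdu[1]
    elif fc == FC_READ_INPUT_REGISTERS and direction == "response":
        byte_count = pdu[1]                         # response: byte count + 16-bit registers
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match register payload")
        out["registers"] = list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))
    elif fc == FC_READ_INPUT_REGISTERS:             # request: start address, quantity
        if len(pdu) != 5:
            raise ValueError("Read Input Registers request PDU must be 5 bytes")
        out["start"], out["quantity"] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_WRITE_SINGLE_COIL:                # request and response share one layout
        if len(pdu) != 5:
            raise ValueError("Write Single Coil PDU must be 5 bytes")
        address, value = struct.unpack(">HH", pdu[1:5])
        if value not in (0x0000, 0xFF00):
            raise ValueError(f"coil value {value:#06x} is neither ON nor OFF")
        out["coil"], out["on"] = address, value == 0xFF00
    return out


# Constructed sample traffic (not captured from the paper's test bed): a Read Input
# Register response carrying h1 = 1000 and h2 = 0, and the operator's Write Single
# Coil request opening valve v2, assumed here to sit at coil address 1.
SAMPLE_LEVELS = build_frame(1, 1, bytes([FC_READ_INPUT_REGISTERS, 4]) + struct.pack(">HH", 1000, 0))
SAMPLE_OPEN_V2 = build_frame(2, 1, bytes([FC_WRITE_SINGLE_COIL]) + struct.pack(">HH", 1, 0xFF00))
# The same response with one data byte dropped, leaving the MBAP length field stale.
SAMPLE_TRUNCATED = SAMPLE_LEVELS[:-1]


if __name__ == "__main__":
    print(parse_frame(SAMPLE_LEVELS, "response"))
    print(parse_frame(SAMPLE_OPEN_V2, "request"))
    try:
        parse_frame(SAMPLE_TRUNCATED, "response")
    except ValueError as err:
        print("rejected:", err)
```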
2.3. Operator’s Activities
We now conclude the definition of the test bed environment by describing how the operator interacts with the tank system. Periodically, the operator performs a series of manual activities. A three-step routine, depicted in Figure 3, is necessary to partially empty and refill Tank 1. Starting from an initial state, at t = T0, characterized by h1 = 2000 and h2 = 0, the operator opens valve v1 in order to partially empty Tank 1 (Figure 3(a)). The valve remains open until the level h1 reaches the value 1000. When, at t = T1, h1 = 1000, the operator starts the second step (Figure 3(b)): he/she closes valve v1, opens valve v2 and activates the flow Q from the water reservoir in order to refill Tank 1 and empty Tank 2. When, at t = T2 (Figure 3(c)), h1 = 2000 and h2 = 0, the operator deactivates the pump and closes valve v2 (third step). The state of the system now corresponds to the initial state and the control routine can be repeated.
3. Attacker Behavior
In this section we describe the aim of the attacker. The attacker wants to mislead the operator by modifying the data flow over the network and corrupting the measures he/she acquires from the sensors. In more detail, the attacker starts his/her malicious activities at t = T1 and modifies the real values retrieved from the sensors in order to simulate a fake emptying process of Tank 2, anticipating the real process expected during the second step (see Section 2.3). As depicted in Figure 2.b, the attacker is connected to the test bed network. In the simulation setting we adopt a Kali Linux (Allen et al. (2014)) distribution to compromise the data exchange. The man in the middle (MITM) attack is a type of cyber threat that allows the attacker to read, modify or inject packets between two communicating peers on the network. In order to carry out a malicious action on the system, the attacker must be able to communicate over the network. From a methodological point of view, a preliminary step must be carried out in order to perform a MITM attack: ARP spoofing. This fundamental preliminary step is necessary for modifying the ARP tables of the victim hosts involved in the MITM attack. For the sake of simplicity, in this context we omit the details of this procedure; for further notions about this technique see Whalen (2001). We now illustrate two different attack strategies to reproduce a fake emptying process of Tank 2 during the second step of the operator's activities.
3.1. MITM Attack
As introduced before, the attacker starts his/her malicious activities at t = T1. In the second step of the three-step routine, the operator opens valve v2 in order to drain Tank 2. In this first attack strategy, the attacker wants to reproduce a fake fast emptying process with the aim of causing a water overflow when the operator restarts the three-step procedure. More precisely, at t = T1, the attacker compromises the Read Input Register response sent by the sensor to the operator by changing the measure associated with Tank 2 in the PDU. In this attack strategy the attacker instantly reduces the measure of Tank 2 from the real value (h2) to h2^a = 0. When t = T1 the attacker starts searching for the Modbus packets containing the water level measures. To this end, he/she analyzes the intercepted Modbus traffic looking for a Read Input Register response sent from the sensors to the operator. This kind of packet is characterized by the value 4 in the Function Code field. When the packet is identified, the attacker modifies the data value associated with the Tank 2 measure and calculates the new length and the new checksum for the packet [a]. Once the data, length and checksum fields are modified, the attacker sends the modified packet to the operator.
3.2. Stealth MITM Attack
In our experiment we also propose a stealth version of the MITM attack. In more detail, when t = T1, the attacker corrupts two different kinds of packets. The first corrupted packet is the v2 opening command sent to the SCADA system by the operator. In this case, the attacker identifies the packet containing the Write Single Coil request, sent from the user to the SCADA system (function code set to 5), and modifies the value from 1 (open valve v2) to 0 (close valve v2^a). The second packet modification concerns the traffic related to the Read Input Register responses. As described before, the attacker aims at simulating a fake Tank 2 emptying process by setting the real measure (h2) to h2^a = 0. In this case, the attacker corrupts the real value according to the emptying model of Tank 2. In this way the attacker simulates a realistic emptying process for Tank 2, while valve v2 is closed and the water remains in the tank.
4. Simulations and Results
In this section we analyze the effectiveness of the two attack strategies defined in Section 3.1 and Section 3.2 by implementing two Python scripts and analyzing the DT alarm activations during the three-step routine defined in Section 2.3. As described in Section 2.1, the DT takes into account the physical model of the test bed and activates an alarm if the measures received from the sensors do not correspond to the predicted values. If the difference between the real value hi and the predicted value ĥi, evaluated in terms of r (Eq. 2), is larger than the threshold β = 200, then the DT activates an alarm for the operator.

In Figure 4.a, the output of the DT is shown in case of a MITM intrusion, according to the attack strategy described in Section 3.1. At t = T1 the attacker corrupts the measures of the water in Tank 2 by setting the value h2 = h2^a = 0. This data modification causes the DT output r to increase, due to the large difference between the predicted value ĥ2 and the corrupted measure h2^a. In this case, when t = T1, r > β and hence the cyber intrusion is detected.

[a] The size of the packet and the checksum values are stored in two dedicated fields of the packet. When the attacker corrupts the measures, he/she must calculate the new values for these fields in order to avoid inconsistencies, which would cause the receiving host to discard the packet.

Fig. 4. DT output in case of MITM attack on the h2 measure, with T1 and T2 marked: (a) DT output in case of MITM; (b) DT output in case of Stealth MITM.
In the second case the attacker modifies the network traffic according to the strategy illustrated in Section 3.2. In this setting, due to the cyber intrusion and the data modification, the SCADA system ignores the opening command of valve v2 at t = T1; moreover, the measures of the water level in Tank 2 are corrupted according to the emptying model of the tank. As shown in Figure 4.b, in this case the corrupted measures received by the DT are in line with the estimated values and r < β. In this way, the MITM attack is not detected and, at t = T2, the user can restart the routine confident that Tank 2 is empty when it is actually full, causing a water overflow.
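As an added example (not the authors' Python scripts), the following code discretizes the two-tank model of Eq. 1 and the residual of Eq. 2 (Section 2.1) and replays step 2 of the operator's routine under no attack, the MITM of Section 3.1 and the stealth MITM of Section 3.2, reproducing why only the first attack exceeds the threshold β = 200. The tank sections, pipe section, pump flow, window length and the levels at T1 are assumed values chosen here, since the paper gives none.

```python
import math

# Constructed parameters: the paper gives no numeric values for A1, A2, a, Q or T,
# so these are assumptions chosen only to make the dynamics visible.
A1, A2 = 1.0, 1.0      # cylindrical sections of Tank 1 and Tank 2
a = 0.05               # section of the connecting pipes
g = 9.81               # gravitational acceleration
Q_PUMP = 10.0          # input flow while the centrifugal pump is on
T_WINDOW = 20          # window T of Eq. 2, in samples
BETA = 200.0           # alarm threshold beta used in Section 4


def tank_step(h1, h2, v1, v2, Q, dt=1.0):
    """One explicit Euler step of the two-tank model of Eq. 1 (mass conservation
    plus Bernoulli outflow through a pipe of section a)."""
    out1 = v1 * a * math.sqrt(2 * g * max(h1, 0.0))   # Tank 1 -> Tank 2 when v1 is open
    out2 = v2 * a * math.sqrt(2 * g * max(h2, 0.0))   # Tank 2 -> outside when v2 is open
    h1n = h1 + dt * (Q - out1) / A1
    h2n = h2 + dt * (out1 - out2) / A2
    return max(h1n, 0.0), max(h2n, 0.0)


def residual(predicted, measured, T=T_WINDOW):
    """Eq. 2 in discrete form: mean over the last T samples of
    |h1_hat - h1| + |h2_hat - h2|."""
    window = list(zip(predicted, measured))[-T:]
    return sum(abs(p1 - m1) + abs(p2 - m2)
               for (p1, p2), (m1, m2) in window) / len(window)


def run_scenario(attack, steps=60):
    """Simulate step 2 of the routine from t = T1 (v1 closed, v2 opened, pump on)
    under 'none', 'mitm' (Section 3.1) or 'stealth' (Section 3.2). Returns the
    DT residual, the alarm flag and the real versus reported level of Tank 2."""
    plant = (1000.0, 1000.0)   # assumed state at T1: h1 = 1000, Tank 2 holding the drained water
    twin = plant               # the DT starts from the same state and runs the model open loop
    fake = plant               # attacker's own copy of the emptying model (stealth case)
    predicted, measured = [], []
    for _ in range(steps):
        cmd_v2 = 1                                  # operator's Write Single Coil: open v2
        # Stealth case: the command on the wire is altered to 0, so the real valve stays closed.
        plant_v2 = 0 if attack == "stealth" else cmd_v2
        plant = tank_step(*plant, v1=0, v2=plant_v2, Q=Q_PUMP)
        twin = tank_step(*twin, v1=0, v2=cmd_v2, Q=Q_PUMP)   # DT trusts the operator's command
        h1_rep, h2_rep = plant                      # Read Input Register response as sent by sensors
        if attack == "mitm":
            h2_rep = 0.0                            # Tank 2 reported empty at once
        elif attack == "stealth":
            fake = tank_step(*fake, v1=0, v2=1, Q=Q_PUMP)
            h2_rep = fake[1]                        # reported level follows the emptying model
        predicted.append(twin)
        measured.append((h1_rep, h2_rep))
    r = residual(predicted, measured)
    return {"r": r, "alarm": r > BETA,
            "real_h2": plant[1], "reported_h2": measured[-1][1]}


if __name__ == "__main__":
    for case in ("none", "mitm", "stealth"):
        out = run_scenario(case)
        print(f"{case:8s} r={out['r']:8.1f} alarm={out['alarm']!s:5s} "
              f"real h2={out['real_h2']:7.1f} reported h2={out['reported_h2']:7.1f}")
```

In the stealth run the reported level tracks the DT's own prediction, so r stays at zero while the real level of Tank 2 never moves; only a check on the commanded valve state against the physical outflow, rather than on the reported levels, would expose it.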
5. Conclusions and Future Works
In this paper a water distribution system has been emulated and a MITM attack has been performed in order to highlight the most vulnerable aspects of the Modbus protocol and of DT adoption. It has been demonstrated that, despite the presence of a DT, the effects of a cyber-attack can be hard to identify when the attacker's strategy is in line with the physical behavior of the system. Consequently, this kind of intrusion can modify the state of the plant. This fact suggests that, due to the strong relation between the cyber and the physical layer of a CPS, a valid countermeasure to exogenous intrusions must also consider the cyber perspective of the environment. Future work will examine the integration of the digital twin, for the physical check of the system state, with a network traffic controller for the detection of cyber intrusions able to modify the behavior of the system.
References
Allen, L., T. Heriyanto, and S. Ali (2014). Kali Linux – Assuring security by penetration testing. Packt Publishing Ltd.
Bencsáth, B., G. Pék, L. Buttyán, and M. Félegyházi (2011). Duqu: A Stuxnet-like malware found in the wild. CrySyS Lab Technical Report 14.
Bernieri, G., E. E. Miciolino, F. Pascucci, and R. Setola (2017). Monitoring system reaction in cyber-physical testbed under cyber-attacks. Computers & Electrical Engineering 59, 86–98.
Cai, Y., B. Starly, P. Cohen, and Y.-S. Lee (2017). Sensor data and information fusion to construct digital-twins virtual machine tools for cyber-physical manufacturing. Procedia Manufacturing 10, 1031–1042.
Erez, N. and A. Wool (2015). Control variable classification, modeling and anomaly detection in Modbus/TCP SCADA systems. International Journal of Critical Infrastructure Protection 10, 59–70.
Falliere, N., L. Murchu, and E. Chien (2011, February). W32.Stuxnet Dossier. Technical Report 1.4, Symantec.
Farmer, R. D., G. Cohen, and D. Zimmerman (2001). Causes and lessons of the California electricity crisis. CBO.
Fuller, A., Z. Fan, and C. Day (2019). Digital twin: Enabling technology, challenges and open research.
Haghighat, M., M. Abdel-Mottaleb, and W. Alhalabi (2016, September). Discriminant Correlation Analysis: Real-Time Feature Level Fusion for Multimodal Biometric Recognition.
Liu, Z., N. Meyendorf, and N. Mrad (2018). The role of data fusion in predictive maintenance using digital twin. (Provo, Utah, USA).
Maas, G., M. Bial, and J. Fijalkowski (2007). Final report – system disturbance on 4 November 2006. Union for the Coordination of Transmission of Electricity in Europe, Tech. Rep.
Puig, V., T. Escobet, R. Sarrate, and J. Quevedo (2016). Fault detection and isolation in critical infrastructure systems. In C. G. Panayiotou, G. Ellinas, E. Kyriakides, and M. M. Polycarpou (Eds.), Critical Information Infrastructures Security, Cham, pp. 3–12. Springer International Publishing.
Slay, J. and M. Miller (2008). Lessons learned from the Maroochy water breach. Springer.
Soupionis, Y., S. Ntalampiras, and G. Giannopoulos (2016). Faults and cyber attacks detection in critical infrastructures. In C. G. Panayiotou, G. Ellinas, E. Kyriakides, and M. M. Polycarpou (Eds.), Critical Information Infrastructures Security, Cham, pp. 283–289. Springer International Publishing.
Tao, F., Q. Qi, L. Wang, and A. Nee (2019). Digital twins and cyber-physical systems toward smart manufacturing and industry 4.0: Correlation and comparison. Engineering.
Whalen, S. (2001). An introduction to ARP spoofing. Node99 [Online Document], April.