Anomaly and Attack Detection in Supervisory Control Networks for Cyber-Physical
Systems
Ernesto Del Prete and Fabio Pera
National Institute for Insurance against Accidents at Work, Italy. E-mail: {e.delprete, f.pera}@inail.it
Luca Faramondi, Camilla Fioravanti, Simone Guarino, Gabriele Oliva, and Roberto Setola
Department of Engineering, Campus Bio-Medico University of Rome, Italy.
E-mail: {l.faramondi, g.oliva, r.setola}@unicampus.it {camilla.fioravanti, simone.guarino}@alcampus.it
As shown by recent episodes such as STUXNET or TRITON, the supervisory networks in charge of controlling Cyber-Physical Systems (CPS) are prone to cyber-attacks that could potentially cause physical consequences, in terms of disruption of operational continuity (e.g., physical damage to equipment) or in terms of safety of workers and their environment (e.g., waste water leakage or release of toxic gases). Traditional intrusion or anomaly detection systems have proven effective in detecting classical attack patterns, but may fail to identify cyber-attacks that exploit the physical characteristics of the CPS. From this perspective, even a situation or configuration that is formally correct (e.g., a tank level below the upper limit) may be an anomaly depending on the physical condition and the dynamics of the process. In order to spot sophisticated attacks, it is mandatory to consider the dynamics of the physical system being controlled. This is the scope of this paper, where we show that a digital twin (i.e., a real-time simulation of the physical process) can be quite beneficial for the identification of some types of cyber-attacks, but is itself vulnerable to smart stealth threats. The proposed approach is validated on a test bed environment featuring a small-scale hardware simulator of a water distribution network, a control network and a SCADA system.
Keywords: Cyber-Physical Systems, Cyber Attacks, Cyber-Physical Attack Detection, Digital Twin.
1. Introduction
In recent years, the automation systems dedicated to the management and control of both civil and industrial facilities have become vulnerable to cyber threats. Modern society depends on complex engineering systems known as Critical Infrastructures (CIs); the main examples are electrical power plants and national electrical grids, oil and natural gas systems, telecommunication and information networks, water distribution systems, transportation networks, banking and financial institutions, healthcare and security services. These systems represent the backbone of a nation's economy, security and health systems; therefore they must be safely managed and available 24 hours a day.
Experience and the analysis of historical data show that these requirements have not always been met; on many occasions, in fact, CI systems collapsed, entailing all sorts of catastrophic consequences. In early 2001, electric power disruptions stopped oil and natural gas production, refinery operations and the pipeline transport of gasoline and jet fuel in California and many of its neighboring states; the movement of water from the northern to the central and southern regions of the state for crop irrigation was affected as well (Farmer et al. (2001)). In November 2006, a local failure in the German grid spread to various European areas, leaving 10 million people in darkness in Germany, Austria, France, Italy, Belgium and Spain (Maas et al. (2007)). Similarly unpleasant consequences can occur in case of one or more failures within the systems that manage water infrastructures, especially when such a deficiency is not immediately detected. In March 2000, the Australian Maroochy Shire Council experienced problems with its new waste water facility: an insider contractor hacked into the system, with the consequence that more than one million liters of untreated sewage were released into waterways and local parks (Slay and Miller (2008)).
Over large geographic areas usually covered by
CIs, both the management of the huge information
flow and the control of automated tasks are pro-
vided by complex systems known as SCADA (Su-
pervisory Control and Data Acquisition); this tight
coupling with the information technology leads
to a dangerous cyber threat exposure. Stuxnet (Falliere et al. (2011)) and Duqu (Bencsáth et al. (2011)) are only the most impressive examples of how potential attackers could take advantage of these vulnerabilities. Hence, preserving CIs from these risks is an unavoidable necessity.

Proceedings of the 30th European Safety and Reliability Conference and the 15th Probabilistic Safety Assessment and Management Conference. Edited by Piero Baraldi, Francesco Di Maio and Enrico Zio. Copyright © ESREL2020-PSAM15 Organizers. Published by Research Publishing, Singapore. ISBN: 978-981-14-8593-0; doi:10.3850/978-981-14-8593-0
One possible countermeasure to cyber threats in the field of SCADA systems is the digital twin. A digital twin (DT) is a digital copy of a physical entity (Tao et al., 2019), built to simulate and reflect the state and behavior of the physical entity by means of modeling and simulation. Through feedback, a DT must predict and control its future states and behaviors. To reach this target, the first and most important step is to create virtual models with a very high level of fidelity: to be consistent, the DT must mimic the physical properties, the behaviors and the mathematical laws of its physical counterpart, and the models must also reproduce its spatiotemporal state. In summary, the virtual model and the physical entity must evolve in parallel, like mirrors of the same reality. Since any numerical model drifts from the real process, a DT has to be corrected through feedback, and a bidirectional mapping between the two worlds is needed so that they evolve together. As described in (Tao et al., 2019), a DT-based fault detection method mimics the physical world instead of merely checking the bounds of normal operation in order to detect faults and cyber-attacks. The algorithm becomes more sophisticated when more detailed models, like the ones used in process control, are available. Nevertheless, the use of fully integrated DTs in manufacturing is still minimal: few publications deal with more than small parts of the development of a DT, and none covers the complete introduction of DTs into manufacturing, from physical and virtual modeling to the data.
In (Puig et al., 2016) the authors propose a procedure based on checking the consistency between the observed and the normal system behavior using a set of analytical redundancy relations, which relate the values of the measured variables according to a normal-operation model of the monitored system.

In (Soupionis et al., 2016) two algorithms are proposed for cyber-attack detection in power grid infrastructures: limit checking and model-based fault detection. In order to adjust the model parameters, the authors propose to train the detector with normal-operation data streams coming from the sensors.
Data fusion (Fuller et al., 2019) (Haghighat et al., 2016) is a promising and heavily explored research area, but it is not yet widely applied in the industrial sector. Data fusion, which at the industrial level takes the form of sensor fusion, collects information coming from many sources in order to take decisions; collecting data from many sources obviously yields more information than a single source does. Another way is to combine data fusion with the development of generic models. The literature is exploring how to combine predictive maintenance with digital twins and data fusion (Cai et al., 2017) (Liu et al., 2018). There is still a lack of standardized approaches for joining digital twins and data fusion.

Fig. 1. Scheme of the part of the testbed involved in the study.
1.1. Contribution
In this paper we analyze a malicious cyber-attack against a real SCADA system. Our goal is to identify the connection between the cyber and the physical layers in this kind of infrastructure, in order to propose efficient countermeasures able to identify cyber threats. Our study considers a simplified scenario characterized by a human operator who sends control signals to the system in order to manage its behavior, receiving data from the sensors. Moreover, the operator is supported by a digital twin able to predict the state of the controlled system and to highlight the presence of non-standard dynamics. The aim of the attacker is the modification of the sensor data in order to compromise the state of the system. We implement two different cyber-attacks in order to highlight the strengths and the weaknesses of DT applications. The paper is organized
as follows: in Section 2 we summarize the main
cyber and physical aspects of the adopted test bed.
In Section 3 we discuss the aim of the attacker and
the adopted strategies. The results are discussed
in Section 4, finally, some conclusive remarks
complete the paper in Section 5.
2. The Test Bed Environment
2.1. Physical Process
The test environment is represented by the test bed described in Bernieri et al. (2017), which emulates the water distribution system of a small city. The physical architecture consists of five tanks connected by pipes, and each tank is equipped with a sensor that measures the water level. The water flow is managed by actuators (pumps and valves). For the sake of simplicity, in this work we adopt only a part of the entire test bed, namely the system shown in Figure 1. The adopted system consists of two tanks, each equipped with a level sensor, two valves and a centrifugal pump which generates a water flow from a water reservoir. As mentioned above, the test bed is supported by a DT able to predict the system state. As shown in Figure 2.a, the control signals sent from the operator to the test bed are also processed by a DT based on the dynamic mathematical model of the system. In this way the digital twin is able to provide the expected behavior of the system and hence to flag the presence of unexpected measurements. The dynamic mathematical model, described by Eq. 1, is based on mass conservation and on Bernoulli's law for liquids (the Torricelli outflow through each open valve).
$$
\begin{aligned}
\dot{\hat h}_1(t) &= -\,v_1(t)\,\frac{a}{A_1}\sqrt{2g\,\hat h_1(t)} + \frac{Q(t)}{A_1} \\
\dot{\hat h}_2(t) &= -\,v_2(t)\,\frac{a}{A_2}\sqrt{2g\,\hat h_2(t)} + v_1(t)\,\frac{a}{A_2}\sqrt{2g\,\hat h_1(t)}
\end{aligned}
\qquad (1)
$$
The two-tank system, represented by Eq. 1, is a Multiple-Input Multiple-Output (MIMO) system with three inputs (two valves and a pump) and two outputs (the measures of the two water levels h1 and h2). A1 and A2 respectively represent the cylindrical sections of Tank 1 and Tank 2; the tanks are connected via cylindrical pipes characterized by a section a. Concerning the two valves, v_i ∈ {0, 1}: if v_i = 0 the valve is closed, otherwise it is open. Finally, g represents the gravitational acceleration and Q is the input flow due to the activation of the centrifugal pump. The square-root terms are the Torricelli outflow velocity through an open valve, scaled by the pipe-to-tank section ratio a/A_i; the water leaving Tank 1 through v1 is the inflow of Tank 2.
As depicted in Figure 2.a, the operator sends the actuator commands (v1, v2, Q) to the tank system in order to manage the water flow. Periodically, the sensors send the measures of the water levels (h1, h2) to the operator. Note that the actuator control signals and the measures retrieved from the sensors are also given as input to the DT. The DT predicts the evolution of the measures of the system according to the mathematical model, compares the predicted measures (ĥ1, ĥ2) to the measures retrieved from the sensors, and evaluates the difference according to Eq. 2.

$$
r(t) = \frac{1}{T}\int_{t-T}^{t} \Big( \big|\hat h_1(\tau) - h_1(\tau)\big| + \big|\hat h_2(\tau) - h_2(\tau)\big| \Big)\, d\tau \qquad (2)
$$
Fig. 2. Data exchange between human operator, SCADA system, and DT: (a) scenario in normal conditions; (b) scenario in presence of cyber threat.
Note that the value r takes into account the evolution of the measures and of the associated estimates over a time window T. The DT informs the operator that there is an anomaly in the system behavior by triggering an alarm when r is larger than a threshold β. The threshold depends on the accuracy of the model: a value that is too low produces false alarms, whereas a value that is too high makes the detector blind to small faults. The value of β is usually defined by analyzing the system under normal conditions, i.e. from the residual observed when no fault or attack is present.
2.2. Network Description
We now analyze the cyber architecture of the test
environment. In normal conditions, the LAN of
the test bed is composed by a network switch
and only two hosts: the SCADA system and the
operator’s interface equipped with a DT. The data
exchange between the operator’s interface and the
SCADA system is based on the Modbus/TCP pro-
tocol (Erez and Wool (2015)). The Modbus is a
data transmission protocol developed by Modicon
and largely adopted in industrial environments.
It ensures a Master/Slave communication archi-
tecture among devices connected to the network,
according to a request/response scheme. The
Modbus packet is divided into two fields: a ded-
icated header, the Modbus Application Protocol
(MBAP), and a Protocol Data Unit (PDU). The
Modbus protocol provides a set of 18 defined
functions for data access and diagnostic services.
Fig. 3. Three-step routine: (a) Step 1; (b) Step 2; (c) Step 3.
The PDU field of a Modbus packet is composed of two fields: the function code indicates the type of action to be performed by the slave, while the data field carries the parameters of the request or, in a response, the data related to the requested action. In this context, we focus our attention on the Read Input Register (function code 4) and Write Single Coil (function code 5) functions, respectively used to acquire data from the sensors and to send commands to the actuators in order to change their state.
2.3. Operator’s Activities
We now conclude the definition of the test bed environment by describing how the operator interacts with the tank system. Periodically, the operator performs a series of manual activities. A three-step routine is necessary for partially emptying and refilling Tank 1, as depicted in Figure 3. Starting from an initial state, at t = T0, characterized by h1 = 2000 and h2 = 0, the operator opens valve v1 in order to partially empty Tank 1 (Figure 3(a)). The valve remains open until the level h1 reaches the value 1000. When, at t = T1, h1 = 1000, the operator starts the second step (Figure 3(b)): he/she closes valve v1, opens valve v2 and activates the flow Q from the water reservoir in order to refill Tank 1 and to empty Tank 2. When, at t = T2 (Figure 3(c)), h1 = 2000 and h2 = 0, the operator deactivates the pump and closes valve v2 (third step). The state of the system now corresponds to the initial state and the control routine can be repeated.
3. Attacker Behavior
In this section we describe the aim of the attacker. The attacker wants to mislead the operator by modifying the data flow over the network and by corrupting the measures he/she acquires from the sensors. In more detail, the attacker starts his/her malicious activities at t = T1, modifying the real values retrieved from the sensors in order to simulate a fake emptying process of Tank 2, anticipating the real process that is expected during the second step (see Section 2.3). As depicted in Figure 2.b, the attacker is connected to the test bed network. In the simulation setting we adopt a Kali Linux (Allen et al. (2014)) distribution to compromise the data exchange. The man-in-the-middle attack (MITM) is a class of cyber threat that allows the attacker to read, modify or inject packets between two communicating peers on the network. With the purpose of carrying out a malicious action on the system, the attacker must be able to communicate over the network. From a methodological point of view, a preliminary step must be carried out in order to perform a MITM attack: ARP spoofing. This fundamental preliminary step is necessary for modifying the ARP tables of the victims (hosts) involved in the MITM attack, so that each of them resolves the other's IP address to the attacker's MAC address and the traffic is routed through the attacker's host. For the sake of simplicity, in this context we omit the details of this procedure; for further notions about this technique see Whalen (2001). We now illustrate two different attack strategies to reproduce a fake emptying process of Tank 2 during the second step of the operator's activities.
3.1. MITM Attack
As introduced before, the attacker starts his/her malicious activities at t = T1. In the second step of the three-step routine, the operator opens valve v2 in order to drain Tank 2. In this first attack strategy, the attacker wants to reproduce a fake, fast emptying process with the aim of causing a water overflow when the operator restarts the three-step procedure. More precisely, at t = T1, the attacker compromises the Read Input Register response sent by the sensor to the operator by changing the measure associated with Tank 2 in the PDU. In this attack strategy the attacker instantly reduces the measure of Tank 2 from the real value (h2) to h2^a = 0. When t = T1 the attacker starts searching for Modbus packets containing the measures of the water level. To this end, he/she analyzes the intercepted Modbus traffic looking for a Read Input Register response sent from the sensors to the operator. This kind of packet is characterized by the value 4 in the Function Code field. When the packet is identified, the attacker modifies the data value associated with the Tank 2 measure and calculates the new length and the new checksum for the packet (footnote a). Once the data, the length and the checksum fields are modified, the attacker sends the modified packet to the operator. Note that, because a 16-bit register value is replaced by another 16-bit value, neither the MBAP length field nor the response byte count actually changes; what must be recomputed is the transport-layer (TCP and IP) checksum, since a Modbus/TCP frame carries no checksum of its own (unlike Modbus RTU, which appends a CRC).
3.2. Stealth MITM Attack
In our experiment we also propose a stealthy version of the MITM attack. In more detail, when t = T1, the attacker corrupts two different kinds of packets. The first corrupted packet is the v2 opening command sent to the SCADA system by the operator. In this case, the attacker identifies the packet containing the Write Single Coil request, sent from the operator to the SCADA system (function code set to 5), and modifies the coil value from 1 (open valve v2) to 0 (close valve v2), so that the command actually delivered is v2^a = 0. The second packet modification concerns the traffic related to the Read Input Register responses. As described before, the attacker aims at simulating a fake Tank 2 emptying process; this time, instead of setting the real measure (h2) to h2^a = 0 at once, the attacker corrupts the real value according to the emptying model of Tank 2, i.e. h2^a(t) follows the trajectory that Eq. 1 predicts for an open v2. In this way the attacker simulates a realistic emptying process for Tank 2, while valve v2 is actually closed and the water remains in the tank.
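The packet manipulations of Sections 3.1 and 3.2 rely on the Modbus/TCP framing introduced in Section 2.2. The following Python script is an added example, not one of the authors' attack scripts: it builds a Read Input Registers response and a Write Single Coil request from constructed values, rewrites them in the two ways the attacks require, and shows which inconsistencies a receiver can actually detect. The register index of Tank 2 and the coil address of valve v2 are assumptions about the test bed's register map.

```python
"""Modbus/TCP framing (Section 2.2) and the two in-flight rewrites of Sections 3.1 and 3.2.

Added example, not the authors' scripts. Frames are constructed here; the register index of
Tank 2 (1) and the coil address of valve v2 (2) are assumptions about the test bed's map.
"""
import struct

MBAP = struct.Struct(">HHHB")        # transaction id, protocol id (always 0), length, unit id
FC_READ_INPUT_REGISTERS = 0x04       # "Read Input Register" response carrying the levels
FC_WRITE_SINGLE_COIL = 0x05          # "Write Single Coil" request driving a valve
COIL_ON, COIL_OFF = 0xFF00, 0x0000   # the only two legal coil values in a FC 0x05 request
TANK2_REGISTER, V2_COIL = 1, 2       # assumed register/coil map


def build(tid, uid, fc, data):
    """MBAP length counts the unit id, the function code and the data that follow it."""
    return MBAP.pack(tid, 0, len(data) + 2, uid) + bytes([fc]) + data


def parse(frame):
    """Everything a Modbus/TCP receiver can check: header sanity and the length field.
    There is no CRC and no authentication in the frame; payload integrity rests on TCP alone."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")  # receiver drops the frame
    return {"tid": tid, "uid": uid, "fc": frame[7], "data": frame[8:]}


def read_input_registers_response(tid, uid, values):
    """Slave -> master: byte count followed by big-endian 16-bit registers (h1, h2, ...)."""
    body = bytes([2 * len(values)]) + b"".join(struct.pack(">H", v) for v in values)
    return build(tid, uid, FC_READ_INPUT_REGISTERS, body)


def write_single_coil_request(tid, uid, address, on):
    """Master -> slave: coil address and ON/OFF value."""
    value = COIL_ON if on else COIL_OFF
    return build(tid, uid, FC_WRITE_SINGLE_COIL, struct.pack(">HH", address, value))


def register_values(frame):
    """Decode the registers of a FC 0x04 response as the operator's HMI would."""
    p = parse(frame)
    count = p["data"][0]
    return list(struct.unpack(">%dH" % (count // 2), p["data"][1:1 + count]))


def coil_command(frame):
    """Decode a FC 0x05 request as the SCADA side would: (address, is_on)."""
    p = parse(frame)
    address, value = struct.unpack(">HH", p["data"])
    return address, value == COIL_ON


def rewrite_register(frame, index, new_value):
    """Section 3.1: replace one register of a FC 0x04 response in flight.
    A 16-bit value replaces a 16-bit value, so byte count and MBAP length stay valid as they are;
    only the TCP/IP checksums need refreshing when the frame is re-sent."""
    p = parse(frame)
    if p["fc"] != FC_READ_INPUT_REGISTERS:
        raise ValueError("not a Read Input Registers response")
    count = p["data"][0]
    regs = bytearray(p["data"][1:1 + count])
    if len(regs) != count or 2 * index + 2 > count:
        raise ValueError("register index outside the response")
    struct.pack_into(">H", regs, 2 * index, new_value)
    return build(p["tid"], p["uid"], p["fc"], bytes([count]) + bytes(regs))


def force_coil_off(frame):
    """Section 3.2: turn the operator's 'open v2' (ON) request into a 'close v2' (OFF) one."""
    p = parse(frame)
    if p["fc"] != FC_WRITE_SINGLE_COIL:
        raise ValueError("not a Write Single Coil request")
    address, _ = struct.unpack(">HH", p["data"])
    return build(p["tid"], p["uid"], p["fc"], struct.pack(">HH", address, COIL_OFF))


if __name__ == "__main__":
    # Constructed traffic: the level response at T1 (h1 = h2 = 1000) and the 'open v2' command.
    levels = read_input_registers_response(tid=7, uid=1, values=[1000, 1000])
    tampered = rewrite_register(levels, TANK2_REGISTER, 0)
    print("operator sees", register_values(tampered), "same size:", len(tampered) == len(levels))
    open_v2 = write_single_coil_request(tid=8, uid=1, address=V2_COIL, on=True)
    print("plant receives", coil_command(force_coil_off(open_v2)))
    try:
        parse(tampered[:-1])          # a length/size mismatch is all the receiver can spot
    except ValueError as err:
        print("rejected:", err)
```

Two things the script makes visible. The MBAP length only counts bytes, so an in-place 16-bit substitution leaves every field the receiver checks valid, and the TCP checksum is refreshed by whatever packet-crafting library re-sends the frame; the receiver drops a frame only when the length and the actual size disagree, as the truncated frame at the end shows. Nothing in the frame binds a register value or a coil value to its origin, which is why the network-side check suggested in Section 5 cannot rely on frame integrity alone.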
4. Simulations and Results
In this section we analyze the effectiveness of the two attack strategies defined in Section 3.1 and Section 3.2 by implementing two Python scripts and analyzing the DT alarm activations during the three-step routine defined in Section 2.3. As described in Section 2.1, the DT takes into account the physical model of the test bed and activates an alarm if the measures received from the sensors do not correspond to the predicted values. If the difference between the real value h_i and the predicted value ĥ_i, evaluated in terms of r (Eq. 2), is larger than the threshold β = 200, then the DT activates an alarm for the operator. In Figure 4.a, the output of the DT is shown in the case of a MITM intrusion, according to the attack strategy described in Section 3.1. At t = T1 the attacker corrupts the measures of the water level in Tank 2 by setting the value h2 = h2^a = 0. This data modification implies an increase of the DT output r, due to the large difference between the predicted value ĥ2 and the corrupted measure h2^a. In this case, from t = T1 onward, r > β, hence the cyber intrusion is detected.

(a) The size of the packet and the checksum values are stored in two dedicated fields of the packet. When the attacker corrupts the measures, he/she must calculate the new values for these fields in order to avoid inconsistencies that would cause the receiver host to discard the packet.

Fig. 4. DT output in case of MITM attack on the h2 measure; the time axis marks T1 and T2. (a) DT output in case of MITM. (b) DT output in case of Stealth MITM.
In the second case the attacker modifies the network traffic according to the strategy illustrated in Section 3.2. In this setting, due to the cyber intrusion and the data modification, the SCADA system never receives the opening command for valve v2 at t = T1; moreover, the measures of the water level in Tank 2 are corrupted according to the emptying model of the tank. As shown in Figure 4.b, in this case the corrupted measures received by the DT are in line with the estimated values and r < β. In this way the MITM attack is not detected and, at t = T2, the operator can restart the routine confident that Tank 2 is empty when it is actually full, causing a water overflow.
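The following Python script is an added example, not the authors' simulation code. It implements Eq. 1 of Section 2.1 with Euler integration, the windowed residual of Eq. 2 and the threshold β = 200 of this section, runs the three-step routine of Section 2.3 with an operator who decides on the reported levels, and replays the two attacks of Section 3 against the DT. Tank sections, pipe section, pump flow, integration step, window length and the operator's policy are assumptions (the paper does not give these values); the DT is assumed to be an open-loop simulation initialised from the honest measurements at T0 and driven by the commands the operator sends.

```python
"""Digital-twin residual check of Section 2.1 (Eq. 1 and Eq. 2) under the attacks of Section 3.

Added example, not the authors' simulation scripts. Levels are in mm and time in s, with
forward-Euler integration. Every numeric parameter below and the operator policy are
assumptions: the paper does not report the test-bed values.
"""
from collections import deque
import math

G = 9810.0           # gravitational acceleration, mm/s^2 (assumed units)
A1 = A2 = 1.0        # tank sections A1, A2 (assumed)
A_PIPE = 0.01        # pipe section a (assumed)
Q_PUMP = 50.0        # pump flow Q while active, i.e. +50 mm/s on h1 (assumed)
DT = 0.1             # integration step, s (assumed)
WINDOW = 10.0        # window T of Eq. 2, s (assumed)
BETA = 200.0         # alarm threshold beta of Section 4
H_FULL, H_LOW = 2000.0, 1000.0   # setpoints of the three-step routine (Section 2.3)


def step(h1, h2, v1, v2, q, dt=DT):
    """One Euler step of Eq. 1: Torricelli outflow through each open valve, pump inflow to Tank 1."""
    out1 = v1 * A_PIPE * math.sqrt(2.0 * G * h1)   # Tank 1 -> Tank 2 through v1
    out2 = v2 * A_PIPE * math.sqrt(2.0 * G * h2)   # Tank 2 -> drain through v2
    dh1 = (q - out1) / A1
    dh2 = (out1 - out2) / A2
    return max(h1 + dh1 * dt, 0.0), max(h2 + dh2 * dt, 0.0)


def residual(window):
    """Eq. 2 as a discrete sum: (1/T) * sum(|h1_hat - h1| + |h2_hat - h2|) * dt over the last T seconds."""
    return sum(window) * DT / WINDOW


def run_scenario(attack="none", t_max=200.0):
    """attack is 'none', 'mitm' (h2 reported as 0 from T1, Section 3.1) or 'stealth'
    (v2 command flipped to OFF and h2 reported from the attacker's own emptying model,
    Section 3.2). Returns the alarm flag, the peak residual and the real vs reported
    Tank 2 level when the operator believes the routine is complete (T2)."""
    real = twin = (H_FULL, 0.0)   # plant and DT both start from the honest measures at T0 (assumption)
    fake_h2 = None                # attacker's copy of the emptying model, seeded at T1
    window = deque(maxlen=int(WINDOW / DT))
    phase, pump_on, v2_open = 1, False, False
    alarm, max_r, rep_h2 = False, 0.0, 0.0
    for _ in range(int(t_max / DT)):
        h1, h2 = real
        # Sensor path (Read Input Register responses): only h2 is tampered with, and only from T1.
        rep_h1 = h1
        if phase == 2 and attack == "mitm":
            rep_h2 = 0.0
        elif phase == 2 and attack == "stealth":
            rep_h2 = fake_h2
        else:
            rep_h2 = h2
        # DT check: prediction against the reported levels, averaged over the window (Eq. 2).
        window.append(abs(twin[0] - rep_h1) + abs(twin[1] - rep_h2))
        r = residual(window)
        max_r = max(max_r, r)
        alarm = alarm or r > BETA
        # Operator routine of Section 2.3, decided on the reported levels.
        if phase == 1:
            v1, v2, q = 1, 0, 0.0                    # step 1: drain Tank 1 into Tank 2
            if rep_h1 <= H_LOW:                      # T1: start step 2
                phase, pump_on, v2_open = 2, True, True
                v1, v2, q = 0, 1, Q_PUMP
                if attack == "stealth":
                    fake_h2 = h2                     # attacker seeds its model with the real level
        else:
            pump_on = pump_on and rep_h1 < H_FULL    # stop the pump once Tank 1 reads full
            v2_open = v2_open and rep_h2 > 0.0       # close v2 once Tank 2 reads empty
            v1, v2, q = 0, int(v2_open), (Q_PUMP if pump_on else 0.0)
            if not pump_on and not v2_open:          # T2: routine believed complete
                break
        # Command path (Write Single Coil): the stealth attacker delivers 'close' instead of 'open'.
        plant_v2 = 0 if attack == "stealth" else v2
        real = step(h1, h2, v1, plant_v2, q)
        twin = step(twin[0], twin[1], v1, v2, q)     # the DT only sees the commands as sent
        if fake_h2 is not None:
            fake_h2 = step(0.0, fake_h2, 0, v2, 0.0)[1]   # same emptying law the DT integrates
    return {"alarm": alarm, "max_r": round(max_r, 1),
            "real_h2_end": round(real[1], 1), "reported_h2_end": round(rep_h2, 1)}


if __name__ == "__main__":
    for name in ("none", "mitm", "stealth"):
        print(name, run_scenario(name))
```

Running it prints, for each scenario, whether the alarm fired, the peak residual and the real versus reported Tank 2 level at T2, reproducing the two panels of Figure 4: the crude rewrite pushes r well above β within a couple of seconds of T1, while the stealth variant leaves r identically zero because the attacker integrates the same emptying law the DT integrates, from the same level at T1. The DT has no observation of the plant that the attacker does not also control, so it cannot distinguish a tank that is emptying from a tank that is reported to be emptying; a measurement channel outside the attacker's reach (an independent sensor, or the network-side check suggested in Section 5) is what breaks that symmetry.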
5. Conclusions and Future Works
In this paper a water distribution system has been emulated and a MITM attack has been performed in order to highlight the most vulnerable aspects of the Modbus protocol and of DT adoption. It has been demonstrated that, despite the presence of a DT, the effects of a cyber-attack can be hard to identify when the attacker's strategy is consistent with the physical behavior of the system: a physics-based check only sees the measurements it is given, so an attacker who controls both the commands and the measurements on the wire can keep the residual within the threshold while the plant diverges from the operator's picture of it. Consequently, this kind of intrusion can modify the state of the plant. This fact suggests that, due to the strong relation between the cyber and the physical layer of a CPS, a valid countermeasure to exogenous intrusions must also consider the cyber perspective of the environment. Future improvements will examine the integration of the digital twin, for the physical check of the system state, with a network traffic controller for the detection of cyber intrusions able to modify the behavior of the system.
References
Allen, L., T. Heriyanto, and S. Ali (2014). Kali
Linux–Assuring security by penetration testing.
Packt Publishing Ltd.
Bencsáth, B., G. Pék, L. Buttyán, and M. Félegyházi (2011). Duqu: A Stuxnet-like malware found in the wild. CrySyS Lab Technical Report 14.
Bernieri, G., E. E. Miciolino, F. Pascucci, and
R. Setola (2017). Monitoring system reaction
in cyber-physical testbed under cyber-attacks.
Computers & Electrical Engineering 59, 86–
98.
Cai, Y., B. Starly, P. Cohen, and Y.-S. Lee (2017).
Sensor data and information fusion to construct
digital-twins virtual machine tools for cyber-
physical manufacturing. Procedia Manufactur-
ing 10, 1031–1042.
Erez, N. and A. Wool (2015). Control variable
classification, modeling and anomaly detection
in modbus/tcp scada systems. International
Journal of Critical Infrastructure Protection 10,
59–70.
Falliere, N., L. Murchu, and E. Chien (2011,
February). W32. Stuxnet Dossier. Technical
Report 1.4, Symantec.
Farmer, R. D., G. Cohen, and D. Zimmerman
(2001). Causes and lessons of the California
electricity crisis. CBO.
Fuller, A., Z. Fan, and C. Day (2019). Digi-
tal twin: Enabling technology, challenges and
open research.
Haghighat, M., M. Abdel-Mottaleb, and W. Alha-
labi (2016, September). Discriminant Correla-
tion Analysis: Real-Time Feature Level Fusion
for Multimodal Biometric Recognition.
Liu, Z., N. Meyendorf, and N. Mrad (2018). The
role of data fusion in predictive maintenance
using digital twin. (Provo, Utah, USA).
Maas, G., M. Bial, and J. Fijalkowski (2007).
Final report-system disturbance on 4 november
2006. Union for the Coordination of Transmis-
sion of Electricity in Europe, Tech. Rep.
Puig, V., T. Escobet, R. Sarrate, and J. Quevedo
(2016). Fault detection and isolation in critical
infrastructure systems. In C. G. Panayiotou,
G. Ellinas, E. Kyriakides, and M. M. Polycar-
pou (Eds.), Critical Information Infrastructures
Security, Cham, pp. 3–12. Springer Interna-
tional Publishing.
Slay, J. and M. Miller (2008). Lessons learned
from the maroochy water breach. Springer.
Soupionis, Y., S. Ntalampiras, and G. Giannopou-
los (2016). Faults and cyber attacks detection
in critical infrastructures. In C. G. Panayiotou,
G. Ellinas, E. Kyriakides, and M. M. Polycar-
pou (Eds.), Critical Information Infrastructures
Security, Cham, pp. 283–289. Springer Interna-
tional Publishing.
Tao, F., Q. Qi, L. Wang, and A. Nee (2019). Dig-
ital twins and cyber-physical systems toward
smart manufacturing and industry 4.0: Corre-
lation and comparison. Engineering.
Whalen, S. (2001). An introduction to arp spoof-
ing. Node99 [Online Document], April.