Challenges and Opportunities in CPS Security: A Physics-based Perspective

04/07/2020 ∙ by Chuadhry Mujeeb Ahmed, et al. ∙ Singapore University of Technology and Design 0

The integration of cyber technologies (computing and communication) with the physical world gives rise to complex systems referred to as Cyber Physical Systems (CPS), for example, manufacturing, transportation, smart grid, and water treatment. Many of those systems are part of the critical infrastructure and need to perform safely, reliably, and securely in real-time. CPS security is challenging as compared to the conventional IT systems. An adversary can compromise the system in both the cyber and the physical domains. However, the unique set of technologies and processes being used in a CPS also bring up opportunities for defense. CPS security has been approached in several ways due to the complex interaction of physical and cyber components. In this work, a comprehensive study is taken to summarize the challenges and the proposed solutions for securing CPS from a Physics-based perspective.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 2

page 3

page 5

page 10

page 11

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Recent progress in technology is resulting in the digitization of the physical world and things around us. It is expected that communication and computing capabilities will soon be part of all the physical objects [rajkumar_insup_CPS_intro_2010]. The integration of cyber technologies (computing and communication) with the physical world gives rise to complex systems referred to as Cyber Physical Systems (CPS). CPS has changed the methods that humans used to interact with the physical world. Some examples of CPS are manufacturing, transportation, smart grid, water treatment, medical devices and the Industrial Internet of Things (IIoT) [CPS_thesis_ETH_2018_intro]. Many of those systems are part of the critical infrastructure, and need to perform safely, reliably, and securely in real time. This article discusses the security issues related to CPS.

A CPS consists of Programmable Logic Controllers (PLC), sensors, actuators, Supervisory Control, and Data Acquisition (SCADA) workstation and Human Machine Interface (HMI) that are interconnected via a communications network. The PLCs control a physical process based on the sensor measurements. The advances in communication technologies help to better monitor and operate CPS, but this connectivity also exposes physical processes to malicious entities on the cyber and physical domains. Recent incidents of sabotage on these systems [ukranian_case2016analysis, slay_miller_2008, stuxnet], have raised concerns on the security of CPS [cardenas2009challenges].

Challenges in CPS security are different as compared with the conventional IT systems, especially in terms of consequences in case of a security lapse. Attacks on CPS might result in damage to the physical property, as a result of an explosion [aurora_attack, German_steelmill_attack] or severely affect people who depend on critical infrastructure as was the case of recent power cutoff in Ukraine [ukranian_case2016analysis]. Data integrity is an important security requirement for CPS [Gollmann2016] and hence the integrity of sensor data should be ensured. Sensor data can either be spoofed in cyber (digital) domain [urbina_CCS2016limiting] or in physical (analog) domain [shoukry2015, drone_Son2015]. Sensors are a bridge between the physical and cyber domains in a CPS. Traditionally, an Intrusion Detection System (IDS) monitors a communication network or a computing host to detect attacks. However, physical tampering with sensors or sensor spoofing in the physical/analog domain may go undetected by the legacy IDS [shoukry2015].

In this article, we briefly introduce CPS using an example from the electric power and water treatment system, highlight the challenges and opportunities based on the physics of the systems. Detection techniques based on physics of the process against attacks on sensor reading have been proposed in recent studies [ahmed2019state_book, shoukry2015, yasser-2013, drone_Son2015, sensor_saturationAttack_infusionpump_usenix2016, sampling_race2016, walnut_acoustic_attack_mems_accelerometer]. An attacker who tries to defy rules of physics would also expose itself. An understanding of the physics of the process can help to secure a CPS [ahmed_QRS2017]. A mini-survey of the existing techniques is presented by highlighting the limitations of the previous works and proposed improvements. A device fingerprinting technique used for attack detection in CPS is explained before concluding the article.

Fig. 1: A generic electrical power system as an example of CPS.

Ii Cyber Physical Systems

Cyber Physical System (CPS) is a broad term for systems ranging from medical, power, transport and industrial systems. In the following we highlight two major sectors applicable to our daily life, that is, electrical power and water treatment systems. An example of a CPS is shown in Figure 1. It shows the high-level architecture of an electrical power system. This is composed of electricity generation (power plants), transmission (electric grid system) and end-users (smart home). As one can imagine this power system is composed of a multitude of devices and physical processes. Power generation and transmission depend on the demand from the utilities and the users. To meet the requirements of the energy demand the critical infrastructure is utilized to ensure a continuous supply of power. Each of the processes in the critical infrastructure is a complex engineering system and needs a sophisticated control to achieve its desired objectives. For example, at the generation stage, we have generators, Intelligent Electronic Devices (IEDs) also incorporating electric relays, all these devices are autonomously controlled by the Programmable Logic Controllers (PLC). This means that we have a lot of sensors monitoring the physical process, actuators/generators and the physical infrastructure that communicate the current physical states with each other and with the PLC.

A similar example is a water treatment system which is one of the critical infrastructures of any modern society. Figure 2 shows a generic overview of a water treatment system, note that the distribution network is intentionally not shown to simplify the illustration in both the power and water systems. Water treatment system employs sensors to measure the flow, pressure, chemical components, level at different nodes, and also equipped with actuators, e.g., motorized valves and pumps to deliver water as required by each consumer. All these processes are controlled and operated autonomously. The automation achieved due to autonomous communication has resulted in efficient monitoring and managing of the physical processes but at the same time opened up these systems for unwanted entities.

As explained earlier CPS is a broad term and encompasses a lot of interdisciplinary fields. In this article, we focus on industrial CPS similar to examples outlined here. Since a lot of work surveyed in this article is based on an industrial CPS or industrial control system, our proposed device fingerprinting technique is also tested on a water treatment system. In the following, an abstraction of the well known Purdue architecture [Williams_purdue_reference_architecture] for each stage of the critical infrastructure is presented.

Fig. 2: A generic water treatment system as an example of CPS.
Fig. 3: An Industrial CPS architecture. Three different communication network levels are shown namely level 0, level 1 and level 2. An attacker can compromise these communication networks as well as the physical components.

Ii-a Architecture of an Industrial CPS

An industrial control system (ICS) controls a physical process. An ICS takes advantage of the advances in automation technology and interconnected devices. A typical ICS is composed of field devices, e.g., sensors and actuators; control devices, e.g., PLC; monitoring devices, e.g., HMI; control and data logging, e.g., SCADA workstation and programming terminals. In general an ICS follows a layered architecture [Williams_purdue_reference_architecture]. As shown in Figure 3, there are three levels of a communication network. Level 0 is the field communication network and is composed of field devices, e.g., remote I/O units and communication interfaces to send/receive information to/from PLCs. Using the level 0 network, sensors send the physical process state to the PLCs and in turn, PLCs send the control commands to the actuators. Level 1 is the communication layer used by PLCs to communicate with each other for exchanging data to make control decisions. Level 2 network is used by PLCs to communicate with the SCADA workstation, HMI, historian server; this is known as the supervisory control network.

The communication protocols in an ICS have been proprietary until recently when the focus shifted to using the enterprise network technologies for ease of deployment and scalability, such as the Ethernet and TCP/IP. A survey of communication protocols in an ICS can be found in [communication_protocol_ICS_survey_2013]. The Figure 3, also represents a specific example of a water treatment testbed used in this study. The communication protocol in the testbed is the Common Industrial Protocol (CIP). CIP is an application layer protocol on top of Ethernet/IP (ENIP) to exchange data at level 1 and level 2 [cip_protocol_odva, enip_protocol_rockwell]. The messages between the devices can use either wired media, i.e. IEEE 802.3, Ethernet, or wireless media i.e. IEEE 802.11 WiFi standard. There are two generic types of messages in the CIP/ENIP standard. i.e. explicit messaging and implicit messaging [cip_protocol_odva]. Explicit messages use CIP as an application layer protocol and use TCP/IP service to establish a connection. An example is a PLC sending a request message for the exchange of data to another PLC. Implicit messaging, also known as I/O messaging, is used to communicate between PLC and I/O devices. Implicit messages use ENIP protocol on top of UDP/IP service. Implicit messaging is used with time-critical devices, for the reason that those uses UDP and does not need acknowledgment of the transmitted messages as in the case of CIP. Without an authentication mechanism, one could not be sure if these commands are coming from the legitimate PLC.

Input signals to a PLC () can be digital or analog. Digital signals are ON and OFF and analog signals have a continuous range of values. These signals originate from sensors or switches and are represented in the form of voltage or current. For example, a sensor measuring values using 4-20 mA current loop scales the minimum value to 4 mA and the highest value to 20 mA. These analog signals are fed to an analog to digital converter before given to a PLC for processing. Without an authentication mechanism, the integrity of the signals cannot be assured. Similarly, output signals from a PLC are fed to a digital to analog converter before given to the field devices. The output () interface sends control commands to the actuators and also transmits the messages to rest of the PLCs. Without the authentication mechanism, one could not be sure if these commands are coming from the legitimate PLC.

In the following requirements for a CPS are discussed before mentioning the related security challenges.

Ii-B CPS Requirements

CPS monitor and control the physical world and to satisfy the real-world constraints it should be designed to address the following requirements.

  • Real-time Response: CPS should satisfy the real-time constraints depending on the process. For example, if the process under consideration is electricity the response regarding the sensor measurements should be quick as compared to the water systems. However, each process has its own real-time response constraints which should be fulfilled. Any delays in dissemination of commands due to a fault or an attack (e.g., Denial of Service), can prove to be disastrous.

  • Resource Constraints: Most of the devices in a CPS are resource constraint. For example, sensing devices, analog to digital converters, remote input/output (remote I/O) units and controllers are designed to perform specific functions with the limited memory and processing power. The main idea is for the devices to be robust, function for long time periods e.g., 15-20 years and meet the real-time performance constraints.

  • Availability: Shutting down a plant is a much more complicated business than restarting a server. CPS has an important requirement of availability. Critical nature of these systems requires a very high availability as could be the case of temperature regulator in a critical biological process or electric grid. Therefore, upgrading hardware and software is also challenging for CPS due to high up-time. The core idea is to not to interfere with the functionality of the CPS.

Ii-C CPS Security Challenges

From the above discussion, it is clear that the CPS systems are not the same as the typical IT systems. Both types of systems differ in system requirements and also differ in terms of security requirements/challenges. In general, the security policies for IT systems are defined as CIA paradigm, namely Confidentiality, Integrity and Availability of the data. However, in CPS security the paradigm is the same but in an inverted order by importance, that is, in CPS it is AIC namely Availability, Integrity and Confidentiality.

  • Availability: This security property ensures that the system or service is available to the authorized persons. As discussed in the previous section, the availability is the important requirement of a CPS and in terms of security, it is the most important property of the system. Few threats possible are Denial of Service (DoS) attacks or jamming attacks.

  • Integrity: Integrity compromise refers to the modification or destruction of data by unauthorized entities. In CPS an attacker can compromise the integrity of sensor data or the commands transmitted by the PLCs. In IT systems confidentiality is more important than integrity but in a CPS integrity of data is considered more important than to keep it confidential [cardenas2009challenges].

  • Confidentiality: This defines the authorized access to the information. Passwords and data encryption are standard techniques to ensure confidentiality of the data. Although solutions grounded in cryptography, such as those that use TLS, HMACs or other authentication and/or integrity guarantees have been advocated in the context of CPS, historically such countermeasures are not widespread due to limitations in hardware and relative computational cost of such protocols [John_ACNS2017, cardenas2009challenges]. Since many CPS run legacy hardware and are intended to do so for several years, the problem of raising the bar against authentication attacks by device fingerprinting means is a practical one.

Iii Reported Attacks on CPS in Wild

In this section, few famous CPS attacks are briefly discussed. Following those famous attacks would be a discussion on particular attacks on sensors and PLCs from the academia and industry.

Maroochy Shire (2000)

This is an early example of an attack on a CPS executed by a disgruntled employee. The attack was carried out in early 2000 by an employee of a contractor who failed to get a job at Maroochy Shire Council. He used the radio terminals installed by himself to spill the sewage in public parks and streets [slay_miller_2008].

Stuxnet (2010)

This attack is discovered in mid-2010 which targeted Iran’s nuclear enrichment facilities [stuxnet_langner_2011_SnP, stuxnet]. Stuxnet was a highly sophisticated worm which exploited 0day vulnerabilities, relied on root-kits to hide, update itself, used stolen certificates and replayed sensor and network data. It is reported to be a successful attack end up destroying target centrifuges.

Ukrainian Electric Power Grid (2015,2016)

In December 2015 cyberattacks on Ukrainian electric power grid cut off the power supply to customers at the peak of the winter season. The attackers remotely controlled the SCADA distribution system and forced operators to switch to the manual mode which resulted in much longer recovery times[ukranian_case2016analysis]. This attack was over but for another attack to come in the next year around the same time. In 2016 again Ukrainian electric power grid met another cyber attack through the use of Crashoverride malware [ukranian_case2017analysis_crashoverride], This attack switched circuit breakers in an unusual open-close pattern in a fast manner, which resulted in cutting off the power supply to the customers.

TRITON Attack (2017)

This cyber attack was executed on Saudi Arabia’s leading oil company Saudi Aramco. The attack was launched using TRITON malware by getting unauthorized access to the engineering workstation. The goal was to reprogram the controllers and cause significant physical damage. This attack forced controllers to enter into a failed safe state disrupting the control of the heavy machinery [Saudi_aramco_marina_fireeye_2017_triton].

Norsk Hydro Attack (2019)

In March 2019 one of the world’s biggest aluminum producers Norsk Hydro in Oslo was subjected to a ransomware attack. This attack costed Hydro million in damages [norsk_hydro_2019_attack_ransomware].

ASCO Industries Attack (2019)

This is one of the most recent attacks on CPS. ASCO industries manufacture aerospace parts and got hit by a ransomware attack affecting its production in plants around the world. This attack occurred in mid-June 2019 and the damage is still being assessed [asco_aircraft_2019_attack_ransomware].

Few of the famous attacks on CPS are discussed above. In the following specific attacks on the industrial devices are discussed.

Iii-a Sophisticated Attacks on CPS in Research

An important difference between Cyber Physical Systems (CPS) and traditional IT systems, is that CPS has a physical space to secure besides the cyber domain. In this context, an adversary can also launch an attack from the physical domain, such attacks are not studied in earlier cyber security research. In particular, the physical integrity of the CPS, and its availability, are often more important than confidentiality [Gollmann2016]. Moreover, in a CPS an attacker besides compromising the computing elements e.g., sensors through communication networks might also do so from the physical space. This is illustrated for instance by a recent attack [drone_Son2015] where a crash is induced in a drone by means of a sound signal that confuses the gyroscope, or by carrying out an analog sensor spoofing attack [shoukry2015, yasser-2013, sampling_race2016, ghosttalk_2013]. In [ghosttalk_2013] attackers would inject data using the sensing device wire as an antenna by intentional electromagnetic interference at the resonant frequencies of the sensing device. In [walnut_acoustic_attack_mems_accelerometer]

a new attack vector is proposed inspired from 

[drone_Son2015]. A modulated audio signal could result in desired data injection [walnut_acoustic_attack_mems_accelerometer]. A recent study has shown sonic attacks for a range of smart sensing devices [sonic_gun_blackhat2017]. Anti-lock braking system (ABS) is attacked in real vehicles using the signal injection in the analog/physical domain [yasser-2013]. A recent article [trickorheat_kevinfu_temp_sensor_attacks_EMI_2019] attacked temperature sensor in infant incubators using electromagnetic signals. Thus, security requirements for CPS introduce new challenges and hence the need to expand traditional attacker models to include physical and cyber-physical characteristics of a system [marco_cpdy2016], and consequently introduce a need for novel security solutions.

Iii-B Attacks on PLCs

Guaranteeing data integrity in the presence of strong adversaries, for instance against those who can gain full control over PLCs, is challenging. For instance, a study reported in [eireann_2013_greyhat_PLC_vulnerabiity] reveals that a large number of PLCs are connected to the Internet and contain vulnerabilities related to authentication. Using the discovered vulnerability, the authentication mechanism is bypassed and full control over the PLC could be achieved over the internet. The use of commercial off the shelf (COTS) devices in a CPS, and software backdoor, can lead to full control over PLCs [ruben_backdoors_PLC_2012_blackhat]. In [fovino_2009_malware_PLC] authors have used lack of authentication in the Modbus protocol to take over the controllers and send unauthorized commands to the other devices. Stuxnet is a famous example of a malware attack where PLCs were hijacked and malicious code altered the PLC’s configuration [stuxnet_langner_2011_SnP]. Attackers have executed web-based DoS and resetting PLC attacks by exploiting bugs in PLC code which were connected to the internet [robert_turk_2005_PLC_DoS]. Recently a range of malware and network-based attacks were designed and executed against PLCs [Anand_ESORICS2017_PLC_ladderlogicbomb, MS_thesis_PLC_attack_NTNU_2013]. Therefore, there is a need for authenticating CPS devices non-invasively and without disturbing their core functionality.

Fig. 4: Experiment Setup: Secure Water Treatment Testbed Plant Layout (SWaT)
Fig. 5: A partial setup from a water treatment plant as a motivating example.

Iv Physics based Perspective

Iv-a A Motivating Example

We will present our findings based on experimentation done in a water treatment plant. Figure 4 shows a picture of the testbed used. It is a six-stage water treatment process, for details refer to the testbed paper [swat2016]. We will use the first stage of the water treatment process as a motivating example. A physical system diagram for stage 1 is shown in Figure 5. Figure 5 shows a level sensor mounted on top of the water tank to the water level and the inflow and outflow of the water is being controlled by the motorized valve (MV-101) at the input and pump (P-101) at the output respectively. The idea is to model this inflow and outflow by considering the physical principles and the design of the physical process. For a tank, we know that the rate of change of water inside the tank is equal to the difference between water flowing into the tank and water flowing out from the tank with respect to time. We can represent this using the mass-balance equation such as,

(1)

where represents the volume of the tank, is the cross-sectional area of the tank, and is the height of the water inside the tank, (1) provides a linear equation, we can see the term represents the water flow which depends upon the PLC control actions implemented via MV-101 and P-101. From Figure 5, it can be seen that using the height and diameter of the tank from design documents, it is possible to figure out the volume and the cross-sectional area of the tank. Let us consider that state of the physical process as the height of water inside the tank. Then the solution of this equation gives us the following result.

where is the PLC control action. Here represents water level in the tank at time . The control action can be a either open/close (for the motorized valve) or on/off (for the pump). Similarly we can describe the sensor state and we can get the set of system equations. Following represents the systme dynamics in form of a state space model.

(2)

Where is the sensor measurement driven by the control action . Matrices and are the state-space matrices of appropriate dimensions. and are the process and measurement noise vectors respectively. From (2), it can be seen that if we have a system state value at time , then given the PLC control we can predict the next state at time . For example, if the MV-101 control is set to open the valve and P-101 as turned ON, given the information of this control from PLC, we know from the design of the physical process that how much the water level in the tank should increase. This is an example of how can we use the physics of the system to model the physical process. Once the system model has been obtained it is possible to learn the normal behavior of the process in a mathematical form.

Fig. 6:

(Left): Probability distribution of the residue for level sensor measurements without attack. (Right): Probability distribution of the residual for water level sensor measurements with bias injection attack.

Iv-B Attack Detection Framework

A general attack detection framework has two major components, 1) system model and estimation and 2) a threshold based detector.

System Model and Estimation: The idea of obtaining a system model is explained in the previous section. The system models can be obtained either using data based techniques or the first principles [Rizwan_ESORICS2017_stealthyAtt, Carlos_Justin_CDC2016_stealthyAtt, urbina_CCS2016limiting, pasqualetti2013attack_control4]. Using the system model it is possible to estimate the states of the system and ultimately estimate output from a sensor (). A residual vector is calculated by taking the difference between the sensor measurements and estimated sensor output as,

(3)

Where is the residual vector. For the residual, the hypothesis testing is for , the normal mode (no attacks), and , the faulty mode (with attacks). The residuals are obtained using this data along with the state estimates. Thus, the two hypotheses are stated as follows,

Threshold based Detector: To detect the presence of an attack, the residual vector is tested against a predefined threshold designed for a particular false alarm rate. Figure 6 shows the distribution for a residual vector with a mean value of 0 without an attack and the second plot in case of an attack. We can create a threshold for the residual distribution and if the values of residual are outside that threshold declare it under an attack,

(4)

Where is a threshold and || is the absolute value of the residual. There have been studies on optimizing the parameters of different stateful and stateless detectors [carlos_msc2016, urbina_CCS2016limiting]. A wide variety of algorithms exist to chose the best threshold value to maximize the attack detection rate and minimize the false alarm rate.

Iv-C Prior Research

In this section, we will highlight the research that has been done in CPS security exploiting the physical models of the process. A general approach is to, 1) create models of the normal process either based on the data from simulations/real systems or based on the first principles, and 2) use the statistical detectors to find if there are any deviations from the normal/expected behavior.

One of the earlier works on the security of power systems against data injection attacks is detailed in [liu_ccs2009_first_work_]. Authors had shown that a bad data detector would raise an alarm for random attacks similar to a fault but not a stealthy attack. Another study related to a smart water distribution system [Ahmed_AsiaCCS2017_stealthyAtt] has also made similar observations. These studies created the models of the physical process based on simulations and the real testbed respectively.

Process/Physical Invariants: The idea of invariants is to model the physical states as such that certain physical laws shall be obeyed. Invariants are designed using the relationship between different state variables. No matter what happens these relationships should not vary. Designed invariants are using physical laws underneath to ensure the laws of physics are being obeyed. A state relation based intrusion detection is proposed in [wang2014srid_ESORICS2014_invariants]. This study used a relational graph to model the different nodes related to each other via a physical principle. Similar research is conducted on a water treatment system  [adepuMathurIFIPSEC2016_invariants] by creating invariants from the physical process. A more recent effort on similar lines is to create control invariants  [choi2018detecting_dongyan_ccs2018_drone_control_invariant]. The authors tested their approach on a drone.

Active Defense: Some techniques use active methods to detect attacks. These techniques are a combination of modeling the physics of the system and active detection methods. A challenge-response based sensor attack detection technique is presented in [shoukry2015]. The proposed technique is tested on vehicles for active sensors. Another active technique called as physical watermarking is proposed in [bruno2015_watermarking].

Control Theory/State Estimation: Most of the physics-based detection techniques originate in control theory due to a history of literature on modeling the physical processes. Also, fault detection in control systems has been studied extensively over the past half-century. There are several works on using the model of a physical process [bai2014kalman_control1, CPSweek2016_stealthy_replayATT, Carlos_Justin_CDC2016_stealthyAtt, pasqualetti2013attack_control4]. Most of these works borrow ideas from fault detection literature and has also contributed towards the limitations of fault detectors to be used as attack detectors. Towards that end, secure state estimation has extensively been studied. Recently, a research work in [shoukry2018smt_control3] proposed a search algorithm based on Satisfiability Modulo Theory (SMT) to speed up the search of possible sensors sets, followed by an extended work to model the noisy systems [mishra2016secure_estimation_control2].

Unsupervised Learning:

The problem with a supervised learning detection method is that it needs to learn the normal model as well as from the data under attack. In real-world availability of attack data is a big issue, therefore, some studies employ semi-supervised or unsupervised learning for attack detection. In the following a couple of the recent works 

[noisematters_Mujeeb_acsac2018, krotofilLarsenGollman_process_matters] are discussed, those used the model from the plant dynamics and unsupervised learning for attack detection. A signal entropy based detector is used in [krotofilLarsenGollman_process_matters] and one-class SVM is used in [noisematters_Mujeeb_acsac2018] as a detector.

Physical Authentication: There have been some interesting efforts to authenticate the control logic in a PLC by using the physics of the process [roth2016physical_authentication_BruceMcmillan, sunjun_ieee_snp_2018_dataset_swat]. One recent study had exploited the physics of the process to discover an insider threat [Anand_agrawal2018poster_AsiaCCS2018].

Evaluation Metrics: A recent work in [urbina_CCS2016limiting]

proposed a new evaluation metric for the physics based attack detection algorithms. They considered a case of a stealthy attack and measured its impact on the physical process. The list here is by no means exhaustive, the intention is to give readers an idea of how popular physics based methods are in the CPS security.

Iv-D Shortcomings of Prior Works

Interfering Techniques: Active defense techniques, for example, watermarking or challenge-response can be considered interfering with the normal operation of the process. In the case of physical watermarking techniques, a noise signal is added to the optimal control signal which can degrade the performance of the system under study. Similarly in challenge-response techniques, a challenge affects the performance of the active sensors due to the introduced challenges. For a CPS a non-interfering passive technique would be preferred.

Number of Devices under Attack: State estimation based and invariants based techniques rely on the relationship between sensors and actuators. If all the sensors and actuators are under attack then model based methods shall fail. Therefore, it is desired to design a technique that can identify attacks on devices independently from other devices.

Stealthy Attacks: Most of the work using a system model along with a statistical detector is prone to a smart attacker. For example, if an attacker learns a threshold for the statistical detector and stays below that, it does not get detected. From Eq. (4) we can rewrite the expression as,

(5)

If sensor measurements are under attack () then the attacked sensor measurement goes to resulting in,

(6)

Remember is the attacker’s signal and it can choose it to be anything. An attacker can always choose which will change the expression in Eq. (6) to , which is never true and no alarms will be raised although attacker is injection a value of at each time step in the sensor measurement. Such an attack is considered to be stealthy and in theory, can be designed for any threshold based detector.

Lack of Testbed-based Validation: Most of the previous studies are performed either on a dataset or a simulation based model. It is important to validate the proposed techniques on real systems or testbeds to identify challenges which an operator or plant engineer might face when the system is under attack or due to false alarms.

Iv-E Suggested Improvements

Passive Attack Detection Techniques: Given the critical nature of the industrial systems, it is desired to have a passive technique for attack detection. We can not afford legacy ideas of active defense from the IT security literature.

Assumption on Number of Devices under Attack: Ideally the proposed attack detection techniques shall be independent of the number of devices under attack. We should come up with the methods where it would be possible to identify attacks on each device separately.

Validation on Testbeds or Real Systems: Most of the previous studies are based on the simulations. It is easier to work with simulation models but those studies miss details that are encountered in practice by industrial engineers.

In the following, we will summarize ideas related to authenticating devices based on the hardware characteristics of the devices, passively.

Fig. 7: Sensor noise from 10 ultrasonic level sensors and their noise vector distribution.
Fig. 8: A proof of existence of noise based sensor fingerprint for all the level sensors of same type and model based on three time domain features.

V Device Fingerprinting

A device fingerprint refers to some unique features of a device’s hardware, software or a combination of both. Device fingerprinting ideas have been tested in different domains. The idea of fingerprinting a PC remotely based on its clock skew is presented in 

[kohno2005]. Small microscopic deviations in device’s clock [moon1999, paxson1998] is used as a fingerprint. In [raheem2015] inter-arrival time of packets is analyzed to fingerprint devices on a small campus network. In [dey-2014] hardware imperfections during the sensor manufacturing process are exploited as a fingerprint for a smartphone. In CPS a recent work tried to create fingerprints for the actuators based on the opening/closing times [raheem2016]. Device fingerprinting techniques to authenticate devices and passively detect attacks have been found promising in the IT domain but for industrial-grade sensors, such a study was needed. In the following, we briefly discuss one of our proposed technique titled NoiSense [NoiSense_eprint_Mujeeb].

NoiSense is proposed as a non-intrusive sensor fingerprinting technique to authenticate sensors transmitting measurements to one or more PLCs. Device fingerprinting ideas existed in other fields as mentioned above, however, sensors in a CPS are not functionally/computationally similar enough to exhibit the above-mentioned fingerprints [raheem2016]. Thus, we seek an answer to the question, Do sensors in a real-world CPS have unique fingerprints? It is known that hardware imperfections during the manufacturing process exhibit some unique physical behaviors that are useful for profiling and fingerprinting [dey-2014]. In particular, we observe that noise (imperfections in measurements), an otherwise undesirable feature of sensors, strongly depends on such manufacturing imperfections. These variations affect each device differently and thus are hard to control or reproduce [gerdes2006], making it challenging for an attacker to imitate sensor noise patterns.

NoiSense

creates a fingerprint for a sensor based on a set of time domain and frequency domain features that are extracted from the sensor noise. A machine learning algorithm is used to distinguish an individual sensor from others. Experiments were performed on sensors of different types in an operational water treatment and distribution facility accessible for research 

[swat2016, wadi2017]. Sensor identification accuracy is observed to be as high as , with a low of . It is also shown that the proposed scheme is scalable for tens of sensors and that the sensor fingerprint is stable over time. The true positive rate for sensor identification is observed to be for most of the sensors and false positive rate as low as , see [NoiSense_eprint_Mujeeb] for details.

Does a unique fingerprint exist for each sensor? A limited number of sensors were available in the water utility testbeds. Hence, additional low-cost ultrasonic sensors are included to explore the existence of fingerprints for many sensors of the same type and model. To demonstrate the existence of fingerprint, ten dual transducer ultrasonic sensors (HCSR04) from the same manufacturer were used. All ten sensors were mounted on the same water tank. Data was collected for 3 hours and many chunks of the collected data taken for analysis. Each chunk consists of 300 readings from the sensor. Figure 7

shows results for the collected data. The plot on the left shows the variance of noise vector from each sensor for all chunks. It is observed that some of these sensors have a unique noise variance and can be distinguished from each other but there remain few sensors that have similar noise patterns in terms of noise variance. The middle pane is a plot of the distribution of the noise vector from each sensor. It also shows that sensors can be distinguished based on noise statistics. However, there remain overlaps among some sensors. The right pane shows 2-D clustering of the sensors. Sensors can be distinguished more precisely by using one more feature of sensor’s noise i.e. mean value. The scatter plot on the right-hand side clusters each chunk with its respective mean and variance. The separation is quite clear but there remain overlaps, e.g., sensor4, sensor8 and sensor10. We need additional features to further eliminate such overlaps. In Figure 

8, by adding one more feature, i.e. mean average deviation, sensor4, sensor8 and sensor10 can be distinguished.

Vi Sensing Technologies and Basis for Fingerprints

In this section, we explain the working principle of the sensing technologies under study. This insight in sensor construction and functionality is an aid in understanding the sources of sensor noise and fingerprints.

Vi-a Ultrasonic Level Sensors

Water treatment testbed uses ultrasonic sensors based on a piezoelectric (PZT ceramic) material transducer. The level of water in a tank is calculated by measuring the return time of the acoustic wave after hitting the water surface. Several factors contribute to variations in the measurements obtained from ultrasonic sensors. These measurements depend on the speed of sound which changes according to the surrounding temperature. Speed of sound through air as a function of temperature can be expressed as [jenny-2013],

(7)

where, is the temperature in degree Celsius; is the rate of change of speed, which is approximately 0.607 m/s at every 1 degree Celsius change; and is the speed of sound in air at 0 degree Celsius which is 331.45 m/s. Besides temperature, obstacles like tank walls reflect echo sooner than it should be, contributing towards noise in the measurements. Water sloshing is another reason for erroneous level measurements. Ultrasonic level sensors depend on PZT ceramic transducer to convert sound waves into electrical signals. These PZT materials convert sound vibrations to an electric signal. The acoustic impedance of these transducers also depends on temperature thus adding another source of noise [coutard-2005]. Thermal and polarisation noise are the main sources of voltage fluctuation in piezoelectric ceramics. Thermal noise originates from interaction of phonons with free electrons or holes. The spectral density of this noise is proportional to sensor resistance and temperature. Electrical polarization in piezoelectric materials is also a source of voltage fluctuation [petr-2011].

Fig. 9: RADAR level sensor construction. Antenna is the element responsible to capture microwaves reflected from the water surface. Operating frequency is 26 GHz [flotech_radar].
Fig. 10: Electromagnetic flow meter structure. Electromagnetic coils generate a constant electric field. When water (conducting fluid) flows through magnetic field, a voltage proportional to water speed, is induced at electrodes [flotech_flowmeter].

Vi-B Microwave Level Sensors

The microwave level/distance sensor, often called RADAR (RAdio Distance and Ranging) works in a similar way as ultrasonic sensors. A microwave pulse is emitted by the antenna that travels at the speed of light and upon hitting the surface of the target it is reflected back and received at the same antenna. The distance between the antenna and target is calculated based on the time it takes for the microwave to travel that distance. In the case study reported here the waves are bounced back by water with a dielectric constant of 80 (stronger reflections) which is higher than dielectric constant 1 (no reflection) of free space. This implies that enough energy will be reflected and reach the antenna.

Figure 9, shows the microwave level sensor used in water distribution testbed [wadi2017]. Similar to an ultrasonic sensor where the sound wave hits the transducer to produce an output voltage and calculate the distance, in microwave based level sensor it is the antenna where the electromagnetic energy is received and distance calculated. These antennae are designed to have a 50 resistance so that once connected with a cable of characteristic impedance of 50, maximum power transfer takes place from the antenna. The sensor under consideration is designed to operate at 26 GHz with a beam angle of and 1W effective radiated power [flotech_radar]. However, in practice these specifications have deviation for the same type and design of an antenna due to manufacturing imperfections and installation inaccuracies. For example, antenna connection with a cable will result in impedance variations [accuracy_radar]. Also, beam angle and radiation pattern varies for each antenna leading to deviations from theoretical design resulting in different range resolution that is ultimately reflected in sensor noise [antenna_pattern].

Vi-C Electromagnetic Flow Meters

The electromagnetic flow meters follow Faraday’s law of induction according to which a voltage is induced by an electrically conductive fluid passing through a magnetic field. In an electromagnetic flow meter, the medium acts as the electrical conductor when flowing through the meter tube, and the induced voltage is proportional to the average flow velocity (the faster the flow rate, the higher the voltage). The induced voltage is picked up by a pair of electrodes, mounted in the meter tube, and transmitted to a flow transmitter to produce various standardized output signals. Using the pipe cross-sectional area, the flow volume is calculated by the transmitter. The following equation is applicable to the induced voltage:

(8)

where is the induced voltage, is the instrument constant, is the magnetic field strength, is the mean velocity of the fluid, and is the pipe cross-section.

A commercial electromagnetic flow meter is shown in figure 10 [flotech_flowmeter]. It’s internal structure consists of a pair of coils mounted on the top and bottom of an electrically insulated flow tube. A pair of electrodes protrude through the flow tube wall perpendicular to the pipe axes and largely normal to the direction of the generated magnetic field. As the liquid passes through the pipe, it moves through the magnetic field and the positive and negative ions within the liquid experience a force upon them. The forces on the ions cause them to migrate and result in an electric field being generated across the pipe. The Voltage generated across the pipe is measured between the electrodes. Noise in these sensor readings come from the area of the electrodes and size of the electro-magnets generating electromagnetic field . The installation and alignment of electrodes and coils will result in different stray capacitance and noise [flowmeter2006].

Fig. 11: Time series data from a level sensor for a constant water level.
Fig. 12: Noise distribution for the time series of the ultrasonic level sensor.

Vii Visualizing the Performance

Vii-a Noise Signal Time Series

NoiSense, as mentioned, is a sensor fingerprint based on the measurement noise from a sensor. To visualize let’s consider a water level sensor in the water treatment plant. Figure 11 shows a time series signal measured by the level sensor that is supposed to measure a constant water level in a tank. In Figure 11 the value returned by the level sensor around a mean value is considered a noise vector. On the right-hand side, in Figure 12

the distribution of the noise vector is shown. It is observed that the noise profile follows a Gaussian distribution. For each sensor, a fingerprint is obtained based on this noise distribution.

Vii-B Confusion Matrix

For visualizing the performance of propose NoiSense, an experiment is a setup using 20 sensors of the same type and model manufactured by the same vendor. All the sensors are mounted on top of the same water tank one after another. Multiclass classification is performed by comparing each sensor with the rest of the sensors to figure out how effective is the fingerprints. In Figure 13 it is observed that all the sensors could be identified rightfully based on the NoiSense. This result points out that for a reasonable number of sensors that is the case of a medium-scale plant, we could fingerprint sensors based on their fingerprint even for the same type of sensors. NoiSense does not need any extra hardware deployment and it is a passive method for figuring out if the data is not being generated from our legitimate sensors but some malicious device or being spoofed during communicating to other devices such as PLC.

Fig. 13: Confusion matrix for 20 small ultrasonic sensors.

Vii-C Limitations

We would like to highlight that although our proposal is a passive method and it does not depend on the number of sensors under attack but there are still some limitations.

Sensor Attacks only: The proposed NoiSense detects attacks on the sensors and it is not able to detect attacks on actuators. However, actuator fingerprinting techniques [raheem2016] already exist and could be used in parallel to NoiSense to provide a holistic technique for attack detection.

Detection Time: Stateless detection techniques (e.g., bad-data detector) or stateful detection techniques (e.g., CUSUM) might be able to raise an alarm if the attack is abrupt like a fault, but NoiSense needs a chunk of data to extract the noise vector and make a decision. Therefore, NoiSense might take more time in some situations as compared to other statistical detectors. However, NoiSense has proven to be more successful in cases where statistical detectors had failed against a smart stealthy attacker.

Viii Summary and Conclusions

Challenges and Opportunities: We observed that one of the dominating challenges in CPS as compared to pure IT systems is that there is a whole lot of physical processes to be secured besides the cyber infrastructure. The same challenge of securing the physical systems becomes an opportunity if the physics of the normal process could be modeled accurately. Also, we highlighted that the integrity of data is more critical than the confidentiality of data in CPS.

State of the Art: Attack detection is an important step toward attack mitigation and recovery. There have been extensive efforts in model-based attack detection in CPS. However, model-based attack detection techniques suffer from several limitations such as inability against stealthy and multi-point attacks, interference to the normal process.

Device Fingerprinting: We put forth the idea of device fingerprinting using the hardware characteristics of sensors, such as measurement noise from a sensor. An idea called NoiSense boosts the usability for being a passive (non-intrusive) attack detection solution, which is an important requirement for CPS.

Conclusions: Physics-based solutions are effective in the detection of attacks to CPS. However, this approach also has its limitations. There does not exist a silver bullet to tackle all kinds of threats perfectly. Different security solutions may need to be combined to provide holistic protection for CPS.

References