Cyber-physical Systems (CPSs) have become the core components of safety-critical infrastructures such as smart grid, Building Automation Networks (BANs) and water/sewage plants.
CPSs bridge the cyber and the physical worlds by integrating the computing and communication capabilities of the former to monitor, model, control, and analyze processes in the latter.
The communication networks employed in such Supervisory Control and Data Acquisition systems are normally termed SCADA networks. A number of different protocols, such as DNP3, Modbus, and BACnet, are employed in these networks.
Often, these networks either lack security protection altogether, or the security protocols deployed in them are not commensurate with their criticality.
Due to the criticality of the infrastructures in which CPSs are deployed, they have become a ripe target for cyber-attacks. Hackers caused the massive Ukraine power outage in December 2015 by sabotaging the control system and remotely opening the breakers. This incident affected about 230,000 people and was regarded as the first high-severity cyber-attack to cause a power outage.
The Building Automation Networks (BANs) of the Sochi Arena, which supported the 2014 Winter Olympics, were found online and accessible without a password. BANs provide HVAC control, lighting control, fire detection and security for an “intelligent building”, and they employ BACnet as their standard protocol.
As of June 2018, 17,823 BACnet devices and 78,000 SCADA devices were exposed to the internet. Without sufficient security protection, attackers on the other side of the world are potentially able to access a BAN and cause damage from a great distance.
Not only industrial controllers but also general Internet-of-Things (IoT) devices such as IP cameras, printers, and home routers are vulnerable to cyber-attacks. The infamous Mirai attack brute-forced IoT devices using factory-default usernames and passwords, logged into them, and infected them with the Mirai malware.
It hijacked nearly half a million internet-connected devices and made several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others inaccessible. The scale of the attack was unprecedented, and the exploitation of IoT devices to launch this DDoS attack may lead to cyber-attacks on an even larger scale in the future.
Recent research has focused on protecting CPS and IoT devices from different perspectives: anomaly detection and Intrusion Detection Systems (IDS), innovative security solutions that improve system resilience, and device-level security management.
CPS Anomaly Detection and IDS
IDS and anomaly detectors are typically used to detect suspicious network traffic, and they have proven to be very effective. A signature-based IDS identifies packets that match a known attack signature, and is effective at detecting known attacks with high accuracy.
Digital Bond published a collection of Snort IDS rules for common CPS network protocols, while Lin et al. developed a specification-based intrusion detection framework based on Bro, a runtime network traffic analyzer.
Since a signature-based IDS relies on a dataset of known attack signatures, it is not effective at detecting zero-day attacks whose signatures have not been seen before. Anomaly detectors, however, leverage machine learning techniques to monitor and model healthy network traffic behavior, and identify anomalous traffic that does not conform to the model.
The challenge for anomaly detectors is to lower the false alarm rate and improve accuracy. Zimmer et al. developed a timing-based detector for CPS; Goldenberg et al. modeled Modbus network traffic as finite states and developed a state-based anomaly detector. Zheng et al. recently developed a “THE-driven” anomaly detector for Building Automation Networks (BANs).
It observes the BACnet traffic as a combination of multiple flow-service streams that fall into the “THE-driven” categories: time-driven, human-driven, and event-driven. Time-driven traffic follows periodic patterns, regular patterns, or on/off models. Human-driven and event-driven traffic present non-periodic patterns.
Based on these traffic patterns, the THE-driven anomaly detector adopts a different detection mechanism for each category of traffic. The proposed anomaly detector can effectively detect suspicious traffic in BANs with a small false alarm rate. This work greatly helps to combat malicious attacks against BANs.
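As an added illustration of the time-driven category (example code written for this page, not the detector of Zheng et al.), the following Python groups a constructed BACnet/IP log into flow-service streams, calls a stream time-driven when its inter-arrival gaps are regular (the coefficient-of-variation rule, the addresses and the service names are assumptions), and then flags polls that arrive outside the learned period.

```python
import statistics
from collections import defaultdict

# Constructed BACnet/IP traffic log: (timestamp_s, src, dst, service).
# A flow-service stream is one (src, dst, service) triple, as in the THE-driven view of BAN traffic.
SAMPLE = (
    # time-driven: a supervisory controller polling a VAV box every ~10 s (small jitter)
    [(10 * i + (0.1 if i % 2 else -0.1), "10.0.1.5", "10.0.1.20", "readProperty") for i in range(20)]
    # human-driven: an operator writing a setpoint at irregular moments
    + [(t, "10.0.1.50", "10.0.1.20", "writeProperty") for t in (3.2, 3.9, 40.1, 41.0, 95.5, 150.0)]
)

def group_streams(records):
    """Split a traffic log into per-stream sorted timestamp lists."""
    streams = defaultdict(list)
    for ts, src, dst, service in records:
        streams[(src, dst, service)].append(ts)
    return {k: sorted(v) for k, v in streams.items()}

def learn_period(timestamps, cv_threshold=0.1):
    """Return (period, tolerance) if inter-arrival gaps are regular enough to call the
    stream time-driven (assumed rule: coefficient of variation <= cv_threshold), else None."""
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
    if mean <= 0 or sd / mean > cv_threshold:
        return None
    return mean, 3 * max(sd, 0.05 * mean)   # tolerance floor of 5% of the period

def classify_streams(records):
    """Map each stream to ('time-driven', (period, tol)) or ('non-periodic', None)."""
    result = {}
    for key, ts in group_streams(records).items():
        model = learn_period(ts)
        result[key] = ("time-driven", model) if model else ("non-periodic", None)
    return result

def detect_time_driven_anomalies(model, timestamps):
    """Flag every message of a time-driven stream that arrives outside period +/- tolerance.
    Early arrivals indicate injected or extra polls; late ones indicate missing polls or a stall."""
    period, tol = model
    alerts = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        gap = cur - prev
        if abs(gap - period) > tol:
            alerts.append((cur, "early" if gap < period else "late", round(gap, 2)))
    return alerts
```

Human- and event-driven streams fall through as non-periodic and would need the separate mechanisms the text mentions; this block only handles the periodic case.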
Improving System Resilience
While we strive to prevent cyber-attacks from happening, it is also important to improve the resilience of CPS so that the system can continue to operate safely while under attack. Adaptive Commensurate Response (CR) and Path Redundancy are effective solutions in this category.
Current protocols and applications in CPSs allow significant changes to a system to take place within a short time or with a small network footprint, which attackers can exploit to cause a great impact on the physical system. Adaptive Commensurate Response (CR) narrows the asymmetry between the cost of an attack and its impact by enforcing that a command's footprint be commensurate with its impact on the system.
Such impact is measured by the change of the setpoint (change-driven CR) or the distance between the operating state and the critical state (criticality-driven CR).
A larger change of the setpoint corresponds to a longer response time; likewise, the system slows its response as it approaches the critical state. The authors demonstrate the technique on automobile cruise control and show that CR can effectively improve system resilience and attack survivability while satisfying QoS requirements.
In addition, Path Redundancy exploits path diversity in SCADA networks to improve data validity. Germanus et al. proposed a P2P overlay network on top of the SCADA network that provides path redundancy and data replication. The data replicas in the P2P network are used to validate the original message from the SCADA network.
Their approach can protect SCADA from node crashes and from data integrity attacks located between source and destination, but cannot detect malicious controllers colluding on behalf of an adversary.
Unlike Germanus et al., Zheng et al. leverage the existing embedded controllers in a SCADA network to create data replication. Their solution is shown to effectively prevent data integrity attacks and detect false command attacks from a single compromised path or controller, and it has been adopted in some critical infrastructures.
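The following Python is an added toy model of change-driven and criticality-driven CR on a cruise-control setpoint (written for this page, not the authors' implementation); the critical speed, the coefficients and the caution band within which the criticality term applies are all assumed values.

```python
from dataclasses import dataclass

@dataclass
class CommensurateResponse:
    """Toy cruise-control model of Adaptive CR (assumed parameters, not the authors' values)."""
    v_critical: float           # speed (km/h) treated as the critical state
    t_min: float = 1.0          # fastest response (s) for a negligible change
    k_change: float = 0.2       # change-driven: extra seconds per km/h of setpoint change
    k_crit: float = 20.0        # criticality-driven: extra seconds when the operating point reaches v_critical
    caution_band: float = 0.25  # fraction of v_critical within which the criticality term applies

    def response_time(self, current, target):
        """Seconds the controller takes to honour a setpoint change from current to target.
        Grows linearly with the size of the change and sharply as the higher of the two
        speeds approaches v_critical, so a large or dangerous command cannot take effect quickly."""
        delta = abs(target - current)
        margin = max(self.v_critical - max(current, target), 0.0) / self.v_critical
        closeness = max(0.0, 1.0 - margin / self.caution_band)   # 0 far from critical, 1 at it
        return self.t_min + self.k_change * delta + self.k_crit * closeness

    def ramp(self, current, target, dt=0.5):
        """Spread the change over response_time seconds in dt-second ticks and return the
        sequence of intermediate setpoints; a monitor or operator can veto the command at any tick."""
        t = self.response_time(current, target)
        rate = (target - current) / t            # km/h per second
        ticks = []
        while abs(target - current) > 1e-9:
            step = rate * dt
            current = target if abs(step) >= abs(target - current) else current + step
            ticks.append(round(current, 3))
        return ticks

if __name__ == "__main__":
    cr = CommensurateResponse(v_critical=220.0)
    for cur, tgt in ((100.0, 105.0), (100.0, 150.0), (100.0, 200.0), (200.0, 210.0)):
        print(f"{cur:>5} -> {tgt:>5}: {cr.response_time(cur, tgt):6.2f} s, {len(cr.ramp(cur, tgt))} ticks")
```

A 5 km/h adjustment completes in a few ticks, while a command that jumps the setpoint towards the critical speed is stretched over many ticks, which is the asymmetry CR is meant to remove.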
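As an added illustration of replica-based validation for both approaches above (example code written for this page, not that of Germanus et al. or Zheng et al.), the following Python checks one SCADA command against copies delivered through two other controllers; the three-path layout, the device and path names and the quorum of two are assumptions. The last scenario reproduces the stated limitation: colluding paths can outvote the honest one.

```python
from collections import Counter

# Constructed: the same SCADA command as delivered over the direct path and over two
# replicas relayed through other embedded controllers (assumed three-path setup).
# Each delivery is (seq, device, command, value); None means that path delivered nothing.

def validate_command(deliveries, quorum=2):
    """Accept a command only if at least `quorum` paths agree on the identical message.
    Returns the accepted message plus the dissenting (suspect) and silent (crashed) paths."""
    delivered = {p: m for p, m in deliveries.items() if m is not None}
    crashed = sorted(p for p, m in deliveries.items() if m is None)
    if not delivered:
        return {"status": "no-data", "accepted": None, "suspect": [], "crashed": crashed}
    message, votes = Counter(delivered.values()).most_common(1)[0]
    if votes < quorum:
        # no agreeing majority: withhold the command rather than guess which path is honest
        return {"status": "unverifiable", "accepted": None,
                "suspect": sorted(delivered), "crashed": crashed}
    suspect = sorted(p for p, m in delivered.items() if m != message)
    return {"status": "ok" if not suspect else "integrity-violation",
            "accepted": message, "suspect": suspect, "crashed": crashed}

GOOD = (17, "breaker-7", "SET_STATE", "CLOSED")
FORGED = (17, "breaker-7", "SET_STATE", "OPEN")   # tampered copy of the same sequence number

SCENARIOS = {
    "all-agree": {"direct": GOOD, "via-ctrl-A": GOOD, "via-ctrl-B": GOOD},
    "single-path-tampered": {"direct": FORGED, "via-ctrl-A": GOOD, "via-ctrl-B": GOOD},
    "one-node-crashed": {"direct": GOOD, "via-ctrl-A": None, "via-ctrl-B": GOOD},
    "crash-plus-tamper": {"direct": FORGED, "via-ctrl-A": None, "via-ctrl-B": GOOD},
    "two-colluding-paths": {"direct": GOOD, "via-ctrl-A": FORGED, "via-ctrl-B": FORGED},
}

def run_scenarios():
    """Evaluate every constructed scenario; used by the usage below and by tests."""
    return {name: validate_command(d) for name, d in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:<22} {verdict['status']:<20} suspect={verdict['suspect']} crashed={verdict['crashed']}")
```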
Protect IoT Devices in Home Network
To counter Mirai-like attacks and protect IoT devices, Norton Core focuses on securing IoT devices at the network level, leaving firmware and configuration vulnerabilities on the end devices themselves unaddressed.
The IoTAegis framework, however, addresses the problem at the device level: it automatically manages the device configurations and security updates of IoT devices. The solution works for networks of any size, from small home networks to large campus or enterprise networks, and is shown to be effective, scalable, lightweight, and deployable in different forms and network types.
Critical infrastructure networks and IoT devices have been shown to be vulnerable to cyber-attacks. This is a challenging research area due to increasingly sophisticated attack vectors and the limited computing and processing capability of embedded controllers.
The work above can greatly help to protect CPS and IoT devices. We hope to bridge the gap between academia and industry by encouraging more facilities and industrial partners to take advantage of these solutions to better protect their networks.