Security of Cyber-Physical Systems

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 1 - Cyber Science & Technology at the Army Research Laboratory (ARL)

Author: Dr. Edward Colbert
Posted: 01/26/2017

Intrusion Detection for Cyber-Physical Systems

Even if the known threats, risk factors and other security metrics are well understood and effectively mitigated, a determined adversary will have a non-negligible probability of successfully penetrating or intruding into a CPS. Here we use the term “intrusion detection” to refer to a broad range of processes and effects associated with the presence and actions of malicious software and malicious activity against a CPS. Once an intrusion has occurred, the first and necessary step toward defeat and remediation is to detect the existence of the intrusion.

In Colbert & Hutchinson (2016), we describe the history of intrusion detection in IT and CPS systems and discuss various methods and Intrusion Detection Systems (IDS). These authors discuss the difficult question of whether insights and approaches intended for information and communications technology (IT) systems can be adapted for CPSs. To answer this question, they explore modern intrusion detection techniques in IT such as host-based techniques and network-based techniques, and the differences and relative advantages of signature-based and non-signature methods.

After approximately 2010, CPS intrusion detection techniques began to focus on knowledge about the processes controlled by the CPSs rather than on direct detection or inference of the malware on the network. The design intent of a CPS is (1) to establish appropriate process values to produce the desired output and (2) to allow operators to observe aspects of the plant to assure proper operation and safety and quality conditions. The sole purpose and only capability of CPS network traffic control messages is to support the synchronization of the PLC registers and to provide a local, HMI-side copy of these registers, in order to effect control of the plant processes. IT network traffic has a much wider variety of uses, but is not generally used for process control. While both CPS and IT computers have registers, only a CPS network can change and read register values. Register values directly affect process parameters and hence the process. Since CPS security is ultimately for safeguarding the process variables and not the network traffic itself, process-oriented designs for monitoring and intrusion detection became of interest.

For example, Hadziosmanovic et al. (2013) attempted to model process variable excursions beyond their appropriate ranges using machine-learning techniques. These authors describe a novel network monitoring approach that utilizes process semantics by (1) extracting the values of process variables from network traffic, (2) characterizing types of variables based on the behavior of their time series, and (3) modeling and monitoring the regularity of variable values over time. Approximately 98% of the process control variables used in real-world plants are reliably monitored by their process-oriented method. The remaining 2% of the variables remain challenging to model with this approach. This novel approach demonstrates that process variables can successfully be modeled for intrusion detection (ID). However, as they mention, additional work is needed if all of the process variables are to be monitored reliably. Semantic modeling of plant control variables in the control system process became a favorable and presumably effective intrusion detection method for CPS.

Semantic Security Monitoring (SSM) by Hadziosmanovic et al. (2013) used analysis of control-bus traffic messages to construct a third copy of the plant-PLC registers for a new purpose: to detect events that suggest that plant operations may be out of specification, out of compliance, or out of a desired safety range. An important caveat of using network data to construct a security model is that the network control messages were never intended for security monitoring. The rates and precision of the information in the control messages are designed to be sufficient to accomplish control and maintain quality output, but they may not be appropriate or sufficient for security and safety monitoring operations.
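The following is an added illustration of the network-derived register copy described above; it is not code from the article, from ARL, or from Hadziosmanovic et al. It rebuilds a shadow copy of PLC holding registers from captured Modbus/TCP frames (write requests and read request/response pairs), keeps a per-register time series, and then applies the caveat from the paragraph above: it reports registers whose observed update interval is too sparse for a stated monitoring requirement. The frames, register addresses, values and timestamps are constructed for the example; the Modbus function codes and MBAP header layout are the public protocol definitions.

```python
"""Shadow copy of PLC holding registers rebuilt from captured Modbus/TCP frames.

Constructed example: the frames below are hand-built byte strings, not a real capture.
"""
import struct
from collections import defaultdict

# Public Modbus function codes used here
FC_READ_HOLDING = 3
FC_WRITE_SINGLE = 6
FC_WRITE_MULTIPLE = 16


def parse_mbap(frame):
    """Split one Modbus/TCP frame into (transaction_id, unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7], frame[8:]


class RegisterShadow:
    """Third copy of the PLC registers (beside the PLC's own and the HMI's), built purely
    from observed traffic, with a per-register time series of (timestamp, value)."""

    def __init__(self):
        self.registers = {}                 # (unit, address) -> last observed value
        self.history = defaultdict(list)    # (unit, address) -> [(t, value), ...]
        self._pending_reads = {}            # (tid, unit) -> (start_address, quantity)

    def _record(self, t, unit, address, value):
        self.registers[(unit, address)] = value
        self.history[(unit, address)].append((t, value))

    def observe(self, t, frame, from_master):
        """Feed one frame. from_master=True for HMI->PLC, False for PLC->HMI."""
        tid, unit, fc, data = parse_mbap(frame)
        if from_master and fc == FC_WRITE_SINGLE:
            address, value = struct.unpack(">HH", data[:4])
            self._record(t, unit, address, value)
        elif from_master and fc == FC_WRITE_MULTIPLE:
            start, qty, nbytes = struct.unpack(">HHB", data[:5])
            values = struct.unpack(">%dH" % qty, data[5:5 + nbytes])
            for i, v in enumerate(values):
                self._record(t, unit, start + i, v)
        elif from_master and fc == FC_READ_HOLDING:
            # remember the request so the response can be mapped back to addresses
            self._pending_reads[(tid, unit)] = struct.unpack(">HH", data[:4])
        elif not from_master and fc == FC_READ_HOLDING:
            start, qty = self._pending_reads.pop((tid, unit), (None, None))
            if start is None:
                return  # response without a matching request: nothing to attribute
            nbytes = data[0]
            values = struct.unpack(">%dH" % (nbytes // 2), data[1:1 + nbytes])
            for i, v in enumerate(values[:qty]):
                self._record(t, unit, start + i, v)
        # exception responses (fc & 0x80) and other function codes are ignored here

    def stale_registers(self, required_interval):
        """Registers whose observed update gap exceeds what the monitoring task needs:
        the control traffic samples them, but not often enough for security monitoring."""
        stale = []
        for key, series in self.history.items():
            gaps = [b[0] - a[0] for a, b in zip(series, series[1:])]
            if gaps and max(gaps) > required_interval:
                stale.append(key)
        return sorted(stale)


def mb_frame(tid, unit, fc, payload):
    """Build a Modbus/TCP frame (helper for the constructed sample traffic)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample session (seconds, direction, frame): register 100 is a setpoint
# written by the HMI, registers 200-201 are polled every 5 s, register 300 changes
# only once a minute.
SAMPLE = [
    (0.0, True, mb_frame(1, 1, FC_WRITE_SINGLE, struct.pack(">HH", 100, 750))),
    (0.1, True, mb_frame(2, 1, FC_READ_HOLDING, struct.pack(">HH", 200, 2))),
    (0.2, False, mb_frame(2, 1, FC_READ_HOLDING, bytes([4]) + struct.pack(">HH", 412, 18))),
    (5.1, True, mb_frame(3, 1, FC_READ_HOLDING, struct.pack(">HH", 200, 2))),
    (5.2, False, mb_frame(3, 1, FC_READ_HOLDING, bytes([4]) + struct.pack(">HH", 415, 18))),
    (7.0, True, mb_frame(4, 1, FC_WRITE_MULTIPLE, struct.pack(">HHB", 300, 1, 2) + struct.pack(">H", 1))),
    (67.0, True, mb_frame(5, 1, FC_WRITE_MULTIPLE, struct.pack(">HHB", 300, 1, 2) + struct.pack(">H", 0))),
]


def build_shadow(session=SAMPLE):
    """Replay a captured session into a fresh RegisterShadow."""
    shadow = RegisterShadow()
    for t, from_master, frame in session:
        shadow.observe(t, frame, from_master)
    return shadow


if __name__ == "__main__":
    s = build_shadow()
    print("shadow registers:", s.registers)
    print("too sparse for 10 s monitoring:", s.stale_registers(10.0))
```

Run as a script it prints the reconstructed register map and flags unit 1, register 300 as too sparsely observed for a 10-second monitoring requirement. The read-response pairing by transaction id is the part that most often breaks on real captures (retransmissions, reused ids), which is one concrete reason the paragraph above warns that control traffic is not a security data source by design.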

Figure 2: Three layers of a Cyber Physical System

A second method of semantic modeling, developed at the US Army Research Laboratory, was proposed by Colbert et al. (2016). This method requires plant personnel to define critical process variable limits, instead of inferring the input to the security model from network control traffic.

One can view the CPS as a three-layer system to better understand our process-oriented intrusion detection method. As mentioned, CPSs inherently have physical and cyber layers, in which physical machinery and attackers and defenders operate, respectively (see Figure 2). In our model, intrusion detection occurs on a third layer (the “process” layer), in which the system operator and system owner operate. A process diagram, plant policies and procedures, and continuous system monitoring by the system operator determine the critical elements and requirements needed to keep the system operational.

Our CPS intrusion detection research at the Army Research Laboratory (ARL) is based on the assumption that not all of the process variables need to be monitored for alerting. Rather, there are critical process variables (or, more generically, critical elements of the process) that need to be monitored for alerting. Abnormal values of the remaining variables are not significant enough to harm the underlying plant process. We argue that identifying the critical values and determining the allowed ranges of those critical values is extremely difficult if only network traffic data are used. We use a collaborative approach to constructing the security model which requires plant operator or plant SME input and potentially out-of-band (OOB) sensor data in addition to data from network packets.

Our model recognizes that, just as in IT intrusion detection, reference information from plant sensors, configurations, semantics, and policies (acceptable security/safety value ranges) must be captured, maintained, shared, and made available to the security/safety monitoring analysts in a timely, orderly, and priority-relevant manner to enhance decision-making. However, it also recognizes that CPS process sampling methods and process control methods (e.g. MODBUS) were never intended to feed security/safety analyses. Thus, as stated earlier, many process parameters seen in network traffic may not be relevant, or may not be sampled at sufficient rate or fidelity. Moreover, there may be other process variables that are indeed critical but are not represented in network traffic, i.e. they are out of band. In this case, independent sensing of these parameters would be needed to create sufficient uplift in timeliness, accuracy, and relevance for the security/safety monitoring mission. In the ARL model, the SME defines the critical security model variables based on his knowledge and analysis of the plant processes, and the IDS security engineer implements the appropriate security model. We refer to this model as “collaborative” since the security engineer utilizes human input from the plant operator/SME when constructing the IDS security model.

Our ARL intrusion detection development platform (e.g. see Long 2004) defines ‘alerting’ as automatic information generation to be sent to a human analyst for further consideration. The analyst then examines the alerts and other relevant information and determines when to send an ‘alarm’ to the system owner. An alarm is a notice of a possible compromise or other insecure situation, as determined by the human analyst, whereas an alert is automatically generated information from a sensor or algorithm.

Our collaborative intrusion detection model was implemented in the ARL intrusion detection development platform in a live testbed at ARL. General findings from our testbed experiments are described in Sullivan & Colbert (2016) and Sullivan, Colbert & Kott (2016). In Figure 3, we show the implemented IDS architecture in our testbed. A network tap (e.g. SPAN port on a switch) provides network capture data to one or more sensor nodes. Some of the data are pre-processed on the sensor nodes into ‘detects’ (detect/alert information) and index data. The Ingest node then forwards that data to a master node, which stores raw data and provides indexed information for analyst web tools. More complicated analytics are executed by the Analysis Node, which again places results back on the Master Node for the web interface to display. The Web Interface contains an HTTP web server with web analytics and web links for execution of additional analysis tools. The Human Analyst then examines alerting information that resides in the system using various analytical tools.

Figure 3: Generic Intrusion Detection Architecture

In our testbed implementation, IDS alerting by the Sensor Node is generated from anomalies on the process layer by monitoring critical process values. As mentioned, critical process variables are those that have been collaboratively defined to signify whether the control system is successfully operational or not. Sensor nodes are modified specifically to monitor the values of all critical process variables. For example, nominal values, upper and lower limits for critical values, and the criticality of the alert are programmed into the sensor node. This process-oriented intrusion detection method is meant to be used in parallel with the anomaly-based and signature-based intrusion detection methods that are available for CPSs (see Colbert & Hutchinson 2016).
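As an added illustration of the collaborative, process-layer monitoring described in the preceding paragraphs (the SME-defined critical variables with nominal values, limits and criticality; out-of-band sensors for variables absent from network traffic; and the alert/alarm distinction), the following code is not the article's, ARL's or the testbed's implementation. The security model entries, variable names, limits and observations are all constructed. Observations arrive already extracted (for example from a network register copy or an independent sensor); the monitor raises alerts for out-of-band-of-limits values and for critical variables that have gone silent, orders them for the analyst by criticality, and leaves the alarm decision to an explicit human step.

```python
"""Process-layer monitor for SME-defined critical process variables.

Added illustration with constructed model entries and observations; not ARL's testbed code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CriticalVariable:
    """One entry of the collaboratively built security model. The plant SME supplies
    nominal value, allowed band and criticality; the security engineer records where
    the value is observed and how often a sample is required."""
    name: str
    nominal: float
    low: float
    high: float
    criticality: int        # 1 (low) .. 3 (high), assigned by the plant SME
    source: str             # "network" (seen in control traffic) or "oob" (independent sensor)
    max_interval: float     # longest acceptable gap between samples, in seconds


@dataclass(frozen=True)
class Alert:
    """Automatically generated detect; it goes to the human analyst, not to the owner."""
    variable: str
    value: Optional[float]
    reason: str
    criticality: int
    time: float


@dataclass(frozen=True)
class Alarm:
    """Notice of a possible compromise, issued only by the analyst after review."""
    alert: Alert
    analyst: str
    note: str


class ProcessMonitor:
    def __init__(self, model: List[CriticalVariable]):
        self.model: Dict[str, CriticalVariable] = {v.name: v for v in model}
        self.last_seen: Dict[str, float] = {}

    def observe(self, t: float, name: str, value: float) -> List[Alert]:
        """Check one extracted sample against the SME-defined band."""
        v = self.model.get(name)
        if v is None:
            return []  # not a critical variable: abnormal values here do not harm the process
        self.last_seen[name] = t
        if value < v.low or value > v.high:
            reason = "value %g outside [%g, %g] (nominal %g)" % (value, v.low, v.high, v.nominal)
            return [Alert(name, value, reason, v.criticality, t)]
        return []

    def check_staleness(self, now: float) -> List[Alert]:
        """Critical variables not sampled within their tolerated interval. Silence on a
        critical variable, network or out-of-band, is itself worth the analyst's attention."""
        alerts = []
        for name, v in self.model.items():
            seen = self.last_seen.get(name)
            if seen is None or now - seen > v.max_interval:
                reason = "no %s sample for more than %gs" % (v.source, v.max_interval)
                alerts.append(Alert(name, None, reason, v.criticality, now))
        return alerts


def triage_order(alerts: List[Alert]) -> List[Alert]:
    """Priority-relevant presentation: highest criticality first, then oldest first."""
    return sorted(alerts, key=lambda a: (-a.criticality, a.time))


def raise_alarm(alert: Alert, analyst: str, note: str) -> Alarm:
    """The human decision that turns an alert into an alarm for the system owner."""
    return Alarm(alert, analyst, note)


# Constructed security model (hypothetical plant): two network-visible variables and one
# temperature that only an independent sensor reports.
MODEL = [
    CriticalVariable("tank_level", 50.0, 20.0, 80.0, 3, "network", 30.0),
    CriticalVariable("mixer_rpm", 1200.0, 1000.0, 1400.0, 1, "network", 30.0),
    CriticalVariable("pump_temp", 60.0, 0.0, 90.0, 2, "oob", 15.0),
]

# Constructed observations: (seconds, variable, value)
OBSERVATIONS = [
    (0.0, "tank_level", 52.0), (0.0, "pump_temp", 61.0), (0.0, "mixer_rpm", 1210.0),
    (5.0, "tank_level", 55.0), (5.0, "mixer_rpm", 950.0),
    (10.0, "tank_level", 85.0),
    (15.0, "tank_level", 57.0), (15.0, "mixer_rpm", 1205.0), (15.0, "lamp_state", 1.0),
]


def run_demo(now: float = 20.0):
    """Replay the constructed observations; returns (value alerts, staleness alerts, analyst queue)."""
    monitor = ProcessMonitor(MODEL)
    alerts: List[Alert] = []
    for t, name, value in OBSERVATIONS:
        alerts.extend(monitor.observe(t, name, value))
    stale = monitor.check_staleness(now)
    return alerts, stale, triage_order(alerts + stale)


if __name__ == "__main__":
    _, _, queue = run_demo()
    for a in queue:
        print("crit %d  t=%5.1f  %-10s %s" % (a.criticality, a.time, a.variable, a.reason))
    print(raise_alarm(queue[0], "analyst-1", "level excursion confirmed on HMI trend"))
```

Run as a script, the analyst queue lists the tank level excursion (criticality 3) first, then the silent out-of-band pump temperature sensor (criticality 2), then the low mixer speed (criticality 1); the non-critical `lamp_state` sample produces nothing. Keeping `raise_alarm` as a separate, explicitly human-invoked step mirrors the article's distinction: the monitor only generates alerts, and an alarm to the system owner is the analyst's determination.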


References

  1. Cardenas, A. A., Amin, S., & Sastry, S. (2008, June). “Secure Control: Towards Survivable Cyber-Physical Systems,” in Proceedings of the 28th International Conference on Distributed Computing Systems Workshops-Volume 00, IEEE Computer Society, pp. 495-500
  2. Colbert, E. & Hutchinson, S. (2016) “Intrusion Detection in Industrial Control Systems,” in Cyber-security of SCADA and Other Industrial Control Systems (eds. E. Colbert & A. Kott) (Springer: New York), p. XXX
  3. Colbert, E., Sullivan, D., Hutchinson, S., Renard, K., and Smith, S. (2016) “A Process-Oriented Intrusion Detection Method for Industrial Control Systems,” in Proceedings of the 11th International Conference on Cyber Warfare and Security (ICCWS2016), p. 497
  4. Colbert, E., & Kott, A. (2016) Cyber Security of SCADA and Other Industrial Control Systems (Springer: New York)
  5. Evancich, N., & Li, J. (2016) “Attacks on Industrial Control Systems in Industrial Control Systems,” in Cyber-security of SCADA and Other Industrial Control Systems (eds. E. Colbert & A. Kott) (Springer: New York), p. XXX
  6. Hadziosmanovic, D., Sommer, R., Zambon, E., and Hartel, P. (2014) “Through the eye of the PLC,” in Proceedings of the 30th Annual Computer Society Applications Conference (ACSAC 2014), pp. 126-135
  7. Hahn, A. (2016) “Operational Technology and Information Technology in Industrial Control Systems,” in Cyber-security of SCADA and Other Industrial Control Systems (eds. E. Colbert & A. Kott) (Springer: New York), p. XXX
  8. Henry, M. H., Zaret, D. R., Carr, J. R., Gordon, J. D., and Layer, R. M. (2016) “Cyber Risk in Industrial Control Systems,” in Cyber-security of SCADA and Other Industrial Control Systems (eds. E. Colbert & A. Kott) (Springer: New York), p. XXX
  9. Langner, R. (2011) “Stuxnet: Dissecting a cyberwarfare weapon,” Security & Privacy, IEEE 9.3, pp. 49-51
  10. Long, K. (2004) “Catching the Cyber Spy: ARL’s Interrogator,” in Proc. of the 24th Army Science Conference, Orlando, FL, DTIC report ADA432198
  11. Luders, S. (2005) “Control Systems under Attack?” in 10th ICALEPCS International Conference on Accelerator and Large Experimental Physics Control Systems, Geneva
  12. Luiijf, E. (2016) “Threats in Industrial Control Systems,” in Cyber-security of SCADA and Other Industrial Control Systems (eds. E. Colbert & A. Kott) (Springer: New York), p. XXX
  13. Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., and Hahn, A. (2015) “Guide to Industrial Control Systems (ICS) Security,” NIST Special Publication 800-82 Rev. 2
  14. Sullivan, D. (2015) “Survey of Malware Threats and Recommendations to Improve Cybersecurity for Industrial Control Systems,” ARL Technical Report ARL-CR-0759, February
  15. Sullivan, D., Colbert, E., & Kott, A. (2016) “Network Analysis of Reconnaissance and Intrusion of an Industrial Control System,” MILCOM 2016, in press
  16. Sullivan, D., & Colbert, E. (2016) “Network Analysis of Reconnaissance and Intrusion of an Industrial Control System,” ARL Technical Report, in press
  17. US Department of Energy (2002) “21 Steps to Improve Cyber Security of SCADA Networks,” Washington DC: US Department of Energy
  18. US Executive Order No. 13636 (2013) “Improving Infrastructure Cybersecurity”
  19. Weiss, J. (2010) Protecting Industrial Control Systems from Electronic Threats (Momentum Press: New York)
  20. Zetter, K. (2015). Countdown to zero day: Stuxnet and the launch of the world’s first digital weapon, (Crown: New York)
  21. Zhu, Q., & Basar, T. (2015) “Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: games-in-games principle for optimal cross-layer resilient control systems,” IEEE Control Systems, 35(1), pp. 46-65.

Author

Dr. Edward Colbert
Dr. Edward Colbert leads security research on methods for defending Army control systems and Internet of Things (IoT) systems in the Network Science Division at the US Army Research Laboratory (ARL). Before working at ARL, Dr. Colbert performed telecommunications research for the Department of Defense, Verizon, and the Johns Hopkins University Applied Physics Laboratory. Dr. Colbert received the Bachelor of Science degree in Engineering Physics from the University of Illinois (1987), the Master of Science in Physics from the University of Illinois (1988), the Master of Science in Astronomy from the University of Maryland (1993), and the Ph.D. in Astronomy from the University of Maryland (1997). Dr. Colbert holds a research professorship at the Catholic University of America in Washington, DC, and is currently advising several Ph.D. students at various local institutions. He also manages the Cyber-security research alliance at ARL, which is a joint academic research program between Army, industry, and academic partners. Dr. Colbert has over 50 publications in refereed journals, and is editor of a recent book by Springer entitled Cyber Security of SCADA and Other Industrial Control Systems.
