Journal ArticleDOI

Cyber Security of Water SCADA Systems—Part I: Analysis and Experimentation of Stealthy Deception Attacks

TL;DR: The deception attack presented here can enable remote water pilfering from automated canal systems; a field-operational test attack on the Gignac canal system located in Southern France is also reported.
Abstract: This brief aims to perform security threat assessment of networked control systems with regulatory and supervisory control layers. We analyze the performance of a proportional-integral controller (regulatory layer) and a model-based diagnostic scheme (supervisory layer) under a class of deception attacks. We adopt a conservative approach by assuming that the attacker has knowledge of: 1) the system dynamics; 2) the parameters of the diagnostic scheme; and 3) the sensor-control signals. The deception attack presented here can enable remote water pilfering from automated canal systems. We also report a field-operational test attack on the Gignac canal system located in Southern France.
Citations
Journal ArticleDOI
TL;DR: An overview of recent advances on security control and attack detection of industrial CPSs is presented, and robustness, security and resilience as well as stability are discussed to govern the capability of weakening various attacks.

663 citations

Journal ArticleDOI
TL;DR: This technical note investigates how an attacker should schedule its Denial-of-Service (DoS) attacks to degrade the system performance.
Abstract: Security of Cyber-Physical Systems (CPS) has gained increasing attention in recent years. Most existing works mainly investigate the system performance given some attacking patterns. In this technical note, we investigate how an attacker should schedule its Denial-of-Service (DoS) attacks to degrade the system performance. Specifically, we consider the scenario where a sensor sends its data to a remote estimator through a wireless channel, while an energy-constrained attacker decides whether to jam the channel at each sampling time. We construct optimal attack schedules to maximize the expected average estimation error at the remote estimator. We also provide the optimal attack schedules when a special intrusion detection system (IDS) at the estimator is given. We further discuss the optimal attack schedules when the sensor has energy constraint. Numerical examples are presented to demonstrate the effectiveness of the proposed optimal attack schedules.

427 citations

Journal ArticleDOI
TL;DR: Previous work on physics-based anomaly detection based on a unified taxonomy that allows us to identify limitations and unexplored challenges and to propose new solutions is reviewed.
Abstract: Monitoring the “physics” of cyber-physical systems to detect attacks is a growing area of research. In its basic form, a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements to identify potentially false control commands or false sensor readings. In this article, we review previous work on physics-based anomaly detection based on a unified taxonomy that allows us to identify limitations and unexplored challenges and to propose new solutions.

383 citations


Cites background from "Cyber Security of Water SCADA Syste..."

  • ...[3, 4], the attacker launches physical attacks to the system (physically stealing water from water distribution systems), while at the same time it launches a cyber-attack (compromised sensors send false data masking the effects of the physical attack)....


Journal ArticleDOI
TL;DR: The purpose of the addressed problem is to design an observer-based distributed controller such that the closed-loop multiagent system achieves the prescribed consensus in spite of the lossy sensors and cyber-attacks.
Abstract: In this paper, the observer-based event-triggering consensus control problem is investigated for a class of discrete-time multiagent systems with lossy sensors and cyber-attacks. A novel distributed observer is proposed to estimate the relative full states and the estimated states are then used in the feedback protocol in order to achieve the overall consensus. An event-triggered mechanism with state-independent threshold is adopted to update the control input signals so as to reduce unnecessary data communications. The success ratio of the launched attacks is taken into account to reflect the probabilistic failures of the attacks passing through the protection devices subject to limited resources and network fluctuations. The purpose of the addressed problem is to design an observer-based distributed controller such that the closed-loop multiagent system achieves the prescribed consensus in spite of the lossy sensors and cyber-attacks. By making use of eigenvalues and eigenvectors of the Laplacian matrix, the closed-loop system is transformed into an easy-to-analyze setting and then a sufficient condition is derived to guarantee the desired consensus. Furthermore, the controller gain is obtained in terms of the solution to a certain matrix inequality which is independent of the number of agents. An algorithm is provided to optimize the consensus bound. Finally, a simulation example is utilized to illustrate the usefulness of the proposed controller design scheme.

365 citations


Cites background from "Cyber Security of Water SCADA Syste..."

  • ...Accordingly, as highlighted in [8], [25], [27], and [30], the security challenges have recently become emerging topics of research and some preliminary results have been reported with regard to various cyber-attacks, for example, Denial of service (DoS) attacks [1], [22], deception attacks [2], [10], [27], and replay attacks [41]....


Journal ArticleDOI
TL;DR: This paper is concerned with the security control problem with quadratic cost criterion for a class of discrete-time stochastic nonlinear systems subject to deception attacks, and proposes an easy-solution version on above inequalities to obtain both the controller gain and the upper bound.
Abstract: This paper is concerned with the security control problem with quadratic cost criterion for a class of discrete-time stochastic nonlinear systems subject to deception attacks. A definition of security in probability is adopted to account for the transient dynamics of controlled systems. The purpose of the problem under consideration is to design a dynamic output feedback controller such that the prescribed security in probability is guaranteed while obtaining an upper bound of the quadratic cost criterion. First of all, some sufficient conditions in the form of matrix inequalities are established in the framework of input-to-state stability in probability. Then, an easy-solution version of the above inequalities is proposed by applying the well-known matrix inverse lemma to obtain both the controller gain and the upper bound. Furthermore, the main results are shown to be extendable to the case of discrete-time stochastic linear systems. Finally, two simulation examples are utilized to illustrate the usefulness of the proposed controller design scheme.

364 citations


Cites methods from "Cyber Security of Water SCADA Syste..."

  • ...Furthermore, via the techniques of dynamic programming or Lyapunov stability theory, some preliminary results concerning security control problems have been reported in [1], [12], and [22] for the case of DoS attacks and [2], [26], and [34] for the case of deception attacks....


References
Journal ArticleDOI
TL;DR: In this article, a new class of attacks, called false data injection attacks, against state estimation in electric power grids is presented and analyzed, under the assumption that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations such as substations.
Abstract: A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including interacting bad measurements introduced by arbitrary, nonrandom causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this article, we expose an unknown vulnerability of existing bad measurement detection algorithms by presenting and analyzing a new class of attacks, called false data injection attacks, against state estimation in electric power grids. Under the assumption that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations such as substations, such attacks can introduce arbitrary errors into certain state variables without being detected by existing algorithms. Moreover, we look at two scenarios, where the attacker is either constrained to specific meters or limited in the resources required to compromise meters. We show that the attacker can systematically and efficiently construct attack vectors in both scenarios to change the results of state estimation in arbitrary ways. We also extend these attacks to generalized false data injection attacks, which can further increase the impact by exploiting measurement errors typically tolerated in state estimation. We demonstrate the success of these attacks through simulation using IEEE test systems, and also discuss the practicality of these attacks and the real-world constraints that limit their effectiveness.

2,064 citations

Proceedings ArticleDOI
09 Nov 2009
TL;DR: A new class of attacks, called false data injection attacks, against state estimation in electric power grids are presented, showing that an attacker can exploit the configuration of a power system to launch such attacks to successfully introduce arbitrary errors into certain state variables while bypassing existing techniques for bad measurement detection.
Abstract: A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including the interacting bad measurements introduced by arbitrary, non-random causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids. We show that an attacker can exploit the configuration of a power system to launch such attacks to successfully introduce arbitrary errors into certain state variables while bypassing existing techniques for bad measurement detection. Moreover, we look at two realistic attack scenarios, in which the attacker is either constrained to some specific meters (due to the physical protection of the meters), or limited in the resources required to compromise meters. We show that the attacker can systematically and efficiently construct attack vectors in both scenarios, which can not only change the results of state estimation, but also modify the results in arbitrary ways. We demonstrate the success of these attacks through simulation using IEEE test systems. Our results indicate that security protection of the electric power grid must be revisited when there are potentially malicious attacks.

1,592 citations


"Cyber Security of Water SCADA Syste..." refers background in this paper

  • ...While recent efforts have focused on applying IT security solutions to NCS, these solutions do not directly address the risks due to an intelligent attacker who is capable of compromising sensor-control data [3],[4]....


Journal ArticleDOI
TL;DR: This note presents a simple method to design a full-order observer for linear systems with unknown inputs and the necessary and sufficient conditions for the existence of the observer are given.
Abstract: This note presents a simple method to design a full-order observer for linear systems with unknown inputs. The necessary and sufficient conditions for the existence of the observer are given.

780 citations


"Cyber Security of Water SCADA Syste..." refers methods in this paper

  • ...We build on past results on the design of unknown input observers [13], [14], and utilize delay-dependent stability conditions for time-delay systems [15]....


Proceedings ArticleDOI
22 Mar 2011
TL;DR: By incorporating knowledge of the physical system under control, this paper is able to detect computer attacks that change the behavior of the targeted control system and analyze the security and safety of the mechanisms by exploring the effects of stealthy attacks, and by ensuring that automatic attack-response mechanisms will not drive the system to an unsafe state.
Abstract: In the last years there has been an increasing interest in the security of process control and SCADA systems. Furthermore, recent computer attacks such as the Stuxnet worm, have shown there are parties with the motivation and resources to effectively attack control systems. While previous work has proposed new security mechanisms for control systems, few of them have explored new and fundamentally different research problems for securing control systems when compared to securing traditional information technology (IT) systems. In particular, the sophistication of new malware attacking control systems--malware including zero-day attacks, rootkits created for control systems, and software signed by trusted certificate authorities--has shown that it is very difficult to prevent and detect these attacks based solely on IT system information. In this paper we show how, by incorporating knowledge of the physical system under control, we are able to detect computer attacks that change the behavior of the targeted control system. By using knowledge of the physical system we are able to focus on the final objective of the attack, and not on the particular mechanisms of how vulnerabilities are exploited, and how the attack is hidden. We analyze the security and safety of our mechanisms by exploring the effects of stealthy attacks, and by ensuring that automatic attack-response mechanisms will not drive the system to an unsafe state. A secondary goal of this paper is to initiate the discussion between control and security practitioners--two areas that have had little interaction in the past. We believe that control engineers can leverage security engineering to design--based on a combination of their best practices--control algorithms that go beyond safety and fault tolerance, and include considerations to survive targeted attacks.

749 citations

Book ChapterDOI
19 Mar 2007
TL;DR: This paper examines the response to the 2000 SCADA security incident at Maroochy Water Services in Queensland, Australia, and the lessons learned are useful for establishing academic and industry-based research agendas in SCADA security as well as for safeguarding critical infrastructure.
Abstract: Supervisory control and data acquisition (SCADA) systems are widely used to monitor and control operations in electrical power distribution facilities, oil and gas pipelines, water distribution systems and sewage treatment plants. Technological advances over the past decade have seen these traditionally closed systems become open and Internet-connected, which puts the service infrastructures at risk. This paper examines the response to the 2000 SCADA security incident at Maroochy Water Services in Queensland, Australia. The lessons learned from this incident are useful for establishing academic and industry-based research agendas in SCADA security as well as for safeguarding critical infrastructure.

637 citations


"Cyber Security of Water SCADA Syste..." refers background in this paper

  • ...Targeted attacks to NCS are the most serious class of attacks because the attackers tailor their strategies toward damaging NCS components [5],[6]....
