Abstract
Owing to its integration with cyber systems, the Industrial Internet of Things (IIoT) is susceptible to integrity attacks, which can inflict fatal consequences in both the industrial and economic domains. Compared to traditional networks, IIoT based on Software Defined Networking (SDN) provides various network security enhancements that decrease the effects of integrity attacks. In an industrial process, anomaly detection with negligible false positives is the ideal intrusion detection mode, since it does not require storing attack patterns or acquiring exhaustive knowledge of the devices in the IIoT. This research extends our previous work, which employed a hybrid of specification and anomaly detection methods to recognize anomalies of critical components in a water treatment test bed at the Singapore University of Technology and Design (SUTD). The proposed work defines invariants for all the processes of the test bed. Any conflict with the invariants is reported as an intrusion, and the compromised device is identified. Validation is done with the Mininet tool using the testbed dataset. Out of the 30 successful attacks, this effort discovers 29, with a detection rate of 96.5% and a false positive rate of 6.5%.
Introduction
Proprietary communication protocols dominate Industrial Control Systems (ICS), which include Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) structures and Human Machine Interfaces. These architectures were conceived to be secure when operated in a detached environment [1]. However, after their association with the Internet Protocol (IP) and related standards, they are now described under different terms such as Industrial Internet of Things (IIoT), Industrie 4.0, Cyber-Manufacturing Systems, Factories of the Future and Monozukuri. Though the potential growth of IIoT is overwhelming, with evolutions in areas like data collection, situational and prognostic analysis, the critical aspect of security is still deficient [2]. The qualities of IIoT differ from Information Technology (IT) systems, as the impact is felt in the physical world: damage to human health and safety, disruption of industries and thereby of the economy of a country. Attacks on industrial infrastructure lead to immense loss, as witnessed in the intentional attack on the German steel mill, on Internet-facing control systems and on the Iranian nuclear plant, which also expose the typical myths related to instigating assaults in IIoT [1], as the NIST framework affirms [3].
Orthodox IP networks are vertically structured, proprietary and sluggish in terms of innovation. Therefore, it has become complicated and difficult to meet the demands of IIoT such as prioritization, network management and monitoring, bandwidth constraints and latency requirements. The remedy is to utilize SDN, which with its programmatic approach satisfies the prerequisites of IIoT and is shaping up as its backbone network. The basic functionalities of SDN are decoupling the data and control planes, moving the logic to the control plane, making flow-based decisions and establishing the switches as data forwarding planes. The most prominent features of SDN that could ease the transition to IIoT are scalability, virtual logical networks and the use of a widely accepted open programmable interface such as the OpenFlow (OF) protocol [4]. It offers a straightforward approach to realizing security concepts such as access control, authentication, availability and data integrity through applications in the management plane. Further, it adapts dynamically to variable operating conditions and renders better management by isolating the network based on security policies and detecting anomalous events for better attack detection and prevention. Besides, an IIoT framework established over SDN can be fine-tuned effortlessly to meet requirements for modification when in demand [5]; one such concept of detecting integrity attacks in IIoT driven by SDN is furnished in [6].
Firewalls, authentication and security certificates are utilized as the first line of defense. For sophisticated and elaborate attacks, a second line of defense such as an Intrusion Detection System (IDS) is essential. Based on the detection technique, IDSs in hierarchical Cyber Physical Systems (CPS) or IIoT are widely categorized as anomaly-based and knowledge-based. Anomaly-based IDSs employ machine-learning techniques, which are prone to significant false positives. Knowledge-based IDSs use established attack classes as references and hence cannot discover unknown and zero-day exploits. Further, a class of anomaly-based IDS recognized as specification-based IDS determines the normal routine operations through assigned rules, and any deviation from them is judged as malevolent action. In spite of posing fewer false positives, specification-based IDSs call for an exhaustive understanding of the functioning of the devices that make up the system. Considering that IIoT largely comprises legacy devices, assigning rules for these elements is burdensome. Alongside this, in real-world circumstances the behavior of components, though within the specification provided in datasheets, can still lead to integrity attacks [7]. The criterion here is to design an IDS that does not need to know the specifics of the devices involved and detects abnormal functionality with inconsequential false positives.
An invariant is a property of a system that does not change with the dynamic nature of the system. The precise and stable operation of all the devices in the IIoT environment can be represented by the design of logical invariants. Deviations from the developed invariants are termed abnormal, and the necessary actions are performed.
DPI, which involves extracting necessary header and payload information, is classified based on a) the port utilized by the application, b) the specific protocol followed, c) statistical analysis of the payload and d) pattern matching algorithms. Existing DPI tools like Snort and Bro apply pattern matching, seeking an exact match against a known database of intrusion signatures such as viruses, trojans and malware, and hence cannot detect unknown or zero-day attacks that target the payload [8]. Attacks on the payload, such as integrity attacks on sensors and actuators in IIoT, are the most decisive, as they are difficult to notice from the in-stream data of IIoT. They can bring down the whole system suddenly or degrade the performance of the devices without being noticed.
In view of the aforementioned details and to the best of our knowledge, defining invariants that discover anomalies in industrial operations with SDN as the network platform has not yet been exercised as a mode of intrusion detection in IIoT. Although the focus of this article is to formulate an IDS based on invariants for a water treatment process, the methodology can be applied to IIoT in general.
This work extends our earlier work [9] [accepted for publication in the Journal of Intelligent and Fuzzy Systems via the ISTA-2017 conference proceedings], which developed an IDS to detect integrity attacks on sensors and actuators. The accepted work detected attacks on one component from each process in a water treatment test bed, with data taken for a period of 8 hours. Whenever a transition occurs on the component under test or on devices in the next stages, the relative time taken between the transitions, the incremental or decremental range of values or the transition of the component under test is taken into account for devising the heuristics. These rules are validated during the testing period. In this proposed work, the developed IDS detects integrity attacks on every component (not just a single one) from all the processes of the water treatment testbed, utilizing invariants. For evaluation, the complete dataset consisting of 30 attacks and 6 days of normal and attack data is taken into consideration.
The stages involved in the proposed IDS are:
a) Training: extracting the data flow patterns.
b) Framing invariants: designing invariants from the data obtained during the training phase.
c) Testing: detecting anomalies and identifying the compromised component.
Throughout the training duration, the data flow pattern from all devices in an industrial process, comprising values from sensors and commands to actuators, is extracted by the software switch of the SDN. Invariants are constructed from the patterns, against which the input from the testing period is validated. Framing the invariants forms the nucleus of the devised IDS for detecting attacks concerning the payload and identifying the attacked component. Mininet [10], a Linux-based open source network emulator for SDN, is used in this research. A real-time multivariate dataset [11] comprising both normal and attack data affecting the payload, obtained from a water processing facility by iTrust, a research hub, is used in this effort.
Specific features of the projected IDS are:
a) The developer or user does not have to know the organization of the system or specifics about the elements in the network. From the input data stream, the developed algorithm residing in the OpenFlow switch will spontaneously find the configuration of the network taken up for analysis.
b) Invariants are devised for all the components or features of the system.
c) The compromised devices are identified.
The performance of the proposed IDS is assessed through a range of integrity attacks such as scaling, ramp and random.
The remainder of the paper is organized as follows: Section 2 provides a summary of the recent and significant literature comparable to this research effort. Section 3 details the problem that is addressed. Section 4 elaborates the projected work along with the invariants. Section 5 specifies the Mininet simulation setup on which the experiment is carried out, and empirical results are listed in Section 6. Finally, Section 7 sums up the future directions of this work.
Related work/literature overview
The most substantial, relevant and contemporary findings applicable to the nature of this effort are abstracted here. They cover developing IDSs through various techniques for industrial applications. Further, they summarize the contribution of SDN to IIoT and the applications of DPI and invariants in IIoT.
a) Specification methodology
Mitchell and Chen propose intrusion detection approaches from specification rules that rely on the behavior of the devices in Smart Grids [12], Unmanned Air Vehicles [13] and medical equipment [14]. A thorough knowledge of the operating conditions of the devices in the system is necessary for describing the behavior rules, which is not the case in this work. The crux of these works is translating the typical behavior rules to state machines and expressing the identified attack states in conjunctive normal form. A beta-distribution compliance degree is calculated for the devices, which establishes the deviation of the devices from the constructed state machines. In both [12, 14], three devices are used, and on the foundation of the rules defined, a trustee device monitors the functioning of the other devices for any abnormal behavior against those rules. In [12], devices are selected based on the area they cover, such as home, neighborhood and wide area. The parameters observed are packets that are sourced, received and dropped from the SG network. In [14], deviations from the compliance degree are found through distance measurement techniques to detect abnormal behavior.
b) Statistical methodology
Y. Yang and co-authors [15] create whitelists containing reference patterns for attributes like access control, the communication protocol adopted in SCADA and the behavior of components such as relays in a smart-grid testbed. Variations from the whitelists are noted as malicious, and both internal and external attacks are discovered. However, attacks on the payload are not considered. Kang in [16] reports attacks concerning random access and source address spoofing that are related to the network protocol, and unpredictable Modbus/TCP commands. The whitelists are generated during the analysis stage. Various filters, like controlling access based on a header tuple and commands that are specific to Modbus/TCP, are applied to a stream of data from a traffic generator to find deviations from the whitelists. Notwithstanding the affirmation that the entire inbound data is processed, no metrics regarding the performance of the work in detecting attacks are discussed. Also, only simulated data is applied.
A chemical reactor plant consisting of actuators, a valve and a pump, is evaluated by W. Li. The commands to these devices follow a chronological pattern. The correct flow is represented as states, and deviations from that flow are termed malicious. Nevertheless, just a pair of actuators is operated, and as revealed in the work, integrity attacks on data from the sensors are not considered [17].
c) Anomaly methodology
Ntalampiras [18, 19] applies an experimental dataset in an SG environment rather than the actual dataset employed in this work. In [18], two heterogeneous models of temporal and functional repetitions are utilized. Repetitions in time are modeled through measurements of the data from a particular sensor over a period. Repetitions in function are modeled by a specific variable obtained from several homogeneous nodes, or a variable from heterogeneous nodes that is correlated to the specific variable. It is shown that nonlinear fusion of the time and functional models provides a satisfactory result compared to the individual models. In [19], detection, isolation and identification of integrity attacks are carried out. It follows feature extraction, anomaly detection and pattern recognition. Random Forests (RF), HMM and Reservoir (RN) are employed for pattern recognition, and a confusion matrix based on these schemes is utilized for identifying a range of attack scenarios. Almalawi et al. [20], through unsupervised learning, isolate the typical and critical states or outliers of a multivariate process into micro-clusters based on a criticality score threshold. The criticality score is calculated using local, global and k-nearest neighborhood procedures. Proximity-based detection rules are extracted and trained iteratively to determine the critical states as attacks. However, the computational time for training is high, in the order of O(n^2).
C. Zhou et al. [21] developed two multi-model IDSs to detect anomalies in industrial automation. In the first model, the industrial components in communication, software and control engineering are created through a thorough understanding of the associated processes. Then, the field layer in the process automation is modeled to detect anomalies in the control systems in both the time and space domains. To improve the detection rate, a Hidden Markov Model (HMM) is employed. The developed IDS is evaluated on the Tennessee Eastman Process (TEP) model and not on a testbed or real-time dataset. Adepu and Mathur in [22] investigate the effects of single-point cyber-attacks on elements in the SWaT (Secure Water Treatment) testbed with models for the attack and the attacker. The behavior of the system in response to the assaults emphasizes that the timing of the attacks is a significant factor in bringing down the entire testbed. It concludes that it is imperative to design a mechanism to counter both single- and multi-point attacks in the SWaT system, which is the focus of this paper.
Shitharth and Winston [23] simulated a dataset by designing a network with 100 nodes using the Network Simulator-2 tool. The attributes of the dataset are rearranged and clustered, and feature extraction is done through an optimization method, after which a variant of Neural Network (HNN) is employed in discovering DoS and spoofing attacks. Testing is carried out on simulated data only. Miciolino et al. [24] trained two modules, namely Fault Diagnosis (FD) and Network Anomaly Detector (NAD), where FD is the variance between the error signal and an experimented threshold on a linear time-invariant (LTI) water treatment model. For NAD, the mean and standard deviation (SD) are calculated from ten iterations of normal operation data from a FACIES testbed during the training period, which notably increases the time and effort for training. During the actual run, an alert is raised if the difference between the current value and the mean is greater than the SD.
d) Invariants and DPI
Adepu and Mathur in [25] exploit process invariants for the testbed taken up in this work. However, only one of the six processes is taken into account, deviations in sensor values are calculated through the mean and standard deviation over several runs, and the logical invariants are programmed into the PLC, which requires the additional task of dealing with power failure situations. Besides, quantitative results are not presented. Further, the design-centric and associated rule mining techniques for defining the invariants of the process [26] do not detect the attacks generated through the test bed.
Cho [27] applies the string-matching algorithm inherent in Snort with a set of libraries for processing incoming packets quickly. When a predefined string is found, the match is recorded in a log server as a flow rule. A monitoring application periodically queries the log server, and when a new policy is recognized, the flow entry is updated to allow that particular string pattern thereafter. Vlatudu [28] exercises tracking techniques in conventional networks that rely on the payload for traffic classification, which is fulfilled by using statistical properties of the payload and header. Edmonds [29] employs n-gram byte frequency along with a genetic algorithm for spotting unusual traffic, and Trabelsi [30] implements DPI as a means of IDS for the IT network by using splay filters and statistics of the network traffic.
e) SDN in IIoT
Liu [31] discusses the issues presently confronted by urban areas in the acquisition, transmission and processing of sensor data. It illustrates how an SDN-based IoT architecture with its built-in features provides the much-needed solution to such issues. Sensor data are collected, transmitted and processed through various IoT architectures: a traditional network, dynamic sensor configuration and an SDN network. Quantitative analysis under different scenarios indicates that the maximum link load is significantly less in the SDN-based IoT network compared to traditional networks and dynamic sensor networks. Ahmed in [32] and Jararweh et al. in [33] propose frameworks for SDN-based networks. In the first, the industry protocol PROFINET communicates with the SDN controller through OF switches in a CPS environment, while storage and security features with a generic workflow description of an IoT middleware layer are portrayed in the latter. Yoon et al. [34] carried out two intrusion detection methods, active and passive, in SDN. Active detection is achieved through a firewall as an IDPS (Intrusion Detection and Prevention System). Passive detection is done through an IDS via the knowledge and anomaly methods. Both methods are simulated and implemented in the application layer of the SDN switches. Also, a stateful firewall for file transfer protocol applications and redirecting malevolent packets to a honeypot are tested. However, only the framework and qualitative results are presented, with no details of test data or any quantitative results.
Antonioli and Tippenhauer [35] develop MiniCPS, a simulation tool for elements in CPS such as PLCs, HMIs and switches, which utilizes a physical layer API with Mininet. It presents the idea of physical-layer interaction through APIs and presents two common attack scenarios with a theoretical solution to them. Sood, Yu and Xiang [36] explicate the growth of SDN, its superiority, the opportunities it renders, the research works, protocols, testbeds and simulation tools. It explores SDN in wireless and hybrid architectures, testing OF-enabled IoT products, and the challenges of IoT that SDN can resolve. It mentions security as the most critical research challenge, followed by scalability, DPI not being supported by OF protocols and packet drops at access points.
Security features and the potential attacks on SDN are exhaustively analyzed in [37]. The vulnerabilities in SDN are unauthorized access, data leakage, modification of data, compromising applications, DoS and configuration issues. Diverse research works are already in progress to provide solutions to all of these vulnerabilities except data modification and data leakage. Implementing security in SDN is maturing, but work still has to be done on this part. A solution to the as yet unattended data modification issue is adopted in this research.
Problem definition
The problem to be resolved is presented in the context of Fig. 1. The specific problem addressed in this research is the damage to infrastructure, interruption of service and loss of revenue caused by the evil intent of attackers, disgruntled employees or the response to unexpected situations. These are encountered if the integrity of the data is compromised, and the focus of this work is to provide the system with the ability to counter this decisive attack. Detection is achieved by finding abnormal activities that pose threats to the system, no matter whether the malevolence is known or unknown. The premise here is that the assailant has had complete access to the infrastructure for a long time and is capable of hijacking or altering the data, eventually performing a man-in-the-middle attack. Some of the scenarios in which the integrity of the data is compromised are:
a) A motor that should ideally be closed (1) can be made to open (2) by the attacker sending the valve tag to the PLC while posing as a genuine HMI. This causes the water level to be higher than the typical level and still go unnoticed.
b) An attacker could make the reading from the sensor show the maximum value while in reality it is low, thereby stopping the water inflow.
c) The chemical dosing of the RO water could be modified, rendering it useless without affecting any components or process.
Fig. 1. Reverse Osmosis water treatment plant in a typical IIoT architecture.
The emphasis here is to provide an apt solution for detecting anomalies with ideal detection rate and insignificant false positives and to determine the attacked component.
This research work adopts the Reverse Osmosis (RO) water treatment facility at iTrust. It is a 6-stage process that purifies raw water. The single RO process combines all the processes of the individual stages. The elaborate process is depicted in [11]. The first stage commences with the storage of the raw water in a tank. The second stage performs the chemical dosing followed by chlorination, after which the water passes through Ultrafiltration (UF), which forms the third stage. The water is then pushed from UF to the RO water tank at the fourth stage, where chlorine is removed from the water by passing it under UV rays. The water void of chlorine passes through a 2-stage RO purification unit in the fifth stage. A permeate tank holds the filtered water, and a UF Backwash (BW) tank collects the rejected water. The BW tank water is pumped again to the UF unit. Ultrasonic sensors for the tanks' water levels and other sensors for measuring parameters such as pH, pressure and chemical dosing are used.
The IIoT architecture (refer to Fig. 1) can be used to concisely model the entire RO plant, in which one PLC is used for each stage and all 6 PLCs are linked to a switch. The most important entity in water treatment is the flow of water, which follows a sequential pattern. Logically classified distinct levels constitute a hierarchical IIoT model in which Level 1 comprises sensors, actuators and their respective physical links to the corresponding PLCs. The input-output interface for the sensors and actuators is either wired or wireless, providing communication compatibility with the PLCs. Capturing physical devices is the primary focus of attacks at this level, which is highly unlikely in IIoT and hence not taken into account any further in this work. The attacks encountered at Layers 2–5 are on the integrity of data, including deception, black hole and modification, which form the primary focus of this research.
Conventional switches are used for operating the legacy devices of the SCADA network. SDN is in a position to supersede conventional networking owing to its eminent characteristics. With this in view, the experiment is carried out using an SDN backbone network.
Figure 2 illustrates the operational blocks of this work.
Fig. 2. Functional blocks of the testing and training phases.
Conventionally, the design of an application is based on the data flow of a finite industrial procedure with many sub-processes. Engineers and system architects have a thorough knowledge of the data flow, which can be linear or non-linear, static or dynamic, sequential or unordered. As stated earlier, the processes and sub-processes involved in the water treatment plant are represented as a deterministic, sequential, non-linear and dynamic model in this research work. Here, driving an actuator in either the same process or some other process is determined by one or more sensor values and by the mode in which the process is designed.
The work is categorized into training phase, framing invariants and testing phase.
During the training period, the sensors and actuators in the IIoT setting are discovered by analyzing the data flow in all the SDN switches. In general, any data flow contains a source address, a destination address, sensor and actuator data and optional timestamp values. Hence, it is easy to identify both linear and nonlinear data flow from one stage to the subsequent stage or any other stage. Furthermore, all the information obtained at a level is logged and ordered, from which the relevant details are extracted. Sensed data that resulted in triggering an event is observed in synchronization with the timestamp. The procedure of extracting the payload from critical sensors and actuators proceeds in an unsupervised fashion until a definite timeout interval is reached or the bounded industrial process finishes the required number of cycles.
Water tank treatment process
Graphics of all the processes (Process 1 to 6) associated with the water treatment establishment taken for training are depicted in Figs. 3–8. This provides an easy way of understanding the entire process. Data from sensors and commands to actuators are collected once per second and logged into the historian. Table 1 provides the conventions used for identifying the components.
Fig. 3. Process 1 – Raw water storage.
Fig. 4. Process 2 – Chemical dosing.
Fig. 5. Process 3 – Ultrafiltration.
Fig. 6. Process 4 – Dechlorination.
Fig. 7. Process 5 – RO filtration unit.
Fig. 8. Process 6 – RO water flow.
Table 1. Notations of components in the water treatment plant.
For devising the invariants, the factors considered are the graphical representation of the processes and all the potential system parameters from the normal dataset. The graphics and the normal dataset are checked for consistency to avoid redundancy and incorrectness when classifying normal and attack data. Table 2 gives the invariants for all the processes in the water treatment plant. The transition of a motor or flow rate sensor from closed to open and vice versa takes around ten seconds, so for transitions involving a motor or flow sensor, a window of 15 seconds is provided. The thresholds for no change in data, the rate of change, the difference between the current and previous value and out-of-bound values differ for the various sensors and are characterized by the associated operations.
Centralized monitoring
The invariant algorithm is integrated into the software-based SDN switch. The monitoring algorithm is performed in a centralized manner, and local monitoring is not considered in this article. The factors that led to this decision are:
a) It is not possible to accommodate the developed algorithm in the PLC without changing its firmware.
b) The algorithm could be implemented on a system connected to the PLC, but this adds to the cost and communication overhead from the PLC to that system and alters the established architecture.
Considering these constraints, transmitting the local data of the PLC to the switch through a medium, which in most cases is wired Ethernet with a transfer rate of gigabits per second, is manageable. Also, as witnessed from the results, an anomaly, if any, is detected with a latency too small to induce any harm to the system, which emphasizes the benefits of implementing a centralized monitoring scheme.
Testing phase
The devised invariants are integrated into the SDN switches offline. Subsequently, the invariant rules are validated with the in-stream data from the normal and attack dataset, and classification of the data is carried out. The tag of the affected device is also noted.
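As an added example (not the paper's or the testbed's own code), the following Python sketch carries the three stages above, training, framing invariants and testing, over a constructed one-sample-per-second trace, using the no-change, rate-of-change, out-of-bound and 15-second transition-window checks that the invariants section describes. The tag names MV101/FIT101/LIT101, the toy plant model and the 5% tolerance are assumptions, not values from the paper's Tables 1 and 2.

```python
"""Invariant-based integrity-attack detection on a constructed water-treatment trace.

Added example, not the paper's code. train() frames invariants from a normal trace
(bounds, rate of change, longest unchanged run, and the sensor value expected
TRANSITION_WINDOW seconds after an actuator transition); detect() replays a trace
and names the first violated invariant and the tag. Tag names are assumed
SWaT-style names; BOUND_MARGIN and the plant model are assumptions.
"""
TRANSITION_WINDOW = 15   # paper: motor/flow transitions take ~10 s, so a 15 s window
BOUND_MARGIN = 0.05      # assumed 5 % tolerance around learned bounds and rates
ACTUATORS = {"MV101"}    # binary tags (1 = open, 0 = closed); every other tag is a sensor


def make_normal_trace(seconds=120):
    """Constructed normal run sampled once per second: valve opens at t=20, closes at
    t=80; flow follows the valve with a 10 s ramp; level = inflow minus a draw-off."""
    rows, level, flow = [], 500.0, 0.0
    for t in range(seconds):
        mv = 1 if 20 <= t < 80 else 0
        target = 2.5 if mv else 0.0
        flow = min(flow + 0.25, target) if flow < target else max(flow - 0.25, target)
        level += flow - 0.1
        rows.append({"t": t, "MV101": mv, "FIT101": round(flow, 3),
                     "LIT101": round(level, 3)})
    return rows


def inject(rows, tag, kind, start, factor=1.0):
    """Constructed integrity attack on the *reported* value of one tag from `start`:
    'scaling' multiplies by factor, 'ramp' adds factor*(t-start), 'freeze' repeats the
    value reported at start-1 (a spoofed sensor). Physics unchanged; no 'random' class."""
    out = [dict(r) for r in rows]
    frozen = out[start - 1][tag]
    for r in out[start:]:
        if kind == "scaling":
            r[tag] = round(r[tag] * factor, 3)
        elif kind == "ramp":
            r[tag] = round(r[tag] + factor * (r["t"] - start), 3)
        elif kind == "freeze":
            r[tag] = frozen
    return out


def train(rows):
    """Framing invariants from a normal trace, with no prior knowledge of the plant."""
    sensors = [k for k in rows[0] if k != "t" and k not in ACTUATORS]
    inv = {"sensors": {}, "responses": {}}
    for tag in sensors:
        vals = [r[tag] for r in rows]
        run = longest = 1
        for a, b in zip(vals, vals[1:]):
            run = run + 1 if a == b else 1
            longest = max(longest, run)
        inv["sensors"][tag] = {
            "lo": min(vals), "hi": max(vals), "max_run": longest,
            "max_delta": max(abs(b - a) for a, b in zip(vals, vals[1:]))}
    by_t = {r["t"]: r for r in rows}
    for act in ACTUATORS:
        for prev, cur in zip(rows, rows[1:]):
            deadline = cur["t"] + TRANSITION_WINDOW
            if prev[act] == cur[act] or deadline not in by_t:
                continue
            # sensor values observed TRANSITION_WINDOW s after each actuator transition
            for tag in sensors:
                inv["responses"].setdefault((act, cur[act], tag), []).append(by_t[deadline][tag])
    inv["responses"] = {k: (min(v), max(v)) for k, v in inv["responses"].items()}
    return inv


def detect(rows, inv):
    """Testing phase: return (t, tag, invariant) for the first violation, else None.
    Check order per sample: out-of-bound, rate of change, no change, transition response."""
    m = BOUND_MARGIN
    runs = {tag: 1 for tag in inv["sensors"]}
    pending = []                       # (deadline, actuator, new_state)
    for i, row in enumerate(rows):
        prev = rows[i - 1] if i else None
        for tag, s in inv["sensors"].items():
            v, span = row[tag], s["hi"] - s["lo"]
            if not (s["lo"] - m * span <= v <= s["hi"] + m * span):
                return row["t"], tag, "out_of_bound"
            if prev is not None:
                if abs(v - prev[tag]) > s["max_delta"] * (1 + m):
                    return row["t"], tag, "rate_of_change"
                runs[tag] = runs[tag] + 1 if v == prev[tag] else 1
                if runs[tag] > s["max_run"]:
                    return row["t"], tag, "no_change"
        for act in ACTUATORS:
            if prev is not None and prev[act] != row[act]:
                pending.append((row["t"] + TRANSITION_WINDOW, act, row[act]))
        for deadline, act, state in [p for p in pending if p[0] == row["t"]]:
            for tag in inv["sensors"]:
                lo, hi = inv["responses"].get((act, state, tag), (None, None))
                if lo is None:
                    continue
                tol = max(hi - lo, abs(hi) * m)
                if not (lo - tol <= row[tag] <= hi + tol):
                    return row["t"], tag, "transition_response"
    return None


if __name__ == "__main__":
    normal = make_normal_trace()
    inv = train(normal)
    print("normal trace:", detect(normal, inv))
    for tag, kind, start, f in [("FIT101", "scaling", 40, 2.0), ("LIT101", "ramp", 40, 0.5),
                                ("FIT101", "freeze", 15, 0.0)]:
        hit = detect(inject(normal, tag, kind, start, f), inv)
        print(f"{kind} on {tag} from t={start}: {hit}, latency {hit[0] - start} s")
```

The frozen flow sensor is caught only when the valve-to-flow transition window expires, which is why the paper's 15-second window matters more for detection latency than the per-sample bound checks.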
Table 2. Invariants for the processes in the water treatment plant.
Mininet, an open source tool based on the Linux platform, is used to emulate the SDN network comprising switches, hosts and links. It provides support for testing and verifying OpenFlow protocol-based switches. The simulation uses Open vSwitch, with the Modbus/TCP protocol on the links between switches and hosts. A PLC's functionality is mimicked by the hosts. The simulation setup is shown in Fig. 9, in which solid lines represent links and communication between switch and controller is represented by dotted lines. Hosts h1 to h6 correspond to the PLCs on which the processes are imitated, each of which is assigned an IPv4 or IPv6 address.
Fig. 9. Star topology.
Operations that concern getting sensor values or driving actuators connected to the devices of the same host are exercised in the host itself. When a value is received from a sensor/actuator linked to a different host, vSwitch forwards the value to the communicating host. The hosts and the switches are addressed by unique IPv4 addresses. The switches are used to exchange data across hosts. The formulated algorithm is confined to the switches and hosts and executed in star and hierarchical topologies. The star topology is shown in Fig. 9.
For a system in the IIoT scenario, typically half a dozen PLCs are connected through a single conventional switch. Star and hierarchical topologies are used for evaluating the scalability and reusability of the aforementioned IIoT architecture. In the case of the star topology, all the PLCs (h1 to h6) connected to a single switch are modeled as hosts. On the contrary, the hierarchical topology makes use of 3 switches, of which hosts h1 to h3 are connected to switch s2 and hosts h4 to h6 are connected to switch s3. On the next level, s2 and s3 communicate via switch s1.
The test facility is similar to the setup depicted in Fig. 1, the only difference being the replacement of the traditional switch with an SDN switch because of the rewards it yields. A pragmatic approach is used to examine the algorithm in order to account for the demand for scalability in the future, for which a hierarchical topology is employed in the experimental evaluation. The packet capture rates for the two topologies, tree and hierarchical, are found to be almost similar. The tree topology switch captured 8910 packets whereas the hierarchical topology captured 8890. In a complicated system, it is expected that the capture pace of the hierarchical model will be slower than that of the tree structure.
Attack definition
Attack classification
The types of integrity attacks launched in the water treatment plant are:
a) Scaling: the normal values are scaled by a scaling factor.
b) Ramp: a ramp function gradually increases or decreases the typical value of a sensor.
c) Random: random changes in the data of sensors and the commands to actuators.
The attack scenarios from the dataset are categorized in Table 3, and Table 4 lists the number of attacks of each class taken up for validation.
Table 5. Validation of all components in the system.
Data from about six days, comprising both normal and attack data, is taken for validation. Table 5 details the validation results, Table 6 tabulates the distribution of attacks and Table 7 gives the worst-case detection latencies for all the components in the system.
Table 6. Distribution of attacks.
Table 7. Detection latency of the components.
True Positive Rate (TPR) = TP/(TP+FN) = 96.5%
False Positive Rate (FPR) = FP/(FP+TN) = 6.5%
False Negative Rate (FNR) = FN/(FN+TP) = 3.4%
Conclusion
In this article, a data-driven approach employing invariants for anomaly detection is developed and applied to detecting and identifying integrity attacks in the water treatment testbed. The factors required for the invariants are the graphic representation of the processes involved and all the possible parameters of the water purification system. The invariants are formulated by verifying the consistency of the graphs and the normal data from the dataset. During the testing period, the formulated invariants are exercised over both the normal and attack data to detect anomalies. Though this work is carried out without expert assistance, guidance from an expert is required when dealing with a large-scale architecture. This is necessary to fine-tune the invariants and interpret the logical relationships among the devices in the processes. The results obtained are noteworthy considering the minimal effort and time needed to devise the invariants.
There is always scope for improvement, and in that regard this work can be enhanced in areas like a) automating the process of constructing the rules in a general form, which will greatly reduce human effort, b) exploring means to incorporate the IDS in PLCs with minor changes in firmware, thus enabling multi-level protection, c) developing a mathematical model to estimate the quantitative behavior of the system and d) extending the work to other applications of industrial automation such as smart grids, oil refining and chemical manufacturing.
Acknowledgments
The authors would like to acknowledge SASTRA University for their immense support and iTrust, Centre for Research in Cyber Security, Singapore University of Technology and Design, for providing us the dataset.