Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 22 (2013) 727 – 736
17th International Conference in Knowledge Based and Intelligent Information and Engineering Systems KES2013
Detection of Cyber-Attacks with Zone Dividing and PCA
T. Morita, S. Yogo, M. Koike, T. Hamaguchi, S. Jung, I. Koshijima, Y. Hashimoto
Nagoya Institute of Technology, Gokiso-cho, Showa-ku, Nagoya, 466-8555, Japan
Abstract
Recently, cyber-attacks have become serious threats even for control systems. For process control, not only security but also safety must be assured. For safety assurance, the effects of cyber-attacks such as concealed remote operation and maneuvering must be evaluated. We previously proposed a securing method that divides field networks into plural zones. Even when a zone is intruded and the attack is concealed there, its effects appear in the other zones. In this paper, an automatic cyber-attack detection system using PCA (Principal Component Analysis) is proposed. There are many kinds of relationships among the variables of the plural zones, and cyber-attacks change some of them. PCA is effective for detecting those changes.
© 2013 The Authors. Published by Elsevier B.V. Open access under CC BY-NC-ND license. Selection and peer-review under responsibility of KES International.
Keywords: Cyber-security; Concealment; Detection; Zone; PCA
1. Introduction
Recently, cyber-attacks have become serious threats even for control systems. In 2010 an epoch-making malware, Stuxnet, was discovered. It was a virus targeting the centrifuge controllers of an Iranian nuclear fuel facility. Since its discovery, derivatives have been developed. Although Stuxnet had a specific target, indiscriminate attacks can be committed with them. When control systems are intruded, not only their dysfunction but also serious accidents such as explosions or spills of dangerous substances might occur. Industrial control systems (ICS) require highly reliable security and safety services with urgent priority.
In information networks, security measures are taken frequently: the databases of anti-virus software are updated every day, and security patches are distributed by product developers almost every day. In control networks, however, anti-virus software is often not utilized and security patches are not applied, because they increase the computation load and change link libraries, which might make controllers stop or fall into ill conditions. Control networks are therefore far more vulnerable than information networks. Even in information networks, successful cyber-attacks are reported frequently; the relationship between cyber-attacks and security measures is a cat-and-mouse game. In order to assure the safety of ICS against cyber-attacks, the relationships between safety and cyber-security must be considered, and the characteristics of the plant must be taken advantage of to develop security measures.
1877-0509 © 2013 The Authors. Published by Elsevier B.V. Open access under CC BY-NC-ND license. Selection and peer-review under responsibility of KES International doi:10.1016/j.procs.2013.09.154
T. Morita et al. / Procedia Computer Science 22 (2013) 727 – 736
Accidents can be analyzed from the viewpoints of material, equipment and procedures. The seriousness of the effects of cyber-attacks such as remote operation and concealment can be evaluated via safety assessment, and zone division is designed to decrease it [1-4]. Many kinds of relationships must be observed to detect concealed cyber-attacks; it is impossible for operators to watch every possibility. In this study we propose an automatic detection system using principal component analysis (PCA). The variables monitored by PCA are selected considering the zones. In order to illustrate the scheme, a simple plant is utilized; it is explained in the next section.

2. Sample System for Discussion
Figure 1 shows a simple plant in which hot water is circulated between two tanks. It can be regarded as an example of an integrated plant. For each tank, a SCADA (Supervisory Control And Data Acquisition) system and operators are assigned. If some trouble occurs in one of the tanks, the effects appear in the other tank. LM1 and LM2 are level sensors, TM1 and TM2 are thermometers, PM is a pressure sensor and FM is a flow meter. Valves 1 and 2 are automatic valves, valve 3 is a manual valve and valve 4 serves as a safety valve. H is the heater. There are three controllers: FC, LC1 and TC1. Figure 2 shows pictures of the experimental plant.
Fig. 1. Example system. Legend: electric control valve, field instrument, ball valve, pipe, safety valve, flange, transmitter. Elements: Tank1 with LM1, TM1, PM, LG1, heater H and socket; Tank2 with LM2, TM2, LG2; controllers LC1, TC1 and FC (with FM); Valve1, Valve2, Valve3, Valve4; flows F1 to F5; pump W. Zone 1: LM1, TM1, PM, Valve2, Heater. Zone 2: LM2, TM2, FM, Valve1, Pump.
3. Network Configuration of the Experimental Plant
The control networks are divided into two zones. Each zone has an OPC (OLE for Process Control) server and a SCADA. The SCADAs correspond to the areas observed by the operators, and it is normal that the zones also correspond to those areas. However, the control network zones are nested: the information contained in the other zone is necessary for each SCADA, so another OPC server is utilized in the upper network, as shown in Figure 3. All data of each zone are collected by its OPC server and sent to the OPC server in the upper network, from which any data can be copied. If the other zone is intruded, the copied data might be inaccurate. Such an inconsistency might be detected by observing the plural zones, and its detection must be carried out not by operators but by computers. A detection system should be assigned to every zone. When an abnormality is detected in a zone that survived the cyber-attack, the alarm corresponding to the inconsistency is sent to the operators. PCA is applicable to detect the abnormality; by combining zone division and PCA, the inconsistency caused by cyber-attacks might be detected. The procedure is explained in Section 6.
Fig. 2. Pictures of the equipment

Fig. 3. Zone configuration of control network. Upper network: Internet; information system area (WEB server & SQL server, Windows 2003 SP2); GateWay1; OPC Data Server; Hub1. Each OPC server sends its variable information to the upper OPC server. Zone 1 (via GateWay2 and Hub2): cyber-attack detection system, OPC1, controller, SCADA1, monitoring and control, field instruments. Zone 2 (via GateWay3 and Hub3): cyber-attack detection system, OPC2, controller, SCADA2.
4. Safety Analysis Considering Cyber-Attacks
Cyber-security problems used to be information leakage or falsification. For ICS, however, accidents caused by remote operation and concealment are the serious problems, and safety assurance is the most important. Therefore, how safety is collapsed by cyber-attacks must be analyzed. Because new kinds of cyber-attacks will be developed, safety measures cannot be discussed based on attack procedures; safety can, however, be analyzed based on the plant and its networks.
Figure 4 shows the fault tree whose top event is "Fire or breakage of tank1 heater". To improve safety, the conditions of the AND gates are important: if the prevention of one of the conditions succeeds, the accident can be avoided. To achieve fire or breakage of the heater, heating must continue until the temperature rises to the dangerous point. To prevent detection of the overheat before fire or breakage, concealment is necessary for the cyber-attackers. To achieve the overheat, keeping the heater on and making the tank empty are both necessary. If the temperature controller and the level controller of tank1 are divided into different zones, concealment and remote operation of both controllers become difficult. Zone division can thus be designed based on FTA, and its effectiveness can be evaluated using FTA. Plants usually have many control loops and sensors, so there might be a huge number of zone division variations; a computer-aided design system is therefore necessary for control network zone division.

Fig. 4. Fault tree considering cyber-attacks. Top event: Fire or breakage of tank1 heater. Intermediate events: Create situation to lead to the top event; Secure time until the top event occurs; Tank1 temperature High; Tank1 level Low; Don't remind operator that Tank1&2 temperature is abnormal; Don't remind operator that Tank1&2 level is abnormal. Leaf events: Heater controller Auto→Manual; Release the heater power High interlock; Lower Tank1 level setpoint; Fail the Tank1 level control; Tank1 level controller Auto→Manual; Close the inflow valve of Tank1; Conceal Tank1 temperature as if it is normal; Prevent T1i High alarm; Conceal Tank2 temperature as if it is normal; Conceal Tank1 level as if it is normal; Conceal Tank1 level setpoint as if it is normal; Prevent Tank1 level Low alarm; Conceal Tank2 level as if it is normal; Prevent L2i High alarm.
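To make the AND-gate argument above concrete, the following added example (not code from the paper) encodes the Fig. 4 tree as nested AND/OR gates, enumerates its minimal cut sets, and reduces each cut set to the set of zones an attacker would have to intrude under three candidate divisions. The gate types, the mapping of each leaf event to an instrument, and the three divisions (everything in one zone; the per-tank split of Fig. 1; the temperature loop and the level loop of tank 1 in separate zones, as Section 4 suggests) are assumptions made for illustration.

```python
"""Minimal cut sets of the Fig. 4 fault tree, reduced to the zones an attacker
must intrude.  Added example, not code from Morita et al.: gate types are
assumed from the text (AND for "create situation" and "secure time", OR among
alternative manoeuvres), event names follow the Fig. 4 labels, and the
event-to-instrument map and the zone divisions are assumptions."""

# Fault tree as nested tuples: ("AND", ...), ("OR", ...) or a basic event name.
TREE = ("AND",
        ("AND",                                       # create situation to lead to the top event
         ("OR", "heater_controller_auto_to_manual",   # Tank1 temperature High
               "release_heater_power_high_interlock"),
         ("OR", "lower_tank1_level_setpoint",         # Tank1 level Low
               ("AND", "level_controller_auto_to_manual", "close_tank1_inflow_valve"))),
        ("AND",                                       # secure time until the top event occurs
         ("AND", ("OR", "conceal_tank1_temperature", "prevent_T1i_high_alarm"),
                 "conceal_tank2_temperature"),
         ("AND", ("OR", "conceal_tank1_level", "conceal_tank1_level_setpoint",
                       "prevent_tank1_level_low_alarm"),
                 ("OR", "conceal_tank2_level", "prevent_L2i_high_alarm"))))

# Instrument whose zone the attacker needs for each basic event (assumed).
INSTRUMENT = {
    "heater_controller_auto_to_manual": "TC1", "release_heater_power_high_interlock": "TC1",
    "lower_tank1_level_setpoint": "LC1", "level_controller_auto_to_manual": "LC1",
    "close_tank1_inflow_valve": "Valve2",
    "conceal_tank1_temperature": "TM1", "prevent_T1i_high_alarm": "TM1",
    "conceal_tank2_temperature": "TM2",
    "conceal_tank1_level": "LM1", "conceal_tank1_level_setpoint": "LM1",
    "prevent_tank1_level_low_alarm": "LM1",
    "conceal_tank2_level": "LM2", "prevent_L2i_high_alarm": "LM2",
}

# Three candidate zone divisions (instrument -> zone), all assumed.
ONE_ZONE = {i: "zone" for i in INSTRUMENT.values()}
FIG1 = {"TC1": "zone1", "LC1": "zone1", "Valve2": "zone1", "TM1": "zone1", "LM1": "zone1",
        "TM2": "zone2", "LM2": "zone2"}                             # split by tank, as in Fig. 1
SPLIT_LOOPS = {"TC1": "zoneT", "TM1": "zoneT",                     # temperature loop alone
               "LC1": "zoneL", "Valve2": "zoneL", "LM1": "zoneL",  # level loop alone
               "TM2": "zone2", "LM2": "zone2"}


def minimise(sets):
    """Drop every set that has a proper subset in the collection."""
    sets = set(sets)
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))


def cut_sets(node):
    """Minimal cut sets (frozensets of basic events) of a fault tree node."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                       # any one child's cut set suffices
        combined = [s for cs in child_sets for s in cs]
    else:                                  # AND: one cut set from every child
        combined = [frozenset()]
        for cs in child_sets:
            combined = [a | b for a in combined for b in cs]
    return minimise(combined)


def zone_cut_sets(tree, zone_of_instrument):
    """Cut sets expressed as the set of zones that must be intruded."""
    return minimise(frozenset(zone_of_instrument[INSTRUMENT[e]] for e in cs)
                    for cs in cut_sets(tree))


def min_zones_to_intrude(tree, zone_of_instrument):
    """Smallest number of zones whose intrusion enables the top event."""
    return min(len(z) for z in zone_cut_sets(tree, zone_of_instrument))


if __name__ == "__main__":
    print(len(cut_sets(TREE)), "minimal cut sets")
    for name, division in ("one zone", ONE_ZONE), ("Fig. 1", FIG1), ("split loops", SPLIT_LOOPS):
        print(name, "->", min_zones_to_intrude(TREE, division), "zone(s):",
              [sorted(z) for z in zone_cut_sets(TREE, division)])
```

Run as a script, it prints 48 minimal cut sets and the minimum number of zones to intrude for the three divisions: 1, 2 and 3. That last number is what a zone-division design tool would maximise, and it is exactly the AND-gate observation in the text: placing TC1 and LC1 in different zones forces the attacker to compromise more zones before the accident path becomes available at all.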
5. Zone Design Using Cause-Effect Matrices
If the temperature sensors of both tanks in Figure 1 are included in the same zone and that zone is intruded, remote control and concealment of the temperature controllers cannot be detected. The zone division should be designed to make concealment difficult. A zone division design procedure using cause-effect (CE) matrices was proposed in [3]. The relationships between the variables of the plant and the controllers are expressed with Boolean matrices.
Figure 5 shows the CE matrix of the plant, Matrix P. A difference between a process variable and its observed variable is generated by sensor trouble or by concealment. The local manipulated variables, V3 and V4, are actuators that cannot be operated by cyber-attackers. The binary manipulated variable, W, is a switch that can be changed via the network. The automatic manipulated variables, V1, V2 and H, are remotely operable. A one (1) in Figure 5 indicates a relationship such that, for example, the control valve V1 can affect the flow rate F1, and F1 can affect L2 (the level of tank2), T2 (the temperature of the water in tank2) and P (the pressure).
Fig. 5. Matrix P (26x26). Rows and columns are ordered as: process variables L1, F1, F2, F3, F4, F5, T1, L2, T2, P; manipulated variables V3, V4 (local), W (manual), V1, V2, H (auto); observed variables L1i, L2i, F1i, T1i, T2i, V1i, V2i, Pi, Hi, Wi.
The relationships between PVs and MVs in the controllers are indicated in Matrix C, shown in Figure 6. Matrix C is a square matrix as large as Matrix P, and all of its diagonal elements are 1. Figure 6 shows the part of Matrix C that indicates the control loop configuration, e.g. the loop in which F1 is the PV and V1 is the MV.

                          V3  V4  W   V1  V2  H
  Manipulated variables
    V3 (local)            1   0   0   0   0   0
    V4 (local)            0   1   0   0   0   0
    W  (manual)           0   0   1   0   0   0
    V1 (auto)             0   0   0   1   0   0
    V2 (auto)             0   0   0   0   1   0
    H  (auto)             0   0   0   0   0   1
  Observed variables
    L1i                   0   0   0   0   1   0
    L2i                   0   0   0   0   0   0
    F1i                   0   0   0   1   0   0
    T1i                   0   0   0   0   0   1
    T2i                   0   0   0   0   0   0
    V1i                   0   0   0   1   0   0
    V2i                   0   0   0   0   1   0
    Pi                    0   1   0   0   0   0
    Hi                    0   0   0   0   0   1
    Wi                    0   0   1   0   0   0

Fig. 6. A part of Matrix C (26x26): the columns V3, V4, W, V1, V2 and H.
Concealment and remote operation are also expressed with Boolean matrices. When cyber-attacks succeed in some zones, all variables in them can be concealed, and their manipulated variables and set-points can be operated. The concealment matrix corresponds to the zone division. Figure 7 shows the concealment matrix of zone 2, S2, in which the observations of changes in zone 2 are deleted. Figure 8 shows the remote operation matrix of zone 2, M2. Figure 9 shows the observation matrix of the surviving zone, O1.

Fig. 7. Concealment Matrix S2 (26x26)
Fig. 8. Remote operation matrix M2 (26x3)
Fig. 9. Survival matrix O1 (26x26)

The detectability matrix D12 shows the detectability of cyber-attacks on zone 2 through the observation of zone 1. It is calculated with the following equation:

$D_{12}(n) = O_1 \sum_{k=0}^{n} (S_2 \cdot P \cdot C)^k \cdot S_2 \cdot P \cdot M_2$   (1)

The number in the brackets of the detectability matrix, n, is the number of propagation stages. Although quantitative time constants are not dealt with in Eq. (1), the number is a measure of propagation speed. Figure 10 shows that the remote operation of the heater, H, can be concealed with this zone division, because all elements of the column corresponding to H are zeros.

Fig. 10. Detectability Matrix $D_{12}(\infty)$
Fig. 11. False signal matrix A1 (26x3); its three columns are the unit vectors of the false signals L1i, V2i and Pi.

The zone division is expressed by the zero entries in the diagonal elements of the concealment matrix, the remote operation matrix and the survival matrix. If the temperature sensor T1i is included in another zone, S2 is changed from Figure 7, and then the detectability matrix in Figure 10 changes: T1 appears as a row of D12, and the element corresponding to H and T1i becomes 1. It means that the remote operation of TC1 (T1 is the PV and H is the MV, as Matrix C shows) can be detected by the observation of T1. By using the CE matrices P and C, the candidates for zone division can be generated automatically and their detectability can be judged.

The CE matrices are also available to evaluate the effect of impersonation. Although the real plant is normal, a false alarm might be generated; operators or controllers might then take unnecessary actions, which might cause trouble. The generation of false signals in zone 1 is expressed by A1 in Figure 11. The effects of the false signals on all zones can be evaluated by calculating the reachability matrix R1 in Figure 12:

$R_1(n) = \sum_{k=0}^{n} (P \cdot C)^k \cdot A_1$   (2)

Fig. 12. Reachability matrix R1

The seriousness of the effects is evaluated using FTA and the reachability matrix R1.
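As an added worked example of Eqs. (1) and (2), not code from the paper, the block below carries the Boolean propagation through on a reduced, assumed model of the plant: only the heater loop TC1 (T1i → H), the tank-1 level loop LC1 (L1i → V2) and the circulation T1 → T2 are modelled; the matrices are oriented with columns as causes so that the right-multiplication by M2 and A1 in Eqs. (1) and (2) applies directly; and the zone assignments are assumptions chosen to reproduce the two situations described above (H concealable; H detectable through T1i once T1i is observed from the surviving zone).

```python
"""Boolean cause-effect propagation of Eqs. (1) and (2) on a reduced plant.

Added example, not code from Morita et al.  The plant is an assumed subset of
the two-tank rig: heater loop TC1 (T1i -> H), tank-1 level loop LC1 (L1i -> V2)
and the hot-water circulation T1 -> T2.  Matrices are oriented with columns as
causes, so M[effect][cause] = 1, matching the right-multiplication by M2 / A1.
"""

VARS = ["T1", "T2", "L1", "H", "V2", "T1i", "T2i", "L1i", "Hi", "V2i"]
IDX = {v: i for i, v in enumerate(VARS)}
N = len(VARS)

# Plant matrix P: physics (assumed), sensing, and MV read-back.
P_EDGES = [("H", "T1"), ("T1", "T2"), ("V2", "L1"),
           ("T1", "T1i"), ("T2", "T2i"), ("L1", "L1i"),
           ("H", "Hi"), ("V2", "V2i")]
# Controller matrix C: identity (the paper's all-ones diagonal) plus PV -> MV.
C_EDGES = [("T1i", "H"), ("L1i", "V2")]


def zeros(rows, cols):
    return [[0] * cols for _ in range(rows)]


def from_edges(edges, identity=False):
    m = zeros(N, N)
    for i in range(N):
        m[i][i] = 1 if identity else 0
    for cause, effect in edges:
        m[IDX[effect]][IDX[cause]] = 1
    return m


def diagonal(ones):
    """Diagonal selector matrix: 1 for the named variables, 0 elsewhere."""
    m = zeros(N, N)
    for v in ones:
        m[IDX[v]][IDX[v]] = 1
    return m


def unit_columns(names):
    """N x len(names) matrix of unit columns (the shape of M2 and A1)."""
    m = zeros(N, len(names))
    for j, v in enumerate(names):
        m[IDX[v]][j] = 1
    return m


def bmul(a, b):
    """Boolean matrix product: OR over k of (a[i][k] AND b[k][j])."""
    out = zeros(len(a), len(b[0]))
    for i, row in enumerate(a):
        for k, aik in enumerate(row):
            if aik:
                for j, bkj in enumerate(b[k]):
                    if bkj:
                        out[i][j] = 1
    return out


P = from_edges(P_EDGES)
C = from_edges(C_EDGES, identity=True)


def propagate(step, first_term, columns, keep, n):
    """For sum_{k=0..n} step^k * first_term, the first stage k at which each
    (column, variable) entry becomes 1, restricted to variables in `keep`."""
    term, stage = first_term, {}
    for k in range(n + 1):
        if k:
            term = bmul(step, term)
        for j, col in enumerate(columns):
            for i, v in enumerate(VARS):
                if term[i][j] and v in keep and (col, v) not in stage:
                    stage[(col, v)] = k
    return {col: {v: k for (c, v), k in stage.items() if c == col} for col in columns}


def detectability(zone2_obs, zone2_mvs, zone1_obs, n):
    """Eq. (1): D12(n) = O1 * sum_k (S2 P C)^k S2 P M2.
    zone2_obs: observations the intruder conceals; zone2_mvs: MVs the intruder
    drives remotely; zone1_obs: observations in the surviving zone (O1)."""
    s2 = diagonal(v for v in VARS if v not in zone2_obs)         # concealment S2
    first = bmul(s2, bmul(P, unit_columns(zone2_mvs)))             # S2 P M2
    step = bmul(s2, bmul(P, C))                                    # S2 P C
    return propagate(step, first, zone2_mvs, set(zone1_obs), n)    # O1 applied as `keep`


def reachability(zone1_false, n):
    """Eq. (2): R1(n) = sum_k (P C)^k A1, every variable a false signal reaches."""
    return propagate(bmul(P, C), unit_columns(zone1_false), zone1_false, set(VARS), n)


if __name__ == "__main__":
    # Division 1 (assumed): heater loop wholly in intruded zone 2 -> H concealable.
    print(detectability({"T1i", "T2i", "Hi"}, ["H"], {"L1i", "V2i"}, 5))
    # Division 2: T1i moved to the surviving zone -> H shows in T1i at stage 1.
    print(detectability({"T2i", "Hi"}, ["H"], {"L1i", "V2i", "T1i"}, 5))
    # Impersonation: a false L1i reading makes LC1 really move V2 and L1.
    print(reachability(["L1i"], 3))
```

`detectability` returns, for each remotely operated variable, the surviving-zone observations in which it shows up and the propagation stage n at which they first appear; an empty dictionary is the all-zero column of Fig. 10. `reachability` is Eq. (2): a false L1i reading is acted on by LC1 at stage 1, so the real level L1 and the valve read-back V2i move, which is the unnecessary action the text warns of.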
6. Detection of Abnormality
Although the calculation results of the CE matrices show the detectability of remote operation and concealment, how to detect them is another problem. Even if the relationships among the variables in the intruded zone look normal, the effects of the remote operation appear in the surviving zones. This causes inconsistency in the relationships between the variables of the intruded zone and those of the surviving one. Because there are many kinds of relationships among the variables, identifying each relationship is very troublesome. In this paper, a procedure using principal component analysis (PCA) is proposed.
To illustrate the principle of the method, the data distribution of three variables is shown in Figure 13. If one equation is satisfied among the three variables, the degrees of freedom are two. In this case the top two principal component scores take values, and the last principal component score must be zero: all data are distributed on a hyperplane. If some of the relationships change, data might be generated outside the hyperplane, which can be detected as changes in the principal component scores that were zero. These scores are sensitive to changes in the relationships. Even for cases in which the changes caused by the cyber-attack stay on the hyperplane, the principal component scores are effective for detecting the changes, because PCA expresses the distribution of normal data in a suitably chosen orthogonal coordinate system: the rectangular ranges of the principal component scores express the normal data distribution better than the ranges of the original coordinates of the sensed and actuated variables.
Fig. 13. Observation of changes based on PCA. Axes x1, x2, x3; the first and second components span the plane f(x1, x2, x3) = 0, on which the third component score is zero; a changed relationship f'(x1, x2, x3) = 0 moves the data off that plane.

Fig. 14. Cumulative contribution ratios of the principal components for normal data
6.1. Example Scenarios of Cyber-Attacks
We assume that normal operation data have been logged. For a numerical example, experimental data including many kinds of set-point changes of the level control and the flow rate control were logged using the plant shown in Fig. 2. PCA was applied to these data and the principal components were determined. The cumulative contribution ratios of the principal components for the normal data are shown in Fig. 14: the top four principal components express almost all of the behavior of the thirteen variables. For monitoring abnormality, the principal component scores are calculated online using the determined principal components. There are many combinations of variables from different zones, so many monitoring systems can be built; in this paper the results using all thirteen process variables for PCA are shown as an example, and two scenarios of cyber-attacks are used to evaluate the detection capability of PCA.
The first scenario is the detection of remote operation and concealment by a cyber-attacker, shown in Fig. 15. The set-point of the level of tank1 was decreased. The magnitude of the operation was common and similar to
the data contained in the normal operation data. The attacker concealed the changes in the attacked zone; the changes in the other zones, however, were monitored, so the relationships between the variables of the different zones collapsed. The target of the first example is the detection of the concealment. Figure 17 shows the principal component scores for the monitored data in Figure 15. The two lines in each graph indicate the maximum and minimum scores for the learned normal data. The bands of the top three principal component scores are wide, while the next ten bands are very narrow compared with them; the small deviation of a principal component score means the existence of a constraint among the thirteen variables. Because the magnitude of the remote operation was not large, the changes in the top three scores remained within the band widths. The other scores, however, departed from the upper or lower limits. These changes can be regarded as the effects of the relationship changes caused by the concealment.
The second example is a large change by remote operation that was not concealed. Figure 16 shows the changes in the levels of the two tanks. At time 360, Tank 1 became empty; such a situation was not included in the normal data. Figure 18 shows the principal component score changes corresponding to Figure 16. Because the changes were not concealed, the relationships among the variables did not collapse even after the attack, which started at time 250; therefore the scores of the 4th and later principal components stayed within the bands of the normal data after time 250. At time 360, the flow rate control collapsed because Tank1 became empty, and this collapse could be detected in these score changes. Before time 360, the large change generated data outside the normal distribution bands of the top three principal components. These results show that PCA is effective for detecting abnormal situations.
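The monitoring scheme of this section, as an added example with constructed data (not the authors' code or their experimental data): normal operation is simulated with two constraints among four observed variables, PCA is fitted to it, per-component min/max score bands are learned, and an online sample is flagged when any score leaves its band. The two attack samples mirror the two scenarios above: a concealed level change that breaks the L1 + L2 constraint, and a large unconcealed change that stays on the constraint surface but outside the learned range. The plant relations, noise levels and sample values are assumptions; PCA is computed with a Jacobi eigen-solver so the block needs no third-party library.

```python
"""PCA score-band monitor in the spirit of Section 6.  Added example, not
code from Morita et al.: the "normal operation" data are constructed (two
tank levels whose sum is fixed by the closed circulation, two temperatures
tied by heat exchange, set-point changes plus sensor noise), and the attack
samples are assumed.  Pure Python; no numpy."""
import math
import random

VARIABLES = ["L1i", "L2i", "T1i", "T2i"]   # zone 1: L1i, T1i; zone 2: L2i, T2i (assumed)


def normal_operation(samples=200, seed=7):
    """Constructed normal data: L1 + L2 = 300 (closed circulation) and
    T2 = 0.8*T1 - 5 (heat exchange), under many set-point changes."""
    rng = random.Random(seed)
    rows = []
    for _ in range(samples):
        l1 = rng.uniform(100, 200)                  # level set-point changes
        t1 = rng.uniform(50, 70)                    # temperature set-point changes
        rows.append([l1, 300 - l1 + rng.gauss(0, 1.0), t1, 0.8 * t1 - 5 + rng.gauss(0, 0.5)])
    return rows


def jacobi_eigen(a, sweeps=50):
    """Eigenvalues (descending) and eigenvectors (as columns) of a symmetric
    matrix, by cyclic Jacobi rotations."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-20:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                    # A <- A J,  V <- V J
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
                for k in range(n):                    # A <- J^T A
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for i in order] for k in range(n)]


class PcaMonitor:
    """Learn principal components and per-component score bands (min/max over
    the normal data); flag online samples whose scores leave a band."""

    def __init__(self, normal):
        n, d = len(normal), len(normal[0])
        self.mean = [sum(r[j] for r in normal) / n for j in range(d)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in normal) / (n - 1))
                    for j in range(d)]
        z = [self._scale(r) for r in normal]
        cov = [[sum(a[i] * a[j] for a in z) / (n - 1) for j in range(d)] for i in range(d)]
        self.eigenvalues, self.loadings = jacobi_eigen(cov)
        scores = [self.scores(r) for r in normal]
        self.bands = [(min(s[c] for s in scores), max(s[c] for s in scores)) for c in range(d)]

    def _scale(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.std)]

    def scores(self, row):
        z = self._scale(row)
        return [sum(z[k] * self.loadings[k][c] for k in range(len(z))) for c in range(len(z))]

    def check(self, row):
        """Indices of the principal components whose score leaves its normal band."""
        return [c for c, (s, (lo, hi)) in enumerate(zip(self.scores(row), self.bands))
                if s < lo or s > hi]


# Assumed online samples (L1i, L2i, T1i, T2i).
CONCEALED = [150.0, 190.0, 60.0, 43.0]    # real L1 lowered to 110; zone-1 L1i frozen at 150
UNCONCEALED = [40.0, 260.0, 60.0, 43.0]   # large unconcealed level change, tank 1 nearly empty
NORMAL = [150.0, 150.0, 60.0, 43.0]       # consistent mid-range operation


if __name__ == "__main__":
    monitor = PcaMonitor(normal_operation())
    print("eigenvalues:", [round(e, 4) for e in monitor.eigenvalues])
    for name, sample in ("concealed", CONCEALED), ("unconcealed", UNCONCEALED), ("normal", NORMAL):
        print(name, "-> components out of band:", monitor.check(sample))
```

In the concealed case only components 2 and 3 (the near-zero-variance ones that encode the two constraints) leave their bands, while in the unconcealed case only the top components do: the same separation the paper observes between Figs. 17 and 18. Bands learned from min/max are only as good as the coverage of the normal data, which is why the authors logged many set-point changes before training.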
PCA can be applied to any kind of plant if normal operation data are available. Therefore, many abnormality detection systems can be constructed for real industrial plants. It is still difficult to distinguish whether the cause of an abnormal situation is a cyber-attack. However, the detection itself is very important, especially because concealment is part of cyber-attack procedures. The combination of zone division and automatic abnormality detection using PCA can be an effective security measure.

Fig. 15. First example of cyber-attacks: (a) concealed Tank1 liquid level, (b) real Tank1 liquid level, (c) real Tank2 liquid level, plotted against time 0-700.

Fig. 16. Second example of cyber-attacks: the levels of the two tanks plotted against time.
Fig. 17. A part of the principal component scores for the slightly manipulated and concealed data of the first example: panels for the 1st, 2nd, 3rd, 6th, 7th, 9th, 11th and 13th principal component scores against time 0-700, with the maximum and minimum scores of the normal data drawn as two lines.
Fig. 18. A part of the principal component scores for the not concealed data of the second example: panels for the 1st, 2nd, 3rd, 4th, 9th, 10th, 11th and 13th principal component scores against time 0-450, with the maximum and minimum scores of the normal data drawn as two lines.
7. Conclusion
In this paper, a design method for control network configuration that improves security and safety is proposed. The network is divided into plural zones; if the security of each zone is set independently, the possibility of intrusion of the whole area becomes low. How to divide the network and how to detect abnormality are discussed, and examples of the application of zone division and PCA are illustrated. It was shown that the system could detect the relationship changes caused by concealment.
The proposed system is just a detection system for abnormality. The diagnosis of cyber-attacks is a challenge for the future; for example, it is difficult to distinguish a cyber-attack from a failure of the tank2 level sensor using the data in Fig. 15. However, diagnosis cannot be started when detection is missed. PCA is just one example of abnormality detection methods; many kinds of detection methods should be applied to secure control networks. Zone division is an example of the problems that process engineers should address proactively. We hope that cyber-security will be improved by the cooperation of information engineers and process engineers.

Acknowledgements
This work was supported by JSPS KAKENHI Grant Number 24310119.

References
[1] Toyoshima, T., J. Sun, I. Koshijima and Y. Hashimoto, 2011, Risk analysis and countermeasure planning against cyber-attacks, J. of Human Factors in Japan, 15, 2, 4-9.
[2] Uehara, T., 2011, SCADA system and cyber security, J. of Human Factors in Japan, 15, 2, 10-13.
[3] Hashimoto Y., T. Toyoshima, S. Yogo, M. Koike, Sun Jung, I. Koshijima, 2012, Conceptual Framework for Security Hazard Management in Critical Infrastructures, Proceedings of PSE 2013, Singapore.
[4] Hashimoto Y., T. Toyoshima, S. Yogo, M. Koike, Sun Jung, I. Koshijima, 2013, Safety Securing Approach against Cyber-Attacks for Process Control System, Computers and Chemical Engineering. 10.1016