With the advent of Industry 4.0, water treatment systems (WTSs) are recognized as typical industrial cyber-physical systems (iCPSs) that are connected to the open Internet. Advanced information technology (IT) benefits WTSs in reliability, efficiency, and economy. However, vulnerabilities exposed in the communication and control infrastructure on the cyber side make WTSs prone to cyber attacks. Traditional IT-oriented defense mechanisms cannot be applied directly to safety-critical WTSs, because availability and real-time requirements are of primary importance there. To address this issue, we propose an entropy-based intrusion detection (EBID) method to thwart cyber attacks against the controllers widely used in WTSs (e.g., programmable logic controllers). Because WTS operating conditions vary, detection with a static threshold yields a high false-positive rate; we therefore propose a dynamic threshold adjustment mechanism to improve the performance of EBID. To validate the proposed approaches, we built a high-fidelity WTS testbed with more than 50 measurement points. Experiments under two attack scenarios with a total of 36 attacks show that the proposed methods achieved a detection rate of 97.22% and a false alarm rate of 1.67%.
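The abstract describes the two ideas that matter to a practitioner, windowed entropy as the detection statistic and a threshold that adapts to changing operating conditions, but not the concrete features or adjustment rule. The following is an added example (not the paper's code, and not derived from its testbed data) showing the mechanism on constructed PLC tank-level readings: each window of readings is quantized and its Shannon entropy computed; a static band fixed from the warm-up windows is compared with an adaptive band whose mean and variance follow an exponentially weighted moving average (EWMA) of non-alerting windows. The EWMA rule, the two-sided band, the `sigma_min` floor, the triangle-wave readings and both attack patterns (injected spread-out values, and a frozen/replayed constant value) are assumptions made for illustration.

```python
"""Entropy-based window detector: static vs. adaptive threshold.

Added example, not the paper's implementation. The paper's feature set and
threshold-adjustment rule are not on this page; the EWMA band below and the
constructed data are assumptions for illustration.
"""
import math
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy in bits of the empirical distribution of `symbols`."""
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def window_entropies(readings, window=20, step=1.0):
    """Quantize readings into `step`-wide bins and return the entropy of each
    non-overlapping window of `window` samples."""
    quantized = [math.floor(x / step) for x in readings]
    return [shannon_entropy(quantized[i:i + window])
            for i in range(0, len(quantized) - window + 1, window)]


def baseline(entropies, warmup):
    """Plain mean/variance of the warm-up windows (assumed attack-free)."""
    mu = sum(entropies[:warmup]) / warmup
    var = sum((h - mu) ** 2 for h in entropies[:warmup]) / warmup
    return mu, var


def detect(entropies, warmup=3, k=3.0, sigma_min=0.35, alpha=None):
    """Flag windows whose entropy leaves [mu - k*sigma, mu + k*sigma].

    alpha=None -> static band fixed from the warm-up windows.
    alpha=0.3  -> adaptive band: mu/var follow an EWMA of *non-alerting*
                  windows, so it tracks gradual operating-condition changes
                  but is not trained upward by an attack in progress.
    sigma_min stops the band collapsing when warm-up windows are identical.
    """
    mu, var = baseline(entropies, warmup)
    flags = [False] * warmup  # warm-up windows are not evaluated
    for h in entropies[warmup:]:
        band = k * max(math.sqrt(var), sigma_min)
        alert = h > mu + band or h < mu - band
        flags.append(alert)
        if alpha is not None and not alert:
            d = h - mu
            mu += alpha * d
            var = (1 - alpha) * (var + alpha * d * d)
    return flags


# ---- constructed data (assumption, not testbed measurements) --------------
def tank_level(n, amplitude, period=20):
    """Triangle-wave tank level around 50 (%) swinging +/- `amplitude`."""
    out = []
    for i in range(n):
        j = i % period
        t = j - 5 if j <= 10 else 15 - j  # integer ramp -5..5..-4
        out.append(50.0 + amplitude * t / 5.0)
    return out


def build_scenario(window=20):
    """Quiet operation, a gradual demand ramp, then two attack types."""
    readings, is_attack = [], []

    def add(vals, attack):
        readings.extend(vals)
        is_attack.extend([attack] * (len(vals) // window))

    add(tank_level(5 * window, 0.5), False)               # steady state
    for amp in (1.0, 1.5, 2.0, 2.5, 3.0):                  # load ramps up
        add(tank_level(window, amp), False)
    add([20.0 + 3.0 * (j % 20) for j in range(2 * window)], True)  # injected spread
    add(tank_level(window, 3.0), False)
    add([50.0] * (2 * window), True)                       # frozen/replayed value
    add(tank_level(window, 3.0), False)
    return readings, is_attack


def evaluate(flags, is_attack):
    """Detections and false positives over the evaluated windows."""
    tp = sum(1 for f, a in zip(flags, is_attack) if f and a)
    fp = sum(1 for f, a in zip(flags, is_attack) if f and not a)
    return {"detected": tp, "attack_windows": sum(is_attack),
            "false_positives": fp}


def run(window=20):
    readings, is_attack = build_scenario(window)
    entropies = window_entropies(readings, window)
    static = evaluate(detect(entropies, alpha=None), is_attack)
    dynamic = evaluate(detect(entropies, alpha=0.3), is_attack)
    return static, dynamic


if __name__ == "__main__":
    s, d = run()
    print("static :", s)
    print("dynamic:", d)
```

On this constructed run the static band, fixed during the quiet phase, fires on every window of the higher-load regime and never sees the frozen-value attack (its lower bound sits below zero), while the adaptive band follows the ramp, flags both attack types and raises no false positive. The caveat a practitioner should keep in mind is the flip side of adaptation: a band that tracks gradual change will also track a sufficiently slow attack, so the adaptation rate (`alpha`) and the update-freeze on alerts have to be chosen against the process's real rate of change, and a frozen baseline should itself raise an operator notification if it persists.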
Project supported by the National Natural Science Foundation of China (No. 61833015)
Ke LIU and Mufeng WANG designed the research. Qiang WEI helped design the research. Ke LIU processed the data. Ke LIU and Mufeng WANG drafted the paper. Rongkuan MA, Zhenyong ZHANG, and Qiang WEI helped organize the paper. Ke LIU and Mufeng WANG revised and finalized the paper.
Compliance with ethics guidelines
Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, and Qiang WEI declare that they have no conflict of interest.
Cite this article
Liu, K., Wang, M., Ma, R. et al. Detection and localization of cyber attacks on water treatment systems: an entropy-based approach. Front Inform Technol Electron Eng 23, 587–603 (2022). https://doi.org/10.1631/FITEE.2000546
- Industrial cyber-physical system
- Water treatment system
- Intrusion detection
- Abnormal state
- Detection and localization
- Information theory