Cyber-Physical Anomaly Detection for Industrial Control Systems: two novel frameworks and an Intrusion Response System / Simone Guarino, Apr. 2024, 36th cycle
Cyber-Physical Anomaly Detection for Industrial Control Systems: two novel frameworks and an Intrusion Response System
GUARINO, SIMONE
2024-04-01
Abstract
In recent years, Industrial Cyber-Physical Systems (ICPS), integrated into the so-called Industrial Control Systems (ICS), have been facing more and more cyber-attacks due to the increased ICS networked connectivity, the adoption of open-source industrial protocols, and the use of off-the-shelf products. Such cyber-attacks can lead to cyber anomalies, such as unauthorized IP addresses infiltrating the ICS network or anomalies in the data flow, which can subsequently cause breakdowns in the physical assets, potentially compromising the entire ICS infrastructure. In this regard, it is crucial to ascertain whether these physical failures stem from cyber anomalies or from malfunctions in the physical components due to factors like aging, insufficient maintenance, or intentional physical sabotage. Cyber-Physical Anomaly Detection (CPAD) algorithms address the joint monitoring of cyber and physical data, which results in the detection of cyber, physical, and cyber-physical anomalies over the ICS. Such algorithms are categorized into three different classes based on their detection model, i.e., signature-based, behavior-based (also known as anomaly-based), and specification-based. The first one detects only well-known attacks based on a predefined database; the second one detects anomalies by learning the nominal behavior of the cyber-physical process through data-driven approaches (e.g., machine learning or deep learning algorithms); while the third one detects anomalies by modeling the ICS through the adoption of probabilistic approaches or mathematical control laws.
Recently, scientific literature has been investigating more and more the possibility of merging behavior-based and specification-based algorithms in order to reduce the number of false positive events, which are mainly returned by behavior-based approaches, while reducing the computational load related to mathematical and probabilistic modeling, which is the main disadvantage of specification-based algorithms. Nevertheless, there is still little attention on deploying such “hybrid” algorithms to both the cyber and physical domains of the ICS, as the scientific literature mainly focuses on the monitoring of cyber anomalies. Moreover, considering the distributed nature of ICPSs, which are mainly deployed in critical infrastructures like water treatment, smart grids, power distribution systems, and chemical process control, there is a need to provide distributed multi-source and multi-modal CPAD algorithms that can detect anomalies in the different assets of the same infrastructure. Such algorithms may leverage data, feature, and decision fusion techniques that can merge the predictions of multiple, possibly redundant, detectors with the aim of making an agreed decision about an ongoing cyber, physical, or cyber-physical threat. Nevertheless, decision fusion techniques suffer from the possible presence of faulty detectors which could negatively weigh the final decision. For this reason, there is a need for an explainable decision fusion technique that can give an insight into how many, which, and to what extent possibly faulty detectors contribute to the final decision. This property could be very useful for security operators who are in charge of implementing appropriate countermeasures to secure the ICS. In this regard, scientific literature has demonstrated the need for security systems to automatically prevent or respond against the detected threat based on the distributed CPAD outcomes.
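The explainable decision fusion discussed above, as a simplified added example that is not the thesis's own TV-DBN: a static naive-Bayes fusion of four constructed detectors (names and reliability values are hypothetical) that reports each detector's log-odds contribution to the fused decision and flags the detectors whose evidence argues against it, which is how an operator can see how many, which, and to what extent possibly faulty detectors shape the outcome.

```python
from math import log, exp

# Constructed detector reliability table (hypothetical, not the thesis's values):
# name -> (P(alarm | anomaly), P(alarm | nominal))
DETECTORS = {
    "net_flow":   (0.90, 0.05),   # cyber: flow-level anomaly detector
    "modbus_ids": (0.80, 0.02),   # cyber: protocol-aware IDS
    "tank_level": (0.85, 0.10),   # physical: residual on a tank level sensor
    "pump_power": (0.50, 0.45),   # nearly uninformative, e.g. a degraded detector
}

def fuse(alarms, detectors=DETECTORS, prior=0.05):
    """Naive-Bayes decision fusion of binary detector outputs.

    alarms: dict name -> True/False (alarm raised or not).
    Returns (posterior probability of an anomaly, per-detector contribution in
    log-odds). Detector outputs are assumed conditionally independent given the
    true state (the naive-Bayes assumption); prior is P(anomaly) before evidence.
    """
    log_odds = log(prior / (1 - prior))
    contrib = {}
    for name, raised in alarms.items():
        p_a, p_n = detectors[name]
        # likelihood of the observed output under anomaly vs. nominal
        l_a = p_a if raised else 1 - p_a
        l_n = p_n if raised else 1 - p_n
        llr = log(l_a / l_n)           # evidence this detector adds (can be negative)
        contrib[name] = llr
        log_odds += llr
    posterior = 1 / (1 + exp(-log_odds))
    return posterior, contrib

def explain(alarms, detectors=DETECTORS, threshold=0.5):
    """Rank detectors by |contribution| and list those opposing the fused decision.

    A detector whose evidence points the other way from the final decision is a
    candidate for being faulty (or for seeing a different anomaly) and deserves
    the operator's attention before a response is triggered.
    """
    posterior, contrib = fuse(alarms, detectors)
    decision = posterior >= threshold
    ranked = sorted(contrib.items(), key=lambda kv: -abs(kv[1]))
    dissenting = [n for n, llr in contrib.items() if llr != 0 and (llr > 0) != decision]
    return decision, ranked, dissenting
```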
Such systems take the name of Intrusion Prevention Systems (IPS) and Intrusion Response Systems (IRS) which respectively generate proactive responses in order to prevent cyber, physical, or cyber-physical anomalies and reactive responses in a timely manner in order to handle anomalies and mitigate their effects on the ICS. Specifically, this latter form of security measure offers several benefits, including minimizing human errors and decreasing the time taken to implement remediation actions upon detecting anomalies. Nevertheless, there is little attention on deploying IRSs for ICPSs due to their criticality in managing both cyber and physical domains. Moreover, the current approaches show weaknesses, such as scalability issues, limited consideration of detection probability, and no consideration of experts’ opinions in the decision-making process. Taking into account the aforementioned limitations of the current scientific literature, this thesis work investigates the security of ICPSs addressing the challenge of detecting and responding to cyber, physical, and cyber-physical anomalies. 
In more detail, the thesis proposes: (I) a novel cyber-physical dataset from a hardware-in-the-loop Water Distribution Testbed (WDT) in a laboratory environment which has been useful in evaluating different CPAD algorithms and in deploying IPS and IRS solutions; (II) a comparative study of the performance of different supervised machine learning algorithms applied to three different publicly available ICS datasets; (III) a novel hybrid “multi-formalism” CPAD framework for combining the outcomes of unsupervised behavior-based anomaly detectors applied to cyber and physical data through the adoption of a static Bayesian network; (IV) a novel flexible framework for multi-source and multi-modal CPAD which enables the combination of multiple and redundant CPAD detectors by means of a Time-Varying Dynamic Bayesian Network (TV-DBN) implemented as an explainable decision fusion technique; (V) the implementation of Snort, one of the most adopted IPSs on the market, in the WDT infrastructure and the stealth exploitation of two of its configuration vulnerabilities through a novel batch script for Windows Operating Systems; (VI) a novel expert- and risk-based IRS for ICSs that addresses both known and zero-day attacks, considers the detection probability of the detected cyber and physical attacks/anomalies, reduces the scalability issue by providing a set of Bayesian networks within the risk assessment module, and introduces the adoption of experts’ opinions inside the decision-making process. Overall, the research contributes significantly to the field of ICPS security, offering practical solutions and frameworks for enhancing the resilience of ICSs against evolving cyber threats in the era of Industry 4.0.

File | Size | Format
---|---|---
Guarino Simone tesi di dottorato.pdf (embargo until 01/10/2025; license: Creative Commons) | 31.33 MB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.