Thanks to the availability of the testbeds at iTrust, researchers are able to test and validate their defence mechanisms. By launching cyber attacks and cyber exercises, the researchers can also investigate and fine-tune the responses of those mechanisms to the attacks. Below are the technologies developed by iTrust researchers over the years.

AEGIS

AEGIS (Automatic Extensible Generic Invariant-based Security) is an attack detection mechanism for the protection of cyber-physical systems (CPS). It comprises an algorithm that is designed to be generic and universal for various types of CPS, such as water treatment plants, power distribution grids, etc.

The algorithm reads the CAD files and/or P&IDs of the system to obtain the connections between the components. Based on encoded fundamental principles, the algorithm automatically generates the rules that the associated sensor-actuator sets must follow for the proper operation of the system. These rules are called invariants, and they are created using logic similar to that followed by DAD.

The actual system behaviour is then matched against this expected behaviour to check for process anomalies. The detector employs several generalised design parameters and device-specific constants that allow users to customise the tool for their particular systems.

Developer: Athalye Surabhi Sachin 
Advisor: Prof Aditya Mathur

AICrit

AICrit for anomaly detection in Industrial Control Systems (ICS) is a unified framework for real-time process monitoring with the goal of preserving the control behaviour integrity of the ICS. It precisely learns the normal spatio-temporal relationship among the set of highly correlated components through the application of machine learning algorithms (data-centric approach) combined with a considerable amount of design knowledge (design-centric approach). The design of the unsupervised detector presented here is two-fold. The first part models the normal behaviour of continuous-valued state variables (sensors) through their temporal dependencies, so as to forecast their behaviour with minimal error. The second part models the higher-order and non-linear correlation among the discrete and continuous state variables (cross-correlation among the sensors and actuators) during normal plant operation. By combining these two, the functional dependencies of the sensors and actuators are monitored continuously, which increases the confidence in discovering and reporting a wide range of anomalies whenever the expected and actual behaviour of the ICS diverge.

Developer: Dr Gauthama Raman Mani Iyer Ramani
Advisor: Prof Aditya Mathur

M.R. Gauthama Raman, Wenjie Dong, Aditya Mathur, “Deep Autoencoders as Anomaly Detectors: Method and Case Study in a Distributed Water Treatment Plant,” Computers & Security (2020), doi: https://doi.org/10.1016/j.cose.2020.102055

Argus

Argus is a variant of Distributed Attack Detection (DAD; see other technology). It has the same detection capability as DAD but relies on data from the Historian instead of the PLC. In addition, Argus can be deployed on a separate server as an additional, orthogonal layer of defence.

Argus leverages the same principle of process invariants and uses the same algorithms employed in DAD. The difference is that Argus takes in data from the Historian of a CPS instead. In this manner, Argus is still able to detect process abnormalities when the PLC has been compromised by an attacker. Argus is useful in operational legacy systems, which might not be able to support the deployment requirements of DAD.

Developer: Siddhant Shrivastava
Advisor: Prof Aditya Mathur

Sridhar Adepu, Siddhant Shrivastava, Aditya Mathur, “Argus: An Orthogonal Defense Framework to Protect Public Infrastructure against Cyber-Physical Attacks,” IEEE Internet Computing, Volume 20, Issue 5. https://ieeexplore.ieee.org/abstract/document/7676148

BlockOps

BlockOps uses blockchain technology and redundancy capabilities to ensure that operational and network traffic data stored in an industrial control system (ICS) is secure and can be trusted. By constantly validating the data integrity in the background, it is able to generate an alert when data has been tampered with (modified or deleted) and to enable its recovery. All these functions can be managed through a user-friendly graphical user interface. An advantage of the BlockOps technology is that it can be easily integrated into an existing ICS and work alongside the historian without affecting its data flow.

The BlockOps technology is an end-to-end prototype which has been implemented in the Secure Water Treatment (SWaT) testbed. A patent has also been filed for the technology.

Developer: Aung Maw
Advisor: Prof Aditya Mathur
Publications:

Maw, Aung, Sridhar Adepu, and Aditya Mathur. “ICS-BlockOpS: Blockchain for operational data security in industrial control system.” Pervasive and Mobile Computing 59 (2019): 101048. https://www.sciencedirect.com/science/article/pii/S1574119218307041

CoToRu

CoToRu is a toolchain that takes in the PLC’s code to automatically generate a comprehensive set of IDS rules. CoToRu comprises (1) an analyser that parses PLC code to build a state transition table modelling the PLC’s behaviour, and (2) a generator that instantiates IDS rules for detecting deviations in PLC behaviour. The generated rules can be imported into the Zeek IDS to detect various attacks. CoToRu has been applied to a power grid testbed, and results show that the generated rules provide superior performance compared to existing IDSes, including those based on statistical analysis, invariant checking, and machine learning. The rules generated by CoToRu’s prototype provide sub-millisecond detection latency, even for complex PLC logic.

Developer: Heng Chuan Tan, Carmen Cheh
Advisor: Assoc Prof Binbin Chen

Heng Chuan Tan, Carmen Cheh, Binbin Chen, “CoToRu: Automatic Generation of Network Intrusion Detection Rules from Code,” IEEE INFOCOM 2022 – IEEE Conference on Computer Communications. https://ieeexplore.ieee.org/document/9796697

Cyber Twins

Development of the Cyber Twin began in 2017 as a personal project in iTrust aimed at creating a software version of an existing water treatment plant, namely SWaT. Gradually, the Cyber Twin grew in complexity and feature set, with a usable version available in 2020. The Cyber Twin is intended to be rapidly configurable within a domain, e.g., for different water utilities, as well as across different domains, such as gas pipelines and electric power grids. At the time of this writing, the Cyber Twin has been configured to mimic the behaviour of an operational water treatment plant (SWaT), a virtual gas pipeline (GASP), and an enhanced version of an operational electric power grid (SHOCK).

Developer: Prof Aditya Mathur

Distributed Attack Detection (DAD)

Distributed Attack Detection (DAD) is a patented attack detection system. Throughout the course of its development, DAD was iteratively improved through extensive experimentation in the Secure Water Treatment (SWaT) testbed.

DAD can be considered a host-based intrusion detection system (HIDS). Specifically, it collects data on the various sensor measurements of processes, such as water pH value, water level and flow indicators, for analysis and process anomaly detection. By using all 52 sensor values of SWaT, it can detect single-stage multi-point and multi-stage multi-point cyber-attacks in a distributed control system.

DAD uses “security by design” against many basic and advanced attacker models. Based on the laws of physics, it directly verifies the process variables of the CPS within the distributed PLCs to check for abnormal behaviour. Process variables are time-dependent and interrelated across the entire plant process. Hence, their values are constrained by the relationships they have with the other process variables, as governed by the fundamental laws of physics and/or chemistry. The relationships among these constrained variables lead to process invariants – DAD’s rule-based algorithms.

The invariants are embedded in PLCs as well as special hardware devices known as intelligent checkers (ICs) with wired interfaces to sensors and actuators. The invariants are checked constantly to ensure the underlying processes are behaving as intended. When an invariant is violated, the underlying CPS process has diverged from its intended behaviour and an alarm is triggered.
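The following is an added illustration of the invariant-checking idea shared by AEGIS and DAD; it is not code from either tool. It assumes a SWaT-style stage-1 tank with inlet valve MV101, pump P101 and level sensor LIT101, and the level bounds, tolerance and sample trace are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stage-1 snapshot of a SWaT-style plant: inlet valve MV101, pump P101
# and tank level LIT101 (tag names follow SWaT; the bounds below are assumptions).
@dataclass
class Sample:
    t: int
    mv101: str      # "OPEN" or "CLOSED"
    p101: str       # "ON" or "OFF"
    lit101: float   # tank level in mm

MAX_RATE = 5.0   # assumed largest physically possible level change per sample (mm)
TOL = 0.5        # assumed sensor-noise allowance (mm)

def rate(prev, cur):
    return cur.lit101 - prev.lit101

# Invariants in the DAD/AEGIS style: each ties the actuator states to the physically
# admissible change of the process variable over one sampling interval.
INVARIANTS = {
    # inlet open and outlet pump off: the level cannot fall
    "fill_rises": lambda p, c: not (c.mv101 == "OPEN" and c.p101 == "OFF") or rate(p, c) >= -TOL,
    # inlet closed and pump on: the level cannot rise
    "drain_falls": lambda p, c: not (c.mv101 == "CLOSED" and c.p101 == "ON") or rate(p, c) <= TOL,
    # inlet closed and pump off: the level must stay put
    "idle_steady": lambda p, c: not (c.mv101 == "CLOSED" and c.p101 == "OFF") or abs(rate(p, c)) <= TOL,
    # no actuator combination can move the level faster than MAX_RATE
    "rate_bound": lambda p, c: abs(rate(p, c)) <= MAX_RATE,
}

def check_trace(trace):
    """Evaluate every invariant on each pair of consecutive samples; an alarm
    (t, rule) is raised for every violation, as an intelligent checker would."""
    alarms = []
    for prev, cur in zip(trace, trace[1:]):
        for name, rule in INVARIANTS.items():
            if not rule(prev, cur):
                alarms.append((cur.t, name))
    return alarms

# Constructed trace: normal filling for t=0..3; at t=4 and t=5 the level reading
# is spoofed to fall although the inlet is open and the pump off; at t=6 the
# reading jumps by far more than the tank can physically change in one interval.
TRACE = [
    Sample(0, "OPEN", "OFF", 500.0), Sample(1, "OPEN", "OFF", 503.0),
    Sample(2, "OPEN", "OFF", 506.1), Sample(3, "OPEN", "OFF", 509.0),
    Sample(4, "OPEN", "OFF", 505.0), Sample(5, "OPEN", "OFF", 501.0),
    Sample(6, "OPEN", "OFF", 540.0), Sample(7, "CLOSED", "ON", 537.0),
]
```

Running `check_trace(TRACE)` raises alarms at t=4 and t=5 (level falling while filling) and at t=6 (impossible rate of change), while the genuine samples pass every rule.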

Developer: Sridhar Adepu
Advisor: Prof Aditya Mathur
Publications:

DNAttest

DNAttest is a Digital-twin-based Noninvasive Attestation solution to attest PLC behaviour in near-real time. DNAttest requires minimal ICS infrastructure changes and does not interfere with normal ICS operations. It detects PLC deviations by replicating all input messages of a PLC to its digital twin and comparing their output messages. Due to transient uncertainty in the PLC’s internal processing state, DNAttest may output an incorrect comparison. To generate all plausible output values for comparison, we instantiate multiple emulated PLCs by replicating input messages with different timing profiles. DNAttest is demonstrated on a close-to-real-world power grid testbed and is shown to provide timely detection of a wide range of attacks non-invasively and accurately. The DNAttest solution is lightweight and scalable.

Developer: Wei Lin, Heng Chuan Tan
Advisor: Assoc Prof Binbin Chen

Wei Lin, Heng Chuan Tan, Binbin Chen, Fan Zhang, “DNAttest: Digital-twin-based Non-intrusive Attestation under Transient Uncertainty,” 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10202620

HybMonitor

The HybMonitor tool is a black-box modelling approach to detect cyber-attacks in Cyber-Physical Systems. It uses a model of the system under analysis to predict future behaviours, and is able to detect behaviours that diverge from those expected.

HybMonitor relies on two different tools: HybModeller and HybMonitor. HybModeller uses historical data (from the plant historian) and creates a model of the normal behaviour of the system. The second component (HybMonitor) uses the system’s models and predicts the ‘normal’ behaviour of the system under test. It reads the actual state of the system, identifies the operational mode and predicts the next values of the sensor readings. HybMonitor can predict transitions of control strategy based on prior knowledge.

Developer: John Henry Castellanos
Advisor: Prof Jianying Zhou
Publications:

Castellanos, J. H., & Zhou, J. (2019, June). A modular hybrid learning approach for black-box security testing of CPS. In International Conference on Applied Cryptography and Network Security (pp. 196-216). Springer, Cham. https://dl.acm.org/doi/abs/10.1007/978-3-030-21568-2_10

NoisePrint

NoisePrint is an attack detection scheme to detect data integrity attacks on sensors in Cyber-Physical Systems. It uses a fingerprinting approach that is based on sensor and process noise.

NoisePrint combines the fingerprints of the sensor noise and the process noise that are created during normal operation of the system. Under a sensor spoofing attack, the noise pattern deviates from the fingerprinted pattern, enabling the proposed scheme to detect attacks. To extract the noise (the difference between expected and observed values), a representative model of the system is derived. A Kalman filter is used for state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is observed that in steady state the residual vector is a function of the process and sensor noise. A set of time-domain and frequency-domain features is extracted from the residual vector. The feature set is provided to a machine learning algorithm to identify the sensor and process.
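As an added illustration of the residual-based fingerprinting described above (not NoisePrint’s own code), a one-dimensional Kalman filter extracts the residual from a constructed level-sensor trace, fingerprints its time-domain statistics over an attack-free window, and flags two spoofed windows whose noise pattern no longer matches. The tank model, noise levels, attack shapes and detection band are all assumptions made for the example; a threshold band stands in for the paper’s machine-learning classifier.

```python
import math
import random

# Constructed tank model (assumed, not NoisePrint's own plant parameters):
# level x[k+1] = x[k] + U + w, reading z[k] = x[k] + v, w ~ N(0, Q), v ~ N(0, R)
U, Q, R = 0.1, 0.01, 0.25

def simulate_readings(n, attack=None, seed=1):
    """Constructed sensor trace; attack='ramp' replaces readings with a noise-free
    ramp, attack='stale' replays one frozen reading (both are spoofing cases)."""
    rng, x, out = random.Random(seed), 10.0, []
    for k in range(n):
        x += U + rng.gauss(0, math.sqrt(Q))
        if attack == "ramp":
            out.append(10.0 + U * k)
        elif attack == "stale":
            out.append(12.0)
        else:
            out.append(x + rng.gauss(0, math.sqrt(R)))
    return out

def residuals(readings):
    """1-D Kalman filter; returns innovations z - x_hat, the noise signal NoisePrint fingerprints."""
    x, p, res = readings[0], 1.0, []
    for z in readings:
        x, p = x + U, p + Q                    # predict one step ahead
        res.append(z - x)                      # residual before the update
        k = p / (p + R)                        # Kalman gain
        x, p = x + k * (z - x), (1 - k) * p    # correct with the reading
    return res

def features(res):
    """Time-domain features of the residual: mean, standard deviation, lag-1 autocorrelation."""
    n = len(res)
    mean = sum(res) / n
    var = sum((e - mean) ** 2 for e in res) / n
    ac1 = sum((res[i] - mean) * (res[i - 1] - mean) for i in range(1, n)) / (n * var) if var else 0.0
    return mean, math.sqrt(var), ac1

def fingerprint(n=400):
    """Training phase: learn the noise fingerprint from an attack-free window."""
    return features(residuals(simulate_readings(n, seed=7)))

def is_spoofed(readings, fp):
    """Detection phase: flag a window whose residual statistics leave the
    fingerprinted band (the band widths are assumed thresholds)."""
    mean, std, _ = features(residuals(readings))
    fp_mean, fp_std, _ = fp
    return abs(mean - fp_mean) > 0.5 * fp_std or not (0.6 * fp_std < std < 1.4 * fp_std)
```

In steady state the residual standard deviation settles near sqrt(P + R), where P is the filter’s predicted-state variance; a noise-free ramp collapses it towards zero and a frozen reading shifts the residual mean, so both spoofed windows are flagged while a fresh genuine window is not.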

Developer: Dr Mujeeb Chuadhry
Advisor: Prof Jianying Zhou
Publications:

PAS-II

PAS-II analyses log discrepancies to detect anomalies in ICS. It compares logs from a primary system (unpatched) and a secondary “shadow” system (patched) to identify unexpected differences. This approach helps flag potential security issues in ICS. PAS-II uses five analytical modules to process and analyse log data. Initial results show that, when patches are acceptable, the algorithm consistently produces fidelity scores above 95%.

Developer: Jit Biswas
Advisor: Prof David Yau

Jit Biswas, David K. Y. Yau, Li Zihao, Yu Ming, Kon Ih Lunn, Tan Keng Nan, Zhang Zhimin, Jimmy Chua, Tso Wai Ann, Heng Yong Kean, “Reliability assessment of patched SCADA EMS/DMS servers through similarity matching,” 2022 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT). https://ieeexplore.ieee.org/document/9817486

PlantIO

PlantIO is a suite of tools that can be used by anyone working on anomaly detection mechanisms (ADM), visualisation tools or simulation tools which require visualisation. It provides a backbone which simplifies the process of retrieving, storing, publishing, and replaying data over a network. ADMs which have implemented the required PlantIO packages can make use of the PlantViz GUI, or any other visualisation tools, to display their alerts and predictions.

The default data source for PlantIO is the Operational Historian in SWaT testbed, which receives measurements from sensors in real-time. Users are also able to retrieve historical data sources such as CSV files containing past measurements or even use it in tandem with DigitalTwins or other data players.

Developer: Muhammad Syuqri Bin Johanna
Advisor: Prof Aditya Mathur

PlantViz

Over the years, researchers in iTrust have used various defence techniques to develop a variety of novel anomaly detection mechanisms (ADM). These detection mechanisms include Distributed Attack Detection (DAD), Generalised Auto-Regressive model with eXogenous input (GARX), noise-based detection (NoisePrint), and various models using AI techniques. With each ADM, a separate Graphical User Interface (GUI) is usually designed to assist operators in making sense of the information received from the operational plant as well as the ADMs.

To consolidate the GUIs of the individual ADMs, we have developed SWaT PlantViz, an integrated and feature-rich GUI for current and future ADMs. PlantViz is a robust and dynamic web application that enables users to view the state of the plant in real-time as well as the anomalies detected by the ADMs registered with the visualiser.

The GUI can accommodate up to four subplots. This allows users to monitor and focus on a specific stage of the plant network, or on multiple stages, at any time. When a predictor is registered, the predicted state may also be plotted against the actual state.

Developer: Muhammad Syuqri Bin Johanna
Advisor: Prof Aditya Mathur

Virtual and Mixed Reality for Security of Critical City-Scale Cyber-Physical Systems

VVateR is a virtual three-dimensional world for visualising Cyber-Physical Systems such as a city-wide water treatment and water distribution plant.

A key novelty of VVateR is its ability to enable visualisation of cyber-attacks, the resulting process anomalies, and whether or not the anomaly is detected. VVateR is currently operational in iTrust. It is connected to two plants, namely a water treatment plant named SWaT and a water distribution plant named WADI. Both SWaT and WADI are fully operational plants.

VVateR is accessed by wearing a virtual reality headset where the user/gamer can move about and interact with the plant in the virtual space. This opens up the plants for remote worldwide research collaboration and aids in capturing context from the plant that Mixed Reality promises to bring to industrial settings. VVateR helps visualise the interconnectedness of various infrastructures and the effects of cyber-physical attacks through complex and dangerous scenarios that can be safely tested in a virtual setting. Observing slow historical plant operation and path of attacks at varying timelapse rates makes the process of reconnaissance and incident-analysis arguably faster and more visually engaging than an analysis of the database logs.

When connected to a simulator, VVateR acts as a Digital Twin on which numerous attack/defence scenarios and serious gamified challenges can be built for training purposes. All these factors increase the preparedness of operators, policymakers, governments, and other relevant stakeholders in strengthening their cities and Critical Infrastructures through security by design.

Developer: Siddhant Shrivastava
Advisor: Prof Aditya Mathur