Thanks to the availability of the testbeds at iTrust, researchers are able to test and validate their defence mechanisms. By launching cyber attacks and running cyber exercises, the researchers can also investigate and fine-tune the responses of those mechanisms to the attacks. Below are the technologies developed by iTrust researchers over the years.

Argus

Argus is a variant of Distributed Attack Detection (DAD; see the separate entry below). It has the same detection capability as DAD but relies on data from the Historian instead of the PLC. In addition, Argus can be deployed on a separate server, adding a defence layer that is orthogonal to the PLC-based one.

Argus leverages the same principle of process invariants and uses the same algorithms employed in DAD. The difference is that Argus takes its data from the Historian of a CPS instead. In this manner, Argus is still able to detect process abnormalities when the PLC has been compromised by hackers. Argus is useful in operational legacy systems, since such systems might not be able to support the deployment requirements of DAD.

Developer: Siddhant Shrivastava
Advisor: Prof Aditya Mathur

BlockOps

BlockOps uses blockchain technology and redundancy capabilities to ensure that the operational and network traffic data stored in an industrial control system (ICS) is secure and can be trusted. By constantly validating data integrity in the background, it is able to generate an alert when data has been tampered with (modified or deleted) and to enable its recovery. All of these functions can be managed through a user-friendly graphical user interface. An advantage of the BlockOps technology is that it can be easily integrated into an existing ICS and work alongside the historian without affecting its data flow.

The BlockOps technology is an end-to-end prototype which has been implemented in the Secure Water Treatment (SWaT) testbed. A patent has also been filed for the technology.

Developer: Aung Maw
Advisor: Prof Aditya Mathur

Distributed Attack Detection (DAD)

Distributed Attack Detection (DAD) is a patented attack detection system. Throughout the course of its development, DAD was iteratively improved through extensive experimentation in the Secure Water Treatment (SWaT) testbed.

DAD can be considered a host-based intrusion detection system (HIDS). Specifically, it collects data on the various sensor measurements of the processes, such as water pH value, water level and flow indicator, for analysis and process anomaly detection. By using all 52 sensor values of SWaT, it can detect single-stage multi-point and multi-stage multi-point cyber-attacks in a distributed control system.

DAD uses “security by design” against many basic and advanced attacker models. Based on the rules of physics, it directly verifies the process variables of the CPS within the distributed PLCs to check for abnormal behaviour. Process variables are time-dependent and interrelated across the entire plant process. Hence, their values are constrained by the relationships they have with the other process variables, as governed by the fundamental laws of physics and/or chemistry. The relationships among these constrained variables lead to process invariants – the basis of DAD’s rule-based algorithms.

The invariants are embedded in PLCs as well as special hardware devices known as intelligent checkers (ICs) with wired interfaces to sensors and actuators. The invariants are checked constantly to ensure the underlying processes are behaving as intended. When an invariant is violated, the underlying CPS process has diverged from its intended behaviour and an alarm is triggered.
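A minimal invariant check of the kind described above, written here as an added example (it is not iTrust's DAD code) for one constructed tank stage: a mass-balance invariant relating level to inlet and outlet flows, and a state invariant tying the inlet to the high-high level. The sensor names, tank area, pump rate, tolerance and setpoint are hypothetical.

```python
from dataclasses import dataclass

# Constructed single-tank stage (hypothetical values, not SWaT calibration):
# a level sensor (LIT), an inlet flow meter (FIT) and an outlet pump (P).
TANK_AREA = 1.5   # m^2
PUMP_RATE = 0.3   # m^3/min drawn when the outlet pump runs
DT = 1.0          # minutes between historian samples
TOLERANCE = 0.02  # m of allowed level/flow mismatch per step
LEVEL_HH = 1.5    # m, high-high setpoint: the inlet must be closed above it

@dataclass
class Sample:
    t: int
    lit: float    # tank level, m
    fit: float    # inlet flow, m^3/min
    pump: int     # 1 = outlet pump running

def predicted_level(prev: Sample) -> float:
    """Mass-balance invariant: level change = (inflow - outflow) * DT / area."""
    outflow = PUMP_RATE if prev.pump else 0.0
    return prev.lit + (prev.fit - outflow) * DT / TANK_AREA

def check_invariants(samples):
    """Return (t, invariant name) for every sample that violates an invariant."""
    alarms = []
    for prev, cur in zip(samples, samples[1:]):
        if abs(cur.lit - predicted_level(prev)) > TOLERANCE:
            alarms.append((cur.t, "level inconsistent with flows"))
        if cur.lit > LEVEL_HH and cur.fit > 0:
            alarms.append((cur.t, "inlet open above high-high level"))
    return alarms

def constructed_trace():
    """Seven physically consistent steps, then the level reading is frozen
    (a spoofed sensor) while the inlet keeps running with the pump off."""
    samples = [Sample(0, 0.50, 0.15, 0)]
    for t in range(1, 12):
        prev = samples[-1]
        reported = prev.lit if t >= 8 else predicted_level(prev)
        samples.append(Sample(t, round(reported, 4), 0.15, 0))
    return samples

if __name__ == "__main__":
    for alarm in check_invariants(constructed_trace()):
        print(alarm)
```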

Developer: Sridhar Adepu
Advisor: Prof Aditya Mathur

GARX

GARX is a defence mechanism based on a refinement of auto-regression and cumulative sum techniques. It detects anomalies in the continuous systems of SWaT through streamlined regression. In one step, GARX can predict the change in the endogenous variable (whose value is determined by other variables within the system) based on a single delay of each exogenous variable (whose value is determined by variables outside the system).

The value of the fitness function lies between zero and one. A high value, for instance 0.98, indicates that the invariant model fits the observed data well. When a change is detected, its value is added to a cumulative sum variable. An alarm is raised when this cumulative sum exceeds the threshold of the detection strategy used.

Developer: Dr Andrew Yoong
Advisor: Prof Aditya Mathur

HybMonitor

The HybMonitor tool is a black-box modelling approach to detecting cyber-attacks in cyber-physical systems. It uses a model of the system under analysis to predict future behaviour, and is thereby able to detect behaviour that diverges from what is expected.

HybMonitor relies on two different tools: HybModeller and HybMonitor. HybModeller uses historical data (from the plant historian) and creates a model of the normal behaviour of the system. The second component (HybMonitor) uses the system’s models to predict the ‘normal’ behaviour of the system under test. It reads the actual state of the system, identifies the operational mode and predicts the next values of the sensor readings. HybMonitor can also predict transitions of the control strategy based on prior knowledge.

Developer: John Henry Castellanos
Advisor: Prof Jianying Zhou

Multi-layer Perceptron (MLP) Neural Network Based Anomaly Detector

The multi-layer perceptron (MLP) neural network-based anomaly detector was developed for the real-time detection of process anomalies in the Secure Water Treatment (SWaT) testbed.

MLP is an unsupervised, host-based intrusion detection system which relies on the sensor measurements for anomaly detection. The values of the state variables are time-dependent during SWaT’s operation. By treating this as a time series prediction problem, the temporal dependences are captured by the MLP model, which predicts their future values. During the training process, parameters such as the hidden layers, learning rate and momentum of the MLP are fine-tuned using data collected from the normal operation of the plant, so as to achieve minimal prediction error. Further, a window-based cumulative sum and percentile approach is used to detect abnormal deviations between the observed and predicted sensor values, identifying anomalies with the fewest false alarms.
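The two ingredients shared by the GARX and MLP entries above, a one-step predictor of the change in a process variable with a fitness value in [0, 1], and a cumulative-sum test on its residual that raises an alarm at a threshold, as an added illustration on constructed data (this is not iTrust's code). The one-delay linear regression stands in for GARX's model and for the MLP; the process gain, noise level, CUSUM drift and threshold are assumed values.

```python
import random, statistics

def fit_one_delay(x, y):
    """Least-squares fit of dy[t] = a + b*x[t-1]: the change in the endogenous
    variable y from a single delay of the exogenous variable x.
    Returns (a, b, r2); r2 is the fitness value in [0, 1]."""
    dy = [y[t] - y[t-1] for t in range(1, len(y))]
    xd = [x[t-1] for t in range(1, len(y))]
    mx, my = statistics.fmean(xd), statistics.fmean(dy)
    sxx = sum((u - mx) ** 2 for u in xd)
    sxy = sum((u - mx) * (v - my) for u, v in zip(xd, dy))
    b = sxy / sxx
    a = my - b * mx
    ss_res = sum((v - (a + b * u)) ** 2 for u, v in zip(xd, dy))
    ss_tot = sum((v - my) ** 2 for v in dy)
    return a, b, 1.0 - ss_res / ss_tot

def cusum_alarms(x, y, a, b, drift, threshold):
    """Two-sided CUSUM on the one-step prediction residual; both sums are reset
    after an alarm. Returns the sample indices at which alarms fired."""
    s_pos = s_neg = 0.0
    alarms = []
    for t in range(1, len(y)):
        resid = (y[t] - y[t-1]) - (a + b * x[t-1])
        s_pos = max(0.0, s_pos + resid - drift)
        s_neg = max(0.0, s_neg - resid - drift)
        if s_pos > threshold or s_neg > threshold:
            alarms.append(t)
            s_pos = s_neg = 0.0
    return alarms

def constructed_trace(rng, n, attack_from=None, step=0.0):
    """Constructed data: inlet flow x (exogenous) and tank level y with
    dy = 0.1*x plus Gaussian sensor noise. From `attack_from` onward the reported
    level is lowered by a further `step` every sample (a slow spoof)."""
    x = [rng.uniform(0.1, 0.3) for _ in range(n)]
    y, level, spoof = [], 1.0, 0.0
    for t in range(n):
        if attack_from is not None and t >= attack_from:
            spoof -= step
        y.append(level + spoof + rng.gauss(0.0, 0.002))
        level += 0.1 * x[t]          # the physical process itself is untouched
    return x, y

def demo():
    """Train on normal operation, then monitor a run spoofed from sample 60."""
    rng = random.Random(7)
    a, b, r2 = fit_one_delay(*constructed_trace(rng, 200))
    x, y = constructed_trace(rng, 100, attack_from=60, step=0.02)
    return b, r2, cusum_alarms(x, y, a, b, drift=0.005, threshold=0.05)
```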

Developer: Dr Gauthama Raman Mani Iyer Ramani
Advisor: Prof Aditya Mathur

NoisePrint

NoisePrint is an attack detection scheme to detect data integrity attacks on sensors in Cyber-Physical Systems. It uses a fingerprinting approach that is based on sensor and process noise.

NoisePrint combines the fingerprints of sensor noise and process noise created during normal operation of the system. Under a sensor spoofing attack, the noise pattern deviates from the fingerprinted pattern, enabling the scheme to detect the attack. To extract the noise (the difference between the expected and observed value), a representative model of the system is derived. A Kalman filter is used for state estimation. By subtracting the state estimates from the real system states, a residual vector is obtained. It is observed that in steady state the residual vector is a function of process and sensor noise. A set of time-domain and frequency-domain features is extracted from the residual vector, and the feature set is provided to a machine learning algorithm to identify the sensor and process.
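An added example of the fingerprinting idea (not NoisePrint's own implementation): a simple difference model is used in place of the Kalman filter to obtain the residual, time-domain features of the residual are summarised into a fingerprint of the genuine sensor, and a normalised feature distance separates fresh genuine windows from a spoofed source whose noise is different. The process gain, noise levels, window size and feature set are assumptions.

```python
import math
import random
import statistics

GAIN = 0.1  # assumed known process gain: level change = GAIN * inflow (hypothetical)

def residuals(x, y):
    """r[t] = observed level change minus model-predicted change; once the model
    tracks the process, what remains is sensor (and process) noise."""
    return [(y[t] - y[t-1]) - GAIN * x[t-1] for t in range(1, len(y))]

def noise_features(window):
    """Time-domain noise features: std, skewness, kurtosis, lag-1 autocorrelation."""
    m, s = statistics.fmean(window), statistics.pstdev(window)
    z = [(v - m) / s for v in window] if s > 0 else [0.0] * len(window)
    return [s, statistics.fmean(v ** 3 for v in z), statistics.fmean(v ** 4 for v in z),
            statistics.fmean(z[i] * z[i + 1] for i in range(len(z) - 1))]

def fingerprint(resid, win):
    """Per-feature mean and spread over the windows of a normal-operation run."""
    feats = [noise_features(resid[i:i + win]) for i in range(0, len(resid) - win + 1, win)]
    return ([statistics.fmean(c) for c in zip(*feats)],
            [statistics.pstdev(c) for c in zip(*feats)])

def noise_distance(window, fp):
    """Normalised distance of one window's noise features from the fingerprint."""
    return math.sqrt(sum(((f - m) / (s or 1e-9)) ** 2
                         for f, m, s in zip(noise_features(window), *fp)))

def constructed_run(rng, n, sigma):
    """Constructed trace: inflow x and level y with dy = GAIN*x, read through a
    sensor with Gaussian noise of std `sigma`; a spoofed source has a different sigma."""
    x = [rng.uniform(0.1, 0.3) for _ in range(n)]
    y, level = [], 1.0
    for t in range(n):
        y.append(level + rng.gauss(0.0, sigma))
        level += GAIN * x[t]
    return x, y

def demo(win=50):
    """Fingerprint the genuine sensor, then score fresh genuine and spoofed windows."""
    rng = random.Random(3)
    fp = fingerprint(residuals(*constructed_run(rng, 1001, 0.002)), win)
    genuine = residuals(*constructed_run(rng, 201, 0.002))
    spoofed = residuals(*constructed_run(rng, 201, 0.0002))   # much quieter noise
    score = lambda r: [noise_distance(r[i:i + win], fp) for i in range(0, len(r) - win + 1, win)]
    return max(score(genuine)), min(score(spoofed))
```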

Developer: Dr Mujeeb Chuadhry
Advisor: Prof Jianying Zhou

PlantViz

Over the years, researchers in iTrust have used various defence techniques to develop a variety of novel anomaly detection mechanisms (ADMs). These detection mechanisms include Distributed Attack Detection (DAD), the Generalised Auto-Regressive model with eXogenous input (GARX), noise-based detection (NoisePrint), and various models using AI techniques. For each ADM, a separate graphical user interface (GUI) is usually designed to assist operators in making sense of the information received from the operational plant as well as from the ADM.

To consolidate the GUIs of the individual ADMs, we have developed SWaT PlantViz, an integrated and feature-rich GUI for current and future ADMs. PlantViz is a robust and dynamic web application that enables users to view the state of the plant in real time as well as the anomalies detected by the ADMs registered with the visualiser.

The default data source is the Operational Historian in the SWaT testbed, which receives measurements from the sensors in real time. Users are also able to load historical data sources, such as CSV files containing past measurements. Multi-plot views and predicted values for tags are also supported.

The GUI can accommodate up to four subplots. This allows users to monitor and focus on a specific stage of the plant network, or on multiple stages, at any time. When a predictor is registered, the predicted state of these plots may also be shown against the actual state.

Developer: Muhammad Syuqri Bin Johanna
Advisor: Prof Aditya Mathur

Virtual and Mixed Reality for Security of Critical City-Scale Cyber-Physical Systems

VVateR is a virtual three-dimensional world for visualising cyber-physical systems such as a city-wide water treatment and water distribution plant.

A key novelty of VVateR is its ability to enable visualisation of cyber-attacks, the resulting process anomalies, and whether or not each anomaly is detected. VVateR is currently operational in iTrust. It is connected to two plants, namely a water treatment plant named SWaT and a water distribution plant named WADI. Both SWaT and WADI are fully operational plants.

VVateR is accessed by wearing a virtual reality headset, through which the user/gamer can move about and interact with the plant in the virtual space. This opens up the plants for remote worldwide research collaboration and aids in capturing the plant context that Mixed Reality promises to bring to industrial settings. VVateR helps visualise the interconnectedness of various infrastructures and the effects of cyber-physical attacks through complex and dangerous scenarios that can be safely tested in a virtual setting. Observing historical plant operation and the path of an attack at varying time-lapse rates makes reconnaissance and incident analysis arguably faster and more visually engaging than analysing database logs.

When connected to a simulator, VVateR acts as a Digital Twin, allowing one to devise numerous attack/defence scenarios and serious gamified challenges for training purposes. All these factors increase the preparedness of operators, policymakers, governments and other relevant stakeholders in strengthening their cities and critical infrastructures through security by design.

Developer: Siddhant Shrivastava
Advisor: Prof Aditya Mathur