A fundamental problem in the realm of cyber-physical security of smart water networks is attack detection, a key step towards designing adequate countermeasures. This task is typically carried out by algorithms that analyze time series of process data. However, the nature of the data available to develop these algorithms limits their capabilities: by relying on process data only, one cannot distinguish a cyber-attack from the failure of a system’s component or identify the root cause of an attack. Here, we show that these limitations can be addressed through the joint analysis of process and network data—with the latter representing the information exchanged between the components constituting the Industrial Control System, such as sensors and Programmable Logic Controllers (PLCs). For this purpose, we utilize a dataset generated by digital hydraulic simulator (DHALSIM)—a numerical modelling platform built on a two-way interaction between EPANET version 2.2 and a network emulation tool—which is extended here to include a framework for launching cyber-physical attacks. This paper presents a dataset with realistic network information of a smart water network under cyber-physical attacks and presents an analysis of how that information can enable the development of better intrusion detection systems that can localize and identify attacks. Through this analysis, the dataset provided here, and the open-source availability of DHALSIM, our work paves the way to a novel class of analytics for actionable detection.@en

Recently, reconstruction-based anomaly detection was proposed as an effective technique to detect attacks in dynamic industrial control networks. Unlike classical network anomaly detectors that observe the network traffic, reconstruction-based detectors operate on the measured sensor data, leveraging physical process models learned a priori. In this work, we investigate different approaches to evade prior-work reconstruction-based anomaly detectors by manipulating sensor data so that the attack is concealed. We find that replay attacks (commonly assumed to be very strong) show bad performance (i.e., increasing the number of alarms) if the attacker is constrained to manipulate less than 95% of all features in the system, as hidden correlations between the features are not replicated well. To address this, we propose two novel attacks that manipulate a subset of the sensor readings, leveraging learned physical constraints of the system. Our attacks feature two different attacker models: A white box attacker, which uses an optimization approach with a detection oracle, and a black box attacker, which uses an autoencoder to translate anomalous data into normal data. We evaluate our implementation on two different datasets from the water distribution domain, showing that the detector's Recall drops from 0.68 to 0.12 by manipulating 4 sensors out of 82 in WADI dataset. In addition, we show that our black box attacks are transferable to different detectors: They work against autoencoder-, LSTM-, and CNN-based detectors. Finally, we implement and demonstrate our attacks on a real industrial testbed to demonstrate their feasibility in real-time.@en

Numerical simulation models are a fundamental tool for planning and managing smart water networks—an evolution of water distribution systems in which physical assets are monitored and controlled by information and communication technologies. While simulation models allow us to understand the interactions between physical processes and abstract control strategies, they ignore key implementation aspects of distributed control systems, such as the required communication over digital links. As a result, the effects of anomalies and faults in the communication on the process control cannot be investigated with existing tools. In this work, we fill this gap by introducing DHALSIM (Digital HydrAuLic SIMulator), a numerical modelling platform combining EPANET-based process simulation with a network and host emulation environment, offering a high-fidelity representation of the processes occurring in the cyber domain. We illustrate DHALSIM’s key functionalities by implementing it on a benchmark water distribution system, present case studies of simulated network traffic, and demonstrate how anomalies in the behavior of the communication network affect the process data received by the supervisory control and data acquisition (SCADA) server. In a companion paper, we further illustrate how DHALSIM enables research opportunities in the domain of cyber-physical security. The easily customizable and open source DHALSIM provides a “workbench” for studying smart water networks, developing digital twins, and designing a broad spectrum of engineering solutions.@en

Modern Industrial Control Systems (ICSs) allow remote communication through the Internet using industrial protocols that were not designed to work with external networks. To understand security issues related to this practice, prior work usually relies on active scans by researchers or services such as Shodan. While such scans can identify publicly open ports, they cannot identify legitimate use of insecure industrial traffic. In particular, source-based filtering in Network Address Translation or Firewalls prevent detection by active scanning, but do not ensure that insecure communication is not manipulated in transit.In this work, we compare Shodan-only analysis with largescale traffic analysis at a local Internet Exchange Point (IXP), based on sFlow sampling. This setup allows us to identify ICS endpoints actually exchanging industrial traffic over the Internet. Besides, we are able to detect scanning activities and what other type of traffic is exchanged by the systems (i.e., IT traffic). We find that Shodan only listed less than 2% of hosts that we identified as exchanging industrial traffic, and only 7% of hosts identified by Shodan actually exchange industrial traffic. Therefore, Shodan does not allow to understand the actual use of insecure industrial protocols on the Internet and the current security practices in ICS communications. We show that 75.6% of ICS hosts still rely on unencrypted communications without integrity protection, leaving those critical systems vulnerable to malicious attacks.@en

In recent years, several schemes have been proposed to detect anomalies and attacks on Cyber-Physical Systems (CPSs) such as Industrial Control Systems (ICSs). Based on the analysis of sensor data, unexpected or malicious behavior is detected. Those schemes often rely on (implicit) assumptions on temporally stable sensor data distributions and invariants between process values. Unfortunately, the proposed schemes often perform not optimally with Recall scores lower than 70% (e.g., missing 3 alarms every 10 anomalies) for some ICS datasets, with unclear root issues. In this work, we propose a general framework to check whether a given ICS dataset has specific properties (stable sensor distributions in normal operations, potentially state-dependent), which then allows to determine whether certain Anomaly Detection approaches can be expected to perform well. We apply our framework to three datasets showing that the behavior of actuators and sensors are very different between Training set and Test set. In addition, we present high-level guides to consider when designing an Anomaly Detection System. @en

Cheap commercial off-the-shelf (COTS) drones have become widely available for consumers in recent years. Unfortunately, they also provide low-cost capabilities for attackers. Therefore, effective methods to detect the presence of non-cooperating rogue drones within a restricted area are highly required. Approaches based on detection of control traffic have been proposed but were not yet shown to work against other benign traffic, such as that generated by wireless security cameras. In this work, we propose a novel drone detection framework based on a Random Forest classification model. In essence, the framework leverages specific patterns in video traffic transmitted by drones. The patterns consist of repetitive synchronization packets (denoted as pivots) which we use as features in the proposed machine learning classifier. We show that our framework can achieve up to 99% detection accuracy over an encrypted WiFi channel using only 20 packets originated from the drone. Our system is able to identify drone transmissions even among very similar WiFi transmission (such as a security camera video stream) and in a noisy scenario with background traffic. @en