Daejeon, South Korea 01 Introduction 02 HAI Testbed 03 HAI - - PowerPoint PPT Presentation

Hyeok-Ki Shin*, Woomyo Lee, Jeong-Han Yun and HyoungChun Kim The Affiliated Institute of ETRI Daejeon, South Korea

01 02 03 04 Introduction HAI Testbed HAI Security Dataset Conclusion & Future Works

3/13 ICS Security Dataset Training Dataset Testing Dataset Labeled Dataset Training Testing Validation t t0 tf

labeled as normal or abnormal an complete normal behaviors user’ selection abnormal behaviors

• Essential to develop ICS security research based on AI techniques
• A labeled time series data that is collected on both normal & abnormal situations of ICS
• Extraction of the ICS features
• Training to fit a model using training data
• Tuning the hyper parameters
• Selection of the best model

Training Stage Validation Stage Testing Stage

• Prediction and evaluation of the

model using various metric

General ral Sc Scheme for A r AI-bas based d securi rity y res researc arch

4/13

HAI 1.0 focused on

Training dataset : normal behaviors Testing dataset : normal & abnormal behaviors

• Over

vercomin ming the e pr proces ess simpl implic icit ity of lab-scale e tes estbeds beds

• Min

inimi imizatio ion of long-ter erm huma man in inter erven ventio ion for norma mal oper peratio ions

• Rea

ealiz izatio ion of va vario ious & soph phis istic icated ed ICS CS attacks ks on rea eal-world d system em

• Labeling

ng anoma

• malies

s accur curate tely

• Mainta

ntaini ning ng consiste nsistenc ncy y fo for replicate cates

• Being

ng able to syste stema mati tically y expand nd the atta tack cks on a larg rge-scale cale syste stem

Process augmentation with a HIL simulator 1 Unmanned normal Operation 2 Scalable attack tool based on process control loop 3

5/13

• Three ICS testbeds were interconnected via HIL simulator that simulates complex power generation system.
• To increase the correlation between signals, not to get precise simulation results
• P1. Boiler
• P2. Turbine
• P3. Water Treatment
• P4. HIL Simulator

6/13

(Level 2) Supervisory Control

Hard wired Vendor-specific bus

EWS OWS OPC Server Historian EWS OWS Historian EWS HIL Simulation (Level 1) Process Control (Level 0) Field Devices /IOs DCS (Emerson Ovation) DCS (GE Mark VIe) Remote I/O Rack Remote I/O Rack PLC (Siemens S7-300) Water-Treatment Process PLC (Siemens S7-1500) OPC GW Unmanned Operator OPC Server Trender Emerson GE FESTO Boiler Process Turbine Process ICS Attack Tool

Ethernet TCP/IP

SCADA DB NTP

Manual

• Changing the set points for five controllers (PC, LC, FC, TC, LC)
• 5 times a day, start with a random delay
• Automatic operation

1) Check whether the controller is stabilized at the scheduled time 2) Send a new SP command within operational range

Auto

7/13

• Calibration FB: 𝑧 = 𝑏𝑦 + 𝑐
• Normalization FB: 𝑧 =

𝑦−𝑏 𝑐−𝑏

• PID control algorithm FB: 𝑧 = 𝑄𝑓 𝑢 + 𝐽 ׬ 𝑓 𝑢 𝑒𝑢 + 𝐸𝑒𝑓(𝑢)

𝑒𝑢 , 𝑓(𝑢) = 𝑄𝑊(𝑢) − 𝑇𝑄(𝑢) ADC Calibration Setpoint Algorithm Calibration DAC SP PV Control Algorithm CO

HMI Sensor Actuator

Nomalization

Historian

Gains Nomalization

Controller

• Attack targets: PCLs = {‘LC’, ‘FC’, ‘PC’, ‘SC’, ‘LC’} x Variables:{‘SP’, ‘PC’, ‘CO’}
• Changing the SP, PV, CO values by modifying the parameters of Function Block(FB)

8/13

ADC Calibration Setpoint Algorithm Calibration DAC SP PV Control Algorithm CO

HMI Sensor Actuator

Nomalization

Historian

Gains Nomalization

Controller

Response Prevention!! Change SP! Change SP! Change SP! Change CO! Change CO! Change CO!

• Attack instances for a single PCL
• Attack scenario = combination of PCL attack primitives
• Attack types

1) Response Prevention: hiding abnormal response on PV on HMI 2) SP attack: forcing the SP value to indirectly change the CO value 3) CO attack: forcing the CO value directly

• For five PCLs (P1.PC, P1.FC, P1.LC, P2. SC, P3.LC)
• 4 SP attacks [1,5,7,11]
• 4 SP&RP attacks [2,6,8,12]
• 2 CO attacks [3,8]
• 2 CO&RP attacks [4, 10]
• 2 SP&CO attacks [13,14]

9/13

• 1. PCL Configuration
• 2. Attack Configuration

1. . PCL CL Config iguratio ion

• PCL variables {SP=‘B3005’, PV=‘FT01’, CO=‘FCV01’}
• FB parameters of the PCL variables

2. . Attack k Config iguratio ion

• Response prevention : replaying PV with a normal snapshot
• SP attack: manipulating the SP value hiding SP changes

3. . Attack k Sch Schedu edulin ing

• Attack task starts at the scheduled time

4. . Data Data Label belin ing

• Detecting the forced changes of FB parameters
• Extracting the attack interval and points

(e.g. ‘Boiler-FC– SP’, ‘Boiler-FC-PV’)

• 3. Attack Scheduling

Controller HMI SP PV (sensor) CO (actuator) Controller HMI Controller

10/13

• Column 01: timestamp ‘yyyy-MM-dd hh:mm:ss’
• Column 02 ~ 59:
• 58 data points continuously collected every second
• Column

mn 60: : attack label indicating for any attack

• Column

mn 61~63: : attack labels for each real system (boiler, turbine, water-treatment)

• Dataset A
• Training: 7 day
• Testing: 28 attacks
• ver 4 days
• Data

Dataset et B

• Training: 3 days
• Testing: 10 attacks
• ver 1.5 days

Two Dataset 63 Columns

Training dataset (3 days) Training dataset (7 days)

HAI HAI 1.0 Securit .0 Security y Da Data taset set

Gi GitHub b https://github.com/icsdataset Kagg ggle le https://kaggle.com/icsdataset

12/13

attack label HAI 1.0

SP & PV

SP attack PV Response Prevention

PV1 PV2 SP1

abnormal normal abnormal normal

• Including all transient sections according to attacks
• A transient state identification(TSID) for the correlated PV values

HAI 2.0

HAICon 2020

Anomaly Detection Contest with HAI 2.0 Dataset

• Aug. 17 ~ Sep. 29

₩20,000,000 ($16,000) prize money https://dacon.io

Please note that foreign participants must team up with at least one Korean