Hyeok-Ki Shin*, Woomyo Lee, Jeong-Han Yun and HyoungChun Kim The Affiliated Institute of ETRI Daejeon, South Korea
01 Introduction 02 HAI Testbed 03 HAI Security Dataset 04 Conclusion & Future Works
• Essential to develop ICS security research based on AI techniques
• Labeled time series data collected in both normal & abnormal situations of ICS
General Scheme for AI-based security research
• Training Stage
  - Extraction of the ICS features
  - Training to fit a model using training data
• Validation Stage
  - Tuning the hyper parameters
  - Selection of the best model
• Testing Stage
  - Prediction and evaluation of the model using various metrics
[Figure: timeline from t_0 to t_f of the ICS Security Dataset labeled as normal or abnormal. Labels: Labeled Dataset, normal behaviors, abnormal behaviors, Training Dataset, Testing Dataset, user's selection, Training, Validation, Testing]
3/13
HAI 1.0 focused on
Training dataset: normal behaviors
1. Process augmentation with a HIL simulator
   • Overcoming the process simplicity of lab-scale testbeds
2. Unmanned normal operation
   • Minimization of long-term human intervention for normal operations
Testing dataset: normal & abnormal behaviors
3. Scalable attack tool
   • Realization of various & sophisticated ICS attacks on real-world system based on process control loop
     - Labeling anomalies accurately
     - Maintaining consistency for replicates
     - Being able to systematically expand the attacks on a large-scale system
4/13
• Three ICS testbeds were interconnected via a HIL simulator that simulates a complex power generation system.
• The aim is to increase the correlation between signals, not to get precise simulation results
[Figure: P1. Boiler, P2. Turbine, P3. Water Treatment, P4. HIL Simulator]
5/13
• Changing the set points for five controllers (PC, LC, FC, TC, LC)
  - 5 times a day, start with a random delay
• Automatic operation
  1) Check whether the controller is stabilized at the scheduled time
  2) Send a new SP command within operational range
[Figure: testbed architecture for the Emerson, GE and FESTO systems.
  Level 2, Supervisory Control: EWS, OWS, OPC Server, Historian
  Level 1, Process Control: DCS (Emerson Ovation), DCS (GE Mark VIe), PLC (Siemens S7-1500), PLC (Siemens S7-300)
  Level 0, Field Devices/IOs: Remote I/O Rack, Boiler Process, Turbine Process, Water-Treatment Process, HIL Simulation
  Other components: NTP, Trender, DB, SCADA, Unmanned Operator (Auto), OPC GW, ICS Attack Tool, Manual
  Link types: Ethernet TCP/IP, Vendor-specific bus, Hard wired]
6/13
• Attack targets: PCLs = {‘LC’, ‘FC’, ‘PC’, ‘SC’, ‘LC’} x Variables: {‘SP’, ‘PC’, ‘CO’}
• Changing the SP, PV, CO values by modifying the parameters of Function Block (FB)
  - Calibration FB: $y = ax + b$
  - Normalization FB: $y = \frac{x - a}{b - a}$
  - PID control algorithm FB: $y = P\,e(t) + I \int e(t)\,dt + D\,\frac{de(t)}{dt}$, $e(t) = PV(t) - SP(t)$
[Figure: process control loop. Labels: Historian, HMI, PV, SP, Setpoint Algorithm, Gains, Normalization, Control Algorithm, Calibration, ADC, DAC, Controller, CO, Sensor, Actuator]
7/13
• Attack instances for a single PCL
• Attack scenario = combination of PCL attack primitives
• Attack types
  1) Response Prevention: hiding abnormal response on PV on HMI
  2) SP attack: forcing the SP value to indirectly change the CO value
  3) CO attack: forcing the CO value directly
• For five PCLs (P1.PC, P1.FC, P1.LC, P2.SC, P3.LC)
  - 4 SP attacks [1,5,7,11]
  - 4 SP&RP attacks [2,6,8,12]
  - 2 CO attacks [3,8]
  - 2 CO&RP attacks [4,10]
  - 2 SP&CO attacks [13,14]
[Figure: process control loop with the attack points marked "Change SP!", "Change CO!" and "Response Prevention!!". Labels: Historian, HMI, PV, SP, Setpoint Algorithm, Gains, Normalization, Control Algorithm, Calibration, ADC, DAC, Controller, CO, Sensor, Actuator]
8/13
1. PCL Configuration
   - PCL variables {SP=‘B3005’, PV=‘FT01’, CO=‘FCV01’}
   - FB parameters of the PCL variables
2. Attack Configuration
   - Response prevention: replaying PV with a normal snapshot
   - SP attack: manipulating the SP value hiding SP changes
3. Attack Scheduling
   - Attack task starts at the scheduled time
4. Data Labeling
   - Detecting the forced changes of FB parameters
   - Extracting the attack interval and points (e.g. ‘Boiler-FC-SP’, ‘Boiler-FC-PV’)
[Figure: attack tool screens. Labels: SP (Controller, HMI), PV (sensor) (Controller, HMI), CO (actuator) (Controller)]
9/13
Two Dataset
• Dataset A
  - Training: 7 day
  - Testing: 28 attacks over 4 days
• Dataset B
  - Training: 3 days
  - Testing: 10 attacks over 1.5 days
63 Columns
• Column 01: timestamp ‘yyyy-MM-dd hh:mm:ss’
• Column 02 ~ 59:
  - 58 data points continuously collected every second
• Column 60: attack label indicating for any attack
• Column 61~63: attack labels for each real system (boiler, turbine, water-treatment)
[Figure labels: Training dataset (7 days); Training dataset (3 days)]
10/13
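The 63-column layout above is enough to recover ground-truth attack windows for scoring a detector. The following is an added example, not part of the original slides or the HAI project's code: it reads a file by column position and returns each contiguous attack interval with the systems labeled as affected. It assumes a comma-separated file with a header row and labels stored as 0/1; the function names and the sample data are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

SYSTEMS = ("boiler", "turbine", "water-treatment")  # order given on the slide
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed 24-hour reading of 'yyyy-MM-dd hh:mm:ss'

def is_set(value):
    return float(value) != 0  # assumption: labels are stored as 0/1

def attack_intervals(csv_text, n_columns=63, step=timedelta(seconds=1)):
    """Return (start, end, systems) for each contiguous run of attack rows."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows)  # skip header: columns are addressed by position, not by name
    intervals, run = [], None
    for row in rows:
        if len(row) != n_columns:
            raise ValueError(f"expected {n_columns} columns, got {len(row)}")
        ts = datetime.strptime(row[0], TS_FORMAT)                    # column 01
        hit = {s for s, v in zip(SYSTEMS, row[60:63]) if is_set(v)}  # columns 61~63
        attacked = is_set(row[59])                                   # column 60
        if hit and not attacked:
            raise ValueError(f"{row[0]}: system label set without column 60")
        # Close the open run on a normal row or on a gap in the 1-second sampling.
        if run and (not attacked or ts - run[1] > step):
            intervals.append((run[0], run[1], frozenset(run[2])))
            run = None
        if attacked:
            if run is None:
                run = [ts, ts, set()]
            run[1] = ts
            run[2] |= hit
    if run:  # capture ends while an attack is still labelled
        intervals.append((run[0], run[1], frozenset(run[2])))
    return intervals

def make_sample():
    """Constructed data: 8 one-second rows, attacks at seconds 2-3 and 6-7."""
    header = ["time"] + [f"pt{i:02d}" for i in range(1, 59)] + ["attack", "a1", "a2", "a3"]
    labels = {2: "1100", 3: "1100", 6: "1011", 7: "1011"}
    lines = [",".join(header)]
    for sec in range(8):
        row = [f"2020-01-01 00:00:{sec:02d}"] + ["0.0"] * 58 + list(labels.get(sec, "0000"))
        lines.append(",".join(row))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for start, end, systems in attack_intervals(make_sample()):
        print(start, end, sorted(systems))
```

Interval boundaries taken from the labels mark when the forced change was active, so a detector that fires shortly after the end of an interval may still be reacting to the same event.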
HAI 1.0 Security Dataset
GitHub: https://github.com/icsdataset
Kaggle: https://kaggle.com/icsdataset
• Including all transient sections according to attacks
  - A transient state identification (TSID) for the correlated PV values
[Figure: SP attack with PV response prevention. Traces: SP1, PV1, PV2 (SP & PV). Attack label (normal / abnormal) shown for HAI 1.0 and for HAI 2.0]
12/13
HAICon 2020
Anomaly Detection Contest with HAI 2.0 Dataset
Aug. 17 ~ Sep. 29
₩20,000,000 ($16,000) prize money
https://dacon.io
Please note that foreign participants must team up with at least one Korean