Deriving invariant checkers for critical infrastructure using axiomatic design principles

Cyber-physical systems (CPSs) in critical infrastructure face serious threats of attack, motivating research into a wide variety of defence mechanisms such as those that monitor for violations of invariants, i.e. logical properties over sensor and actuator states that should always be true. Many app...

Bibliographic Details
Main Authors: YOONG, Cheah Huei, PALLETI, Venkata Reddy, MAITI, Rajib Ranjan, SILVA, Arlindo, POSKITT, Christopher M.
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2021
Online Access: https://ink.library.smu.edu.sg/sis_research/6050
https://ink.library.smu.edu.sg/context/sis_research/article/7051/viewcontent/axiomatic_design_cyse21.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-7051
record_format dspace
spelling sg-smu-ink.sis_research-7051 2022-11-03T06:35:30Z
2021-12-01T08:00:00Z text application/pdf
info:doi/10.1186/s42400-021-00069-7
http://creativecommons.org/licenses/by/4.0/
Research Collection School Of Computing and Information Systems
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic cyber-physical systems
critical infrastructure
industrial control systems
systematic design framework
axiomatic design
invariants
anomaly detection
supervised machine learning
Information Security
description Cyber-physical systems (CPSs) in critical infrastructure face serious threats of attack, motivating research into a wide variety of defence mechanisms such as those that monitor for violations of invariants, i.e. logical properties over sensor and actuator states that should always be true. Many approaches for identifying invariants attempt to do so automatically, typically using data logs, but these can miss valid system properties if relevant behaviours are not well-represented in the data. Furthermore, as the CPS is already built, resolving any design flaws or weak points identified through this process is costly. In this paper, we propose a systematic method for deriving invariants from an analysis of a CPS design, based on principles of the axiomatic design methodology from design science. Our method iteratively decomposes a high-level CPS design to identify sets of dependent design parameters (i.e. sensors and actuators), allowing for invariants and invariant checkers to be derived in parallel to the implementation of the system. We apply our method to the designs of two CPS testbeds, SWaT and WADI, deriving a suite of invariant checkers that are able to detect a variety of single- and multi-stage attacks without any false positives. Finally, we reflect on the strengths and weaknesses of our approach, how it can be complemented by other defence mechanisms, and how it could help engineers to identify and resolve weak points in a design before the controllers of a CPS are implemented.