Professional Documents
Culture Documents
Abstract— This paper presents an optimization framework, directions, mapping them on the "prevent, detect, mitigate"
based on Genetic Algorithms, for the control of the "security paradigm for security. In the context of the project ATENA,
level" of a Cyber-Physical System (CPS). The security level is a the partners proposed several solutions for adverse event
quantity that has been studied in several industrial standards,
among which we selected the Open Source Security Testing mitigation [28], attack and anomaly detection [29], [30], and
Methodology Manual (OSSTMM). The proposed optimization for the secure design of CI sub-systems [31], [32].
solution is validated on scenarios representative of real opera- The project ATENA was designed having in mind the
tions of a security evaluator, and numerical simulations report distinction between two different processes for the secure
the performances obtained by the algorithm. operation of CPS:
Keywords: Security, Cyber-Phisycal systems, Optimal • Risk Mitigation, i.e., the process of reconfiguring a
Planning CI in order to mitigate "risk", a quantity that captures
I. INTRODUCTION the likelihood of having a service disruption caused by
detected adverse events or attacks;
In recent years, the study of Cyber-Physical Systems
• Vulnerability Management, i.e., the process of addres-
(CPSs) has become a topic of great interest for control
sing the known vulnerabilities affecting protected sy-
system researchers, as CPSs bring together problems derived
stem so that an eventual attacker would face a secured
from classical control theory with concerns related to com-
system.
puter science and cyber-security [1]. In their most general
The present work deals with the process of vulnerability
definition, CPSs can be considered as interconnected systems
management, and proposes an optimization framework to
that integrate both physical capabilities and computing power
control what we will define as the security level of the
[2] and have found application in several fields, spacing from
protected CI.
manufacturing [3], healthcare [4], telecommunication [5]–[7]
The idea of measuring the security of a system is a concept
and transportation [8] networks, power systems [9], [10] and
that is already broadly investigated by industrial standards,
aerospace [11].
as the Common Vulnerability Scoring System (CVSS) [33],
Several works available in literature focus on real-time
[34] and the Common Criteria for Information Technology
control of CPSs [12]–[14], and their real-time monitoring
Security Evaluation (CC) [35]. The modalities applied and
[15], [16], in order to detect attacks or anomalies that
quantities measured in these various industrial standards
may be affecting the system dynamics. Consequently, a
are different, but they all share a common idea: security
significant amount of effort was spent for identifying suitable
is something that should evaluate a frozen "snapshot" of
models and modelling frameworks by the authors and other
the system, without taking into account ongoing attacks or
researchers in the field [17]–[21].
threats that affect it.
Another research direction in the field of CPSs is the
Among the various industrial standards, the one that is
one related to their security assurance [22], as, for such
the most suitable for the purpose of evaluating the security
complex systems, assuring their controlled operation may not
of a CPS in its wholeness was identified by the consortium
be sufficient to protect them against engineered attacks, such
of the ATENA project in the Open Source Security Testing
as data-altering attacks that corrupt/delay sensor readings or
Methodology Manual (OSSTMM) [36], a methodology that
control signals [23]–[25] or attacks that target the system
identifies a procedure, along with several security-related
control logic itself, as stuxnet [26].
quantities, that is recognized by the industry as a proper
The H2020 project ATENA [27], in which this work was
method for security assessment. The whole methodology
developed, deals with Critical Infrastructures (CIs) protec-
behind OSSTMM is built around the simple concept of
tion and focuses on both of the aforementioned research
having a balance between the number of interaction points
1 A. Giuseppi, A. Tortorelli, R. Germanà, F. Liberati and A. present in the system (e.g., a PLC that interacts with a field
Fiaschetti are with the Department of Computer, Control, and Ma- sensor thought a communication bus), their limitations (e.g.,
nagement Engineering "Antonio Ruberti" at "La Sapienza" Universi-
ty of Rome, Via Ariosto, 25, 00185 Rome, Italy, e-mail: {giusep- the vulnerabilities and weaknesses affecting a encrypted
pi,tortorelli,germana,liberati,fiaschetti}@diag.uniroma1.it. communication channel between a SCADA server and a
This work has been carried out in the framework of the ATENA project RTU) and the number of active security controls (e.g., data
[Grant Agreement 700581] partially funded by the EU. This work reflects
only the authors’ view, the EU Commission is not responsible for any use integrity checks conducted by a PLC before actuating its
that may be made of the information it contains. controls) put in place to address the identified limitations.
51
rity metrics characterised by a more complex mathematical Note that the inequality constraint in the definition of S
structure than OSSTMM. shares the nonlinearity with the cost function. Finally, exam-
In the following section we are going to formulate the pro- ples of additional requirements imposed by the client and
blem of optimal vulnerability management in an optimisation included in the set D are listed below:
form that is compliant with the application of GAs. • a maximum number nmax of active controls, i.e.,
III. P ROBLEM F ORMULATION xT x ≤ nmax ;
• the presence of at least a control from a specific set K,
The problem of security assessment is usually conducted P
i.e., i∈K xi ≥ 1;
by a certified security evaluator who follows a strict proce- the mutual exclusivity
dure, analysing and reporting on checklists and spreadsheets
•
P of two or more controls from a
specific set H, i.e., i∈H xi ≤ 1;
various characteristics and properties of the studied CPS. • a maximum configuration cost Cmax , i.e., costT x <
In order to offer a Decision Support System, driven Cmax in which cost is the vector of the N costs of the
by an optimization solution, to the evaluators, the crucial corresponding controls.
requirements that the proposed algorithm should be able
to meet should be identified. In general, whichever is the Several other requirements can be included in the proposed
methodology selected for assessing the security level of the framework, under the sole condition that they can be
CPS, what the security evaluator seeks is a way to increase captured with a constraint that depends on the security
the measured value by an amount that it considers to be configuration x.
satisfactory for the needs of the client and also attainable
with the available controls. Furthermore, the client may have Being the problem formulated so far an heavily constrai-
several specifications to meet, as, for example, the maximum ned one, we decided to follow the approach presented in
deployment cost of the new controls or the need of having [44], that consists in modifying the cost function F (x) so
a particular type of control device in place in order to meet that it captures also the constraint violation of the various
a certification. configurations x. The augmented cost function assumes the
On the ground of these considerations, the optmization form:
problem that is required to be solved assumes the following
structure: (
F (x), if x ∈ D ∩ S
max F (x) Fm (x) = w
PL , (2)
x∈X fm + j=1 Dj (x) otherwise
s.t. (1)
x∈S∩D
where Dj (x) is an increasing penalty function related to the
where x ∈ X = {0, 1}N represents a decision vector formed violation of the j-th constraint/requirement, L is the number
by N binary variables indicating whether the corresponding of constraints, m is the current generation of the algorithm
available control is to be deployed or not; the cost function and
F : X → R represents the selected metric for the security
level assessment; S is the subset of X that contains all
(
the security configurations that have a security level, for minx∈X m ∩S∩D F (x), if X m ∩ S ∩ D 6= ∅
w
the selected metric, above the desired one, denoted with fm = . (3)
0 otherwise
desired_level; D is the set containing all the configurations
that meet additional requirements that may be imposed by
the client.
w
The vector x can be considered as the security In other words, fm represents the worst fitness value attained
configuration of our system, containing a complete by the feasible configurations of generation m. The described
description of controls already present in the system (whose approach reduces the probability of reproduction of the
corresponding variables are set to 1) along with the new configurations that violate some constraints by penalising
controls which can be activated. X is then the set of all their fitness values.
possible security configurations. Hereinafter, we will denote The associated selection procedure is "Tournament Selec-
the i-th element of vector x with xi and with X m ⊂ X tion". The mutation rate follows a fixed probability of 2%
the population at the m-th iteration. For the cost function for the switch of each component xi of the configurations
F (x), we selected in the study the Actual Security and True x. The crossover mixes the components of the parents,
Protection metrics from OSSTMM - in general, it can be picking either of their values for xi with equal probability.
any of the quantities identified by OSSTMM or a compliant The parameters were tuned after several testings, but as a
industrial standard. The set S is defined as general consideration, it is desired to keep the mutation rate
relatively high so that the exploration of the scenario, whose
S = {x ∈ X|F (x) ≥ desired_level}. dimension is exponential in the number of available controls,
is encouraged.
52
Fig. 1. First generation room, facility located at the dam.
53
Fig. 5. Complete Hydroelectric system
54
Fig. 11. 5x Hydroelectric scenario
55
[9] S. Sridhar, A. Hahn, M. Govindarasu, et al., “Cyber-physical system [30] I. Frazão, P. Henriques Abreu, T. Cruz, H. Araujo, and P. Simoes,
security for the electric power grid.” Proceedings of the IEEE, vol. “Denial of service attacks: Detecting the frailties of machine learning
100, no. 1, pp. 210–224, 2012. algorithms in the classification process:,” 12 2018, pp. 230–235.
[10] A. Di Giorgio, F. Liberati, R. Germanà, M. Presciuttini, L. R. Celsi, [31] M. Panfili, A. Giuseppi, A. Fiaschetti, H. B. Al-Jibreen, A. Pietrabissa,
and F. Delli Priscoli, “On the control of energy storage systems and F. Delli Priscoli, “A game-theoretical approach to cyber-security of
for electric vehicles fast charging in service areas,” in 2016 24th critical infrastructures based on multi-agent reinforcement learning,”
Mediterranean Conference on Control and Automation (MED). IEEE, in 2018 26th Mediterranean Conference on Control and Automation
2016, pp. 955–960. (MED). IEEE, 2018, pp. 460–465.
[11] D. Winter and B. P. Works, “Cyber physical systems-an aerospace [32] A. Fiaschetti, V. Suraci, and F. D. Priscoli, “The shield fra-
industry perspective,” Boeing Management Company, Seattle, WA, mework: How to control security, privacy and dependability in com-
USA, 2008. plex systems,” in 2012 Complexity in Engineering (COMPENG).
[12] T. Facchinetti and M. L. Della Vedova, “Real-time modeling for direct Proceedings. IEEE, 2012, pp. 1–4.
load control in cyber-physical power systems,” IEEE Transactions on [33] “Cvssv3.0,” 2015. [Online]. Available: https://www.first.org/cvss/
Industrial Informatics, vol. 7, no. 4, pp. 689–698, 2011. [34] “CVE-2014-0160.” 2013. [Online]. Available: http://cve.mitre.org/cgi-
[13] A. Giuseppi, R. Germanà, and A. Di Giorgio, “Risk adverse virtual bin/cvename.cgi?name=CVE-2014-0160
power plant control in unsecure power systems,” in 2018 26th Me- [35] “Common criteria v3.1. release 5,” 2017. [Online]. Available:
diterranean Conference on Control and Automation (MED). IEEE, https://www.commoncriteriaportal.org
2018, pp. 1–9. [36] ISECOM, “Osstmm 3 - the open source security testing methodology
[14] H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control manual (2010).”
for cyber-physical systems under adversarial attacks,” IEEE Tran- [37] Y. Xi, T. Chai, and W. Yun, “Survey on genetic algorithm,” Control
sactions on Automatic Control, vol. 59, no. 6, pp. 1454–1467, June theory and applications, vol. 13, no. 6, pp. 697–708, 1996.
2014. [38] M. Srinivas and L. M. Patnaik, “Genetic algorithms: A survey,”
computer, vol. 27, no. 6, pp. 17–26, 1994.
[15] F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identi-
[39] F. Valdez, P. Melin, and O. Castillo, “An improved evolutionary
fication in cyber-physical systems,” IEEE Transactions on Automatic
method with fuzzy logic for combining particle swarm
Control, vol. 58, no. 11, pp. 2715–2729, Nov 2013.
optimization and genetic algorithms,” Appl. Soft Comput.,
[16] R. Mitchell and I.-R. Chen, “A survey of intrusion detection techniques vol. 11, no. 2, pp. 2625–2632, Mar. 2011. [Online]. Available:
for cyber-physical systems,” ACM Computing Surveys (CSUR), vol. 46, http://dx.doi.org/10.1016/j.asoc.2010.10.010
no. 4, p. 55, 2014. [40] R.-C. David, R.-E. Precup, E. M. Petriu, M.-B. Rădac, and
[17] A. Di Giorgio and F. Liberati, “A bayesian network-based approach S. Preitl, “Gravitational search algorithm-based design of fuzzy
to the critical infrastructure interdependencies analysis,” IEEE Systems control systems with a reduced parametric sensitivity,” Information
Journal, vol. 6, no. 3, pp. 510–519, 2012. Sciences, vol. 247, pp. 154 – 173, 2013. [Online]. Available:
[18] ——, “Interdependency modeling and analysis of critical infrastructu- http://www.sciencedirect.com/science/article/pii/S0020025513004222
res based on dynamic bayesian networks,” in 2011 19th Mediterranean [41] S. Vrkalovic, E.-C. Lunca, and I.-D. Borlea, “Model-free sliding mode
Conference on Control & Automation (MED). IEEE, 2011, pp. and fuzzy controllers for reverse osmosis desalination plants,” Int. J.
791–797. Artif. Intell, vol. 16, no. 2, pp. 208–222, 2018.
[19] E. Lee, “The past, present and future of cyber-physical systems: A [42] J. Saadat, P. Moallem, and H. Koofigar, “Training echo state neural
focus on models,” Sensors, vol. 15, no. 3, pp. 4837–4869, 2015. network using harmony search algorithm,” Int. J. Artif. Intell, vol. 15,
[20] P. Derler, E. A. Lee, and A. S. Vincentelli, “Modeling cyber–physical no. 1, pp. 163–179, 2017.
systems,” Proceedings of the IEEE, vol. 100, no. 1, pp. 13–28, Jan [43] C. Bruni, F. Delli Priscoli, G. Koch, A. Pietrabissa, and L. Pimpinella,
2012. “Network decomposition and multi-path routing optimal control,”
[21] A. Fiaschetti, F. Lavorato, V. Suraci, A. Palo, A. Taglialatela, A. Mor- Transactions on Emerging Telecommunications Technologies, vol. 24,
gagni, R. Baldelli, and F. Flammini, “On the use of semantic tech- no. 2, pp. 154–165, 2013.
nologies to model and control security, privacy and dependability in [44] K. Deb, “An efficient constraint handling method for genetic algori-
complex systems,” in International Conference on Computer Safety, thms,” Computer methods in applied mechanics and engineering, vol.
Reliability, and Security. Springer, 2011, pp. 467–479. 186, no. 2-4, pp. 311–338, 2000.
[22] A. Cardenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, S. Sastry, [45] [Online]. Available: https://www.atena-h2020.eu/wp-
et al., “Challenges for securing cyber physical systems,” in Workshop content/uploads/2019/04/Composer-User-Manual_v1.1_CRAT.pdf
on future directions in cyber-physical systems security, vol. 5, 2009.
[23] G. Hug and J. A. Giampapa, “Vulnerability assessment of ac state
estimation with respect to false data injection cyber-attacks,” IEEE
Transactions on Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.
[24] M. Mattioni, S. Monaco, and D. Normand-Cyrot, “Nonlinear discrete-
time systems with delayed control: A reduction,” Systems & Control
Letters, vol. 114, pp. 31–37, 2018.
[25] A. Mercurio, A. Di Giorgio, and P. Cioci, “Open-source implementa-
tion of monitoring and controlling services for ems/scada systems by
means of web services—iec 61850 and iec 61970 standards,” IEEE
Transactions on Power Delivery, vol. 24, no. 3, pp. 1148–1153, 2009.
[26] S. Karnouskos, “Stuxnet worm impact on industrial cyber-physical
system security,” in IECON 2011 - 37th Annual Conference of the
IEEE Industrial Electronics Society, Nov 2011, pp. 4490–4494.
[27] F. Adamsky, M. Aubigny, F. Battisti, M. Carli, F. Cimorelli, T. Cruz,
A. Di Giorgio, C. Foglietta, A. Galli, A. Giuseppi, et al., “Integrated
protection of industrial control systems from cyber-attacks: the atena
approach,” International Journal of Critical Infrastructure Protection,
2018.
[28] C. Foglietta, D. Masucci, C. Palazzo, R. Santini, S. Panzieri, L. Rosa,
T. Cruz, and L. Lev, “From detecting cyber-attacks to mitigating risk
within a hybrid environment,” IEEE Systems Journal, pp. 1–12, 2018.
[29] V. Graveto, L. Rosa, T. Cruz, and P. Simões, “A
stealth monitoring mechanism for cyber-physical systems,”
International Journal of Critical Infrastructure Protection,
vol. 24, pp. 126 – 143, 2019. [Online]. Available:
http://www.sciencedirect.com/science/article/pii/S1874548218300672
56