Abstract
With recent advancements in computer and network technologies, cyber-physical systems have become more susceptible to cyber-attacks, with production systems being no exception. Unlike traditional information technology systems, cyber-physical systems are not limited to attacks aimed solely at intellectual property theft, but include attacks that maliciously affect the physical world. In manufacturing, cyber-physical attacks can destroy equipment, force dimensional product changes, or alter a product’s mechanical characteristics. The manufacturing industry often relies on modern quality control (QC) systems to protect against quality losses, such as those that can occur from an attack. However, cyber-physical attacks can still be designed to avoid detection by traditional QC methods, which suggests a strong need for new and more robust QC tools. As a first step toward the development of new QC tools, an attack taxonomy to better understand the relationships between QC systems, manufacturing systems, and cyber-physical attacks is proposed in this paper. The proposed taxonomy is developed from a quality control perspective and accounts for the attacker’s view point through considering four attack design consideration layers, each of which is required to successfully implement an attack. In addition, a detailed example of the proposed taxonomy layers being applied to a realistic production system is included in this paper.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
A system’s attack surface is a term that represents all possible means through which an attacker can access the system and potentially cause harm (Manadhata and Wing 2011).
Quality inspection “are measures aimed at checking, measuring, or testing of one or more product characteristics and to relate the results to the requirements to confirm compliance” (Pan et al. 2017).
References
Albakri, M., Sturm, L., Williams, C. B., & Tarazaga, P. (2017). Impedance-based non-destructive evaluation of additively manufactured parts. Rapid Prototyping Journal, 23(3), 589–601. https://doi.org/10.1108/RPJ-03-2016-0046.
Albright, D., Brannan, P., & Christina, W. (2010). Did Stuxnet take out 1,000 centrifuges at the Natanz enrichment plant? Institute for Science and International Security (ISIS).
Anthem. (2016). How to access and sign up for identity theft repair and credit monitoring services. https://www.anthemfacts.com/cyber-attack. Accessed April 9, 2017.
Assante, M. J., & Lee, R. M. (2015). The industrial control system cyber kill chain. The SANS Technology Institute.
Bayanifar, H., & Kühnle, H. (2017). Enhancing dependability and security of cyber-physical production systems. In L. M. Camarinha-Matos, M. Parreira-Rocha, & J. Ramezani (Eds.), Technological innovation for smart systems: 8th IFIP WG 5.5/SOCOLNET advanced doctoral conference on computing, electrical and industrial systems, DoCEIS 2017, Costa de Caparica, Portugal, May 3–5, 2017, proceedings (pp. 135–143). Cham: Springer International Publishing.
Bayuk, J. L., Cavit, D., Guerrino, E., Mahony, J., McDowell, B., Nelson, W., et al. (2011). Malware risks and mitigation report. Washington, DC: BITS Financial Services Roundtable.
Belikovetsky, S., Solewicz, Y., Yampolskiy, M., Toh, J., & Elovici, Y. (2017). Detecting cyber-physical attacks in additive manufacturing using digital audio signing. arXiv preprint, arXiv:1705.06454.
Belikovetsky, S., Yampolskiy, M., Toh, J., & Elovici, Y. (2016). Dr0wned-cyber-physical attack with additive manufacturing. arXiv preprint, arXiv:1609.00133.
Box, G. E. P., & Woodall, W. H. (2012). Innovation, quality engineering, and statistics. Quality Engineering, 24(1), 20–29. https://doi.org/10.1080/08982112.2012.627003.
Brenner, J. F. (2013). Eyes wide shut: The growing threat of cyber attacks on industrial control systems. Bulletin of the Atomic Scientists, 69(5), 15–20. https://doi.org/10.1177/0096340213501372.
Cárdenas, A., Amin, S., Lin, Z.-S., Huang, Y.-L., Huang, C.-Y., & Sastry, S. Attacks against process control systems: Risk assessment, detection, and response. In 6th ACM symposium on information, computer and communications security (ASIACCS ’11), Hong Kong, 22–24 March 2011 (pp. 355–366). https://doi.org/10.1145/1966913.1966959.
Cárdenas, A., Amin, S., Sinopoli, B., Giani, A., Perrig, A., & Sastry, S. (2009). Challenges for securing cyber physical systems. In Workshop on future directions in cyber-physical systems security, 2009 (pp. 5): DHS.
Castillo, M. (2017). Yahoo’s hack warning comes from third breach, The Company Says. http://www.cnbc.com/2017/02/15/yahoo-sends-new-warning-to-customers-about-data-breach.html. Accessed April 9, 2017.
Chambers, J. (2015). What does the internet of everything mean for security? https://www.weforum.org/agenda/2015/01/companies-fighting-cyber-crime/?utm_content=bufferb0881&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer. Accessed October 30, 2015.
Cherry, S. (2011). Sons of stuxnet. http://spectrum.ieee.org/podcast/telecom/security/sons-of-stuxnet. Accessed December 15, 2014.
Chhetri, S. R., Canedo, A., & Al Faruque, M. A. (2016). KCAD: Kinetic cyber-attack detection method for cyber-physical additive manufacturing systems. In International conference on computer aided design (ICCAD ’16), Austin, TX, USA, November 07–10 2016: IEEE/ACM. https://doi.org/10.1145/2966986.2967050.
Chhetri, S. R., Wan, J., & Al Faruque, M. A. (2017). Cross-domain security of cyber-physical systems. In 22nd Asia and South Pacific design automation conference (ASP-DAC 2017), Chiba/Tokyo, Japan, 16–19 January 2017 (pp. 200–205): IEEE. https://doi.org/10.1109/ASPDAC.2017.7858320.
Deloitte. (2014). Global cyber executive briefing—Manufacturing. https://www2.deloitte.com/global/en/pages/risk/articles/Manufacturing.html. Accessed August 16, 2015.
DeSmit, Z., Elhabashy, A. E., Wells, L. J., & Camelio, J. A. (2017). An approach to cyber-physical vulnerability assessment for intelligent manufacturing systems. Journal of Manufacturing Systems, 43(Part 2), 339–351. https://doi.org/10.1016/j.jmsy.2017.03.004.
Evans, D. (2011). The Internet of Things: How the next evolution of the internet is changing everything. Cisco Internet Business Solutions Group (IBSG).
Fahey, M., & Wells, N. (2016). Yahoo data breach is among the biggest in history. http://www.cnbc.com/2016/09/22/yahoo-data-breach-is-among-the-biggest-in-history.html. Accessed April 9, 2017.
Gendarmerie, N. (2011). Prospective analysis on trends in cybercrime from 2011 to 2020.
Goonatilake, R., Bachnak, R., & Herath, S. (2011). Statistical quality control approaches to network intrusion detection. International Journal of Network Security & Its Applications (IJNSA), 3(6), 115–124.
Groover, M. P. (2010). Fundamentals of modern manufacturing: Materials, processes, and systems (4th ed.). Hoboken, NJ: Wiley.
Hutchins, M. J., Bhinge, R., Micali, M. K., Robinson, S. L., Sutherland, J. W., & Dornfeld, D. (2015). Framework for identifying cybersecurity risks in manufacturing. Procedia Manufacturing, 1, 47–63. https://doi.org/10.1016/j.promfg.2015.09.060.
IBM X-Force Research (2016). 2016 Cyber security intelligence index infographic for manufacturing. IBM Corporation.
ICS-CERT (2016). ICS-CERT Monitor Newsletters: November–December 2015. https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2015_S508C.pdf. Accessed May 26, 2016.
Kammerdiner, A. R. (2014). Statistical techniques for assessing cyberspace security. In C. Vogiatzis, J. L. Walteros, & P. M. Pardalos (Eds.), Dynamics of information systems—Computational and mathematical challenges (Vol. 105, pp. 161–177). Berlin: Springer.
Kravets, D. (2009). Feds: Hacker disabled offshore oil platforms’ leak-detection system. www.wired.com/2009/03/feds-hacker-dis. Accessed December 15, 2014.
Kurtzman Carson Consultants. (2016). Home depot breach settlement. http://www.homedepotbreachsettlement.com/. Accessed 15 June 2016.
Lee, T. B. (2014). The Sony hack: How it happened, who is responsible, and what we’ve learned. www.vox.com/2014/12/14/7387945/sony-hack-explained. Accessed December 15, 2014.
Liptak, A. (2017). Renault shut down several french factories after cyberattack. https://www.theverge.com/2017/5/14/15637472/renault-nissan-shut-down-french-uk-factories-wannacry-cyberattack. Accessed May 15, 2017.
Manadhata, P. K., & Wing, J. M. (2011). An attack surface metric. IEEE Transactions on Software Engineering, 37(3), 371–386. https://doi.org/10.1109/TSE.2010.60.
Mandiant (2015). M-Trends 2015: A view from the front line. Mandiant.
McGee, B. (2016). Move over Healthcare, ransomware has manufacturing in its sights. https://blog.fortinet.com/2016/06/06/move-over-healthcare-ransomware-has-manufacturing-in-its-sights. Accessed August 3, 2016.
Megahed, F. M., & Jones-Farmer, L. A. (2015). Statistical Perspectives on “Big Data”. In S. Knoth & W. Schmid (Eds.), Frontiers in statistical quality control 11 (pp. 29–47). Berlin: Springer.
Meserve, J. (2007). Mouse click could plunge city into darkness, experts say. http://www.cnn.com/2007/US/09/27/power.at.risk/index.html. Accessed February 22, 2016.
Montgomery, D. C. (2009). Introduction to statistical quality control (6th ed.). Hoboken, N.J.: Wiley.
Moore, S. B., Gatlin, J., Belikovetsky, S., Yampolskiy, M., King, W. E., & Elovici, Y. (2017a). Power consumption-based detection of sabotage attacks in additive manufacturing. arXiv preprint arXiv:1709.01822.
Moore, S. B., Glisson, W. B., & Yampolskiy, M. (2017b). Implications of malicious 3D printer firmware. In Proceedings of the 50th Hawaii International Conference on System Sciences (HICSS), Waikoloa Village, Hawaii, USA, 4–7 January (pp. 6089–6098).
MTConnect Institute (2016). www.mtconnect.org. Accessed April 11, 2016.
Neil, J., Hash, C., Brugh, A., Fisk, M., & Storlie, C. B. (2013). Scan statistics for the online detection of locally anomalous subgraphs. Technometrics, 55(4), 403–414. https://doi.org/10.1080/00401706.2013.822830.
Pan, Y., White, J., Schmidt, D. C., Elhabashy, A., Sturm, L., Camelio, J., et al. (2017). Taxonomies for reasoning about cyber-physical attacks in IoT-based manufacturing systems. International Journal of Interactive Multimedia and Artificial Intelligence, Special Issue on Advances and Applications in the Internet of Things and Cloud Computing, 4(3), 45–54. https://doi.org/10.9781/ijimai.2017.437.
Park, Y., Baek, S. H., Kim, S.-H., & Tsui, K.-L. (2014). Statistical process control-based intrusion detection and monitoring. Quality and Reliability Engineering International, 30(2), 257–273. https://doi.org/10.1002/qre.1494.
Pham, T. (2015). Authentication-based attacks target energy and critical manufacturing industries. https://duo.com/blog/authentication-based-attacks-target-energy-and-critical-manufacturing. Accessed August 17, 2015.
Poulsen, K. (2009). Ex-employee fingered in texas power company hack. www.wired.com/2009/05/efh/. Accessed December 15, 2014.
Slay, J., & Miller, M. (2008). Lessons learned from the maroochy water breach. In E. Goetz & S. Shenoi (Eds.), Critical infrastructure protection (pp. 73–82). Boston, MA: Springer.
Stamp, J., Dillinger, J., Young, W., & DePoy, J. (2003). Common vulnerabilities in critical infrastructure control systems. Sandia National Laboratories.
Steitz, C. A., Eric (2016). German nuclear plant infected with computer viruses, operator says. http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS. Accessed June 15, 2016.
Stouffer, K., Zimmerman, T., Tang, C., Lubell, J., Cichonski, J., & McCarthy, J. (2017). Cybersecurity framework manufacturing profile. National Institute of Standards and Technology (NIST).
Sturm, L. D., Albakri, M., Williams, C. B., & Tarazaga, P. (2016). In-situ detection of build defects in additive manufacturing via impedance-based monitoring. Paper presented at the proceedings of the 27th annual international solid freeform fabrication symposium—an additive manufacturing conference, Austin, Texas, USA, 8–10 August.
Sturm, L. D., Williams, C. B., Camelio, J. A., White, J., & Parker, R. (2017). Cyber-physical vulnerabilities in additive manufacturing systems: A case study attack on the.STL file with human subjects. Journal of Manufacturing Systems, 44(Part 1), 154–164. https://doi.org/10.1016/j.jmsy.2017.05.007.
Symantec. (2014). Internet security threat report 2014 (Vol. 19). Symantec Corporation.
Symantec. (2015). Internet security threat report 2015 (Vol. 20). Symantec Corporation.
Symantec. (2016). Internet security threat report 2016 (Vol. 21). Symantec Corporation.
Symantec. (2017). Internet security threat report 2017 (Vol. 22). Symantec Corporation.
Target (2014). Data Breach FAQ. https://corporate.target.com/about/shopping-experience/payment-card-issue-faq. Accessed October 28, 2015.
Teemu, M. (2015). 3 Key learnings: Ransomware hits a concrete manufacturer. https://business.f-secure.com/3-key-learnings-ransomware-hits-a-concrete-manufacturer/. Accessed August 3, 2016.
Tucker, P. (2014). Forget the Sony hack, this could be the biggest cyber attack of 2015. www.defenseone.com/technology/2014/12/forget-sony-hack-could-be-he-biggest-cyber-attack-2015/101727/. Accessed February 22, 2016.
Tuptuk, N., & Hailes, S. (2016). The Cyberattack on Ukraine’s power grid is a warning of what’s to come. https://theconversation.com/the-cyberattack-on-ukraines-power-grid-is-a-warning-of-whats-to-come-52832. Accessed June 15, 2016.
Turner, H., White, J., Camelio, J. A., Williams, C., Amos, B., & Parker, R. (2015). Bad parts: Are our manufacturing systems at risk of silent cyberattacks? IEEE Security & Privacy, 13(3), 40–47.
Underbrink, A., Potter, A., Jaenisch, H., & Reifer, D. J. (2012). Application stress testing achieving cyber security by testing cyber attacks. In IEEE conference on technologies for homeland security (HST), 13–15, 556–561. https://doi.org/10.1109/THS.2012.6459909.
Vincent, H., Wells, L., Tarazaga, P., & Camelio, J. (2015). Trojan detection and side-channel analyses for cyber-security in cyber-physical manufacturing systems. Procedia Manufacturing, 1, 77–85. https://doi.org/10.1016/j.promfg.2015.09.065.
Wegner, A., Graham, J., & Ribble, E. (2017). A new approach to cyberphysical security in industry 4.0. In L. Thames & D. Schaefer (Eds.), Cybersecurity for Industry 4.0: Analysis for Design and Manufacturing (pp. 59–72). Cham: Springer.
Wells, L. J., Camelio, J. A., Williams, C. B., & White, J. (2014). Cyber-physical security challenges in manufacturing systems. Manufacturing Letters, 2(2), 74–77. https://doi.org/10.1016/j.mfglet.2014.01.005.
Wu, M., & Moon, Y. B. (2017). Taxonomy of cross-domain attacks on cybermanufacturing system. Procedia Computer Science, 114, 367–374. https://doi.org/10.1016/j.procs.2017.09.050.
Wu, M., Song, Z., & Moon, Y. B. (2017). Detecting cyber-physical attacks in cybermanufacturing systems with machine learning methods. Journal of Intelligent Manufacturing,. https://doi.org/10.1007/s10845-017-1315-5.
Wu, Q., Zhang, H., & Pu, J. (2007). Mitigating distributed denial-of-service attacks using network connection control charts. In Proceedings of the 2nd international conference on scalable information systems (InfoScale ’07), Suzhou, China (pp. 1–4): ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).
Yampolskiy, M., King, W., Pope, G., Belikovetsky, S., & Elovici, Y. (2017). Evaluation of additive and subractive manufacturing from the security perpsective. In M. Rice, & S. Shenoi (Eds.), Critical infrastructure protection XI: 11th IFIP WG 11.10 international conference, ICCIP 2017, Arlington, VA, USA, March 13–15, 2017, Revised selected papers (pp. 23–44, IFIP Advances in Information and Communication Technology). Cham: Springer.
Yampolskiy, M., Skjellum, A., Kretzschmar, M., Overfelt, R. A., Sloan, K. R., & Yasinsac, A. (2016). Using 3D printers as weapons. International Journal of Critical Infrastructure Protection, 14, 58–71. https://doi.org/10.1016/j.ijcip.2015.12.004.
Ye, N., Borror, C., & Zhang, Y. (2002). EWMA techniques for computer intrusion detection through anomalous changes in event intensity. Quality and Reliability Engineering International, 18(6), 443–451.
Ye, N., Emran, S. M., Li, X., & Chen, Q. (2001). Statistical process control for computer intrusion detection. In DARPA information survivability conference and exposition II, 2001 (DISCEX’01). (Vol. 1, pp. 3–14): IEEE.
Ye, N., Vilbert, S., & Qiang, C. (2003). Computer intrusion detection through EWMA for autocorrelated and uncorrelated data. IEEE Transactions on Reliability, 52(1), 75–82. https://doi.org/10.1109/TR.2002.805796.
Zeltmann, S. E., Gupta, N., Tsoutsos, N. G., Maniatakos, M., Rajendran, J., & Karri, R. (2016). Manufacturing and security challenges in 3D printing. The Journal of The Minerals, Metals & Materials Society (JOM), 68(7), 1872–1881. https://doi.org/10.1007/s11837-016-1937-7.
Acknowledgements
This research work was funded by the National Science Foundation (NSF) Grant CMMI-1436365 and supported by Virginia Tech’s Cyber-Physical Security Systems Manufacturing (CPSSMFG) Group. The authors would also like to thank the reviewers, for their constructive feedback, and the members of the Center for Innovation-based Manufacturing (CIbM) lab at Virginia Tech, for their help with revising this manuscript.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Elhabashy, A.E., Wells, L.J., Camelio, J.A. et al. A cyber-physical attack taxonomy for production systems: a quality control perspective. J Intell Manuf 30, 2489–2504 (2019). https://doi.org/10.1007/s10845-018-1408-9
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10845-018-1408-9