skip to main content
10.1145/3372020.3391563acmconferencesArticle/Chapter ViewAbstractPublication PagesicseConference Proceedingsconference-collections
research-article

Impact Analysis of Cyber-Physical Attacks on a Water Tank System via Statistical Model Checking

Published: 07 October 2020 Publication History

Abstract

Cyber-Physical Systems (CPSs) are integrations of distributed computing systems with physical processes that monitor and control entities in a physical environment. Although the range of their applications include several critical domains, the current trend is to verify CPSs with simulation-test systems rather than formal methodologies. In this paper, we test the effectiveness of statistical model checking, within the Modest Toolset, when analyzing the security of a non-trivial quadruple-tank water system equipped with an ad-hoc intrusion detection system (IDS) capable of mitigating attacks. Our goal is to evaluate the impact of three carefully chosen cyber-physical attacks, i.e., attacks targeting sensors and/or actuators of the system with potential consequences on the safety of the inner physical process. Our security analysis estimates both the physical impact of the attacks and the performance of the proposed IDS.

References

[1]
R. Alur and D. L. Dill. 1994. A theory of timed automata. Theoretical Computer Science 126, 2 (1994), 183--235.
[2]
G. Behrmann, A. David, Larsen K. G., J. Håkansson, P. Pettersson, W. Yi, and M. Hendriks. 2006. UPPAAL 4.0. In QEST 2006. IEEE Computer Society, 125--126.
[3]
B. Blanchet. 2009. Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security 17, 4 (2009), 363--434.
[4]
C. Cheh, A. Fawaz, M. A. Noureddine, B. Chen, W. G. Temple, and W. H. Sanders. 2018. Determining Tolerable Attack Surfaces that Preserves Safety of Cyber-Physical Systems. In PRDC. IEEE Computer Society, 125--134.
[5]
Y. S. Chow and H. Robbins. 1965. On the Asymptotic Theory of Fixed-Width Sequential Confidence Intervals for the Mean. The Annals of Mathematical Statistics 36, 2 (1965), 457--462.
[6]
E. M. Clarke, O. Grumberg, and D. A Peled. 2001. Model checking. MIT Press.
[7]
E. M. Clarke and P. Zuliani. 2011. Statistical Model Checking for Cyber-Physical Systems. In ATVA (LNCS), Vol. 6996. Springer, 1--12.
[8]
D. David, K. G. Larsen, A. Legay, M. Mikucionis, and Z. Wang. 2011. Time for Statistical Model Checking of Real-Time Systems. In CAV (LNCS), Vol. 6806. Springer, 349--355.
[9]
A. Di Pinto, Y. Dragoni, and A. Carcano. 2018. TRITON: The First ICS Cyber Attack on Safety Instrument Systems. In Black Hat USA 2018. 1--28.
[10]
R. C. Dorf and R. H. Bishop. 2011. Modern control systems. Pearson.
[11]
N. Falliere, L. Murchu, and E. Chien. 2011. W32.Stuxnet Dossier.
[12]
E. M. Hahn, A. Hartmanns, H. Hermanns, and J.P. Katoen. 2013. A compositional modelling and analysis framework for stochastic hybrid systems. FMSD 43, 2 (2013), 191--232.
[13]
A. Hartmanns and H. Hermanns. 2014. The Modest Toolset: An integrated environment for quantitative modelling and verification. In TACAS (LNCS), Vol. 8413. Springer, 593--598.
[14]
W. K. Hastings. 1970. Monte Carlo Sampling Methods Using Markov Chains and Their Applications. Biometrika 57, 1 (1970), 97--109.
[15]
T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya. 1998. What's Decidable about Hybrid Automata? J. Comput. System Sci. 57, 1 (1998), 94--124.
[16]
L. Huang and E.-Y. Kang. 2019. Formal Verification of Safety & Security Related Timing Constraints for a Cooperative Automotive System. In FASE (LNCS), Vol. 11424. Springer, 210--227.
[17]
Y. Huang, A. A. Cárdenas, S. Amin, Z. Lin, H. Tsai, and S. Sastry. 2009. Understanding the physical and economic consequences of attacks on control systems. Int. J. Crit. Infrastructure Prot. 2, 3 (2009), 73--83.
[18]
ICS-CERT. 2015. Cyber-Attack Against Ukrainian Critical Infrastructure. (2015). https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
[19]
K. H.Johansson. 2000. The quadruple-tank process: A multivariable laboratory process with an adjustable zero. IEEE Trans. on Control System Tech. 8, 3 (2000), 456--465.
[20]
R. Kumar and M. Stoelinga. 2017. Quantitative Security and Safety Analysis with Attack-Fault Trees. In HASE. IEEE Computer Society, 25--32.
[21]
M. Z. Kwiatkowska, G. Norman, and D. Parker. 2011. PRISM 4.0: Verification of Probabilistic Real-Time Systems. In CAV (LNCS), Vol. 6806. Springer, 585--591.
[22]
R. Lanotte, M. Merro, and F. Mogavero. 2019. On the decidability of linear bounded periodic cyber-physical systems. In HSCC. ACM, 87--98.
[23]
R. Lanotte, M. Merro, and A. Munteanu. 2018. A Modest Security Analysis of Cyber-Physical Systems: A Case Study. In FORTE (LNCS), Vol. 10854. Springer, 58--78.
[24]
R. Lanotte, M. Merro, A. Munteanu, and L. Viganò. 2020. A Formal Approach to Physics-based Attacks in Cyber-physical Systems. ACM Trans. Priv. Secur. 23, 1 (2020), 3:1-3:41.
[25]
R. Lanotte, M. Merro, and S. Tini. 2018. Towards a Formal Notion of Impact Metric for Cyber-Physical Attacks. In IFM (LNCS), Vol. 11023. Springer, 296--315.
[26]
A. Legay, B. Delahaye, and S. Bensalem. 2010. Statistical Model Checking: An Overview. In RV (LNCS), Vol. 6418. Springer, 122--135.
[27]
P. C. Ölveczky and J. Meseguer. 2007. Semantics and pragmatics of Real-Time Maude. Higher-Order and Symbolic Computation 20, 1-2 (2007), 161--196.
[28]
G. Pedroza, L. Apvrille, and D. Knorreck. 2011. AVATAR: A SysML Environment for the Formal Verification of Safety and Security Properties. In NOTERE. IEEE, 1--10.
[29]
R. Taormina, S. Galelli, H.C. Douglas, N.O. Tippenhauer, E. Salomons, and A. Ostfeld. 2019. A toolbox for assessing the impacts of cyber-physical attacks on water distribution systems. Environ. Model. Softw. 112 (2019), 46--51.
[30]
D. I. Urbina, J. A. Giraldo, A. A. Cardenas, N. O. Tippenhauer, J. Valente, M. Faisal, J. Ruths, R. Candell, and H. Sandberg. 2016. Limiting the Impact of Stealthy Attacks on Industrial Control Systems. In ACM CCS. ACM, 1092--1105.
[31]
D. C. Wardell, R. F. Mills, G. L. Peterson, and M. E. Oxley. 2016. A Method for Revealing and Addressing Security Vulnerabilities in Cyber-physical Systems by Modeling Malicious Agent Interactions with Formal Verification. Procedia Com. Sc. 95 (2016), 24--31.
[32]
Y. Zacchia Lun, A. D'Innocenzo, I. Malavolta, and M. D. Di Benedetto. 2016. Cyber-Physical Systems Security: a Systematic Mapping Study. CoRR abs/1605.09641 (2016). arXiv:1605.09641
[33]
Y. Zacchia Lun, A. D'Innocenzo, F. Smarra, I. Malavolta, and M. D. Di Benedetto. 2019. State of the art of cyber-physical systems security: An automatic control perspective. Journal of Systems and Software 149 (2019), 174--216.

Cited By

View all
  • (2024)Requirements for Applying SCIA: A Structured Cyberattack Impact Analysis Approach for ICS2024 IEEE 24th International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS62785.2024.00045(388-399)Online publication date: 1-Jul-2024
  • (2023)Formal Verification of Safety and Security Properties in Industry 4.0 Applications2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA)10.1109/ETFA54631.2023.10275690(1-8)Online publication date: 12-Sep-2023
  • (2023)Impact Analysis of Coordinated Cyber-Physical Attacks via Statistical Model Checking: A Case StudyFormal Techniques for Distributed Objects, Components, and Systems10.1007/978-3-031-35355-0_6(75-94)Online publication date: 10-Jun-2023
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
FormaliSE '20: Proceedings of the 8th International Conference on Formal Methods in Software Engineering
October 2020
163 pages
ISBN:9781450370714
DOI:10.1145/3372020
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 October 2020

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Cyber-physical attack
  2. attack impact/mitigation
  3. security analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

FormaliSE '20
Sponsor:

Upcoming Conference

ICSE 2025

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)0
Reflects downloads up to 18 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Requirements for Applying SCIA: A Structured Cyberattack Impact Analysis Approach for ICS2024 IEEE 24th International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS62785.2024.00045(388-399)Online publication date: 1-Jul-2024
  • (2023)Formal Verification of Safety and Security Properties in Industry 4.0 Applications2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA)10.1109/ETFA54631.2023.10275690(1-8)Online publication date: 12-Sep-2023
  • (2023)Impact Analysis of Coordinated Cyber-Physical Attacks via Statistical Model Checking: A Case StudyFormal Techniques for Distributed Objects, Components, and Systems10.1007/978-3-031-35355-0_6(75-94)Online publication date: 10-Jun-2023
  • (2022)AFMT: Maintaining the safety-security of industrial control systemsComputers in Industry10.1016/j.compind.2021.103584136(103584)Online publication date: Apr-2022
  • (2021)Analyzing the Impact of Cyberattacks on Industrial Control Systems using Timed Automata2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS)10.1109/QRS54544.2021.00106(966-977)Online publication date: Dec-2021

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media