Autonomic Intelligent Cyber-Sensor to Support Industrial Control Network Awareness
IEEE Transactions on Industrial Informatics2013
The proliferation of digital devices in a networked industrial ecosystem, along with an exponential growth in complexity and scope, has resulted in elevated security concerns and management complexity issues. This paper describes a novel architecture utilizing concepts of autonomic computing and a simple object access protocol (SOAP)-based interface to metadata access points (IF-MAP) external communication layer to create a network security sensor. This approach simplifies integration of legacy software and supports a secure, scalable, and self-managed framework. The contribution of this paper is twofold: 1) A flexible two-level communication layer based on autonomic computing and service oriented architecture is detailed and 2) three complementary modules that dynamically reconfigure in response to a changing environment are presented. One module utilizes clustering and fuzzy logic to monitor traffic for abnormal behavior. Another module passively monitors network traffic and deploys deceptive virtual network hosts. These components of the sensor system were implemented in C++ and PERL and utilize a common internal D-Bus communication mechanism. A proof of concept prototype was deployed on a mixed-use test network showing the possible real-world applicability. In testing, 45 of the 46 network attached devices were recognized and 10 of the 12 emulated devices were created with specific operating system and port configurations. In addition, the anomaly detection algorithm achieved a 99.9% recognition rate. All output from the modules were correctly distributed using the common communication structure.
View more
Cyber-Physical System Security With Deceptive Virtual Hosts for Industrial Control Networks
IEEE Transactions on Industrial Informatics2014
A challenge facing industrial control network administrators is protecting the typically large number of connected assets for which they are responsible. These cyber devices may be tightly coupled with the physical processes they control and human induced failures risk dire real-world consequences. Dynamic virtual honeypots are effective tools for observing and attracting network intruder activity. This paper presents a design and implementation for self-configuring honeypots that passively examine control system network traffic and actively adapt to the observed environment. In contrast to prior work in the field, six tools were analyzed for suitability of network entity information gathering. Ettercap, an established network security tool not commonly used in this capacity, outperformed the other tools and was chosen for implementation. Utilizing Ettercap XML output, a novel four-step algorithm was developed for autonomous creation and update of a Honeyd configuration. This algorithm was tested on an existing small campus grid and sensor network by execution of a collaborative usage scenario. Automatically created virtual hosts were deployed in concert with an anomaly behavior (AB) system in an attack scenario. Virtual hosts were automatically configured with unique emulated network stack behaviors for 92% of the targeted devices. The AB system alerted on 100% of the monitored emulated devices.
View more
FN-DFE: Fuzzy-Neural Data Fusion Engine for Enhanced Resilient State-Awareness of Hybrid Energy Systems
IEEE Transactions on Cybernetics2014
Resiliency and improved state-awareness of modern critical infrastructures, such as energy production and industrial systems, is becoming increasingly important. As control systems become increasingly complex, the number of inputs and outputs increase. Therefore, in order to maintain sufficient levels of state-awareness, a robust system state monitoring must be implemented that correctly identifies system behavior even when one or more sensors are faulty. Furthermore, as intelligent cyber adversaries become more capable, incorrect values may be fed to the operators. To address these needs, this paper proposes a fuzzyneural data fusion engine (FN-DFE) for resilient state-awareness of control systems. The designed FN-DFE is composed of a three-layered system consisting of: 1) traditional threshold based alarms; 2) anomalous behavior detector using self-organizing fuzzy logic system; and 3) artificial neural network-based system modeling and prediction. The improved control system stateawareness is achieved via fusing input data from multiple sources and combining them into robust anomaly indicators. In addition, the neural network-based signal predictions are used to augment the resiliency of the system and provide coherent state-awareness despite temporary unavailability of sensory data. The proposed system was integrated and tested with a model of the Idaho National Laboratory's hybrid energy system facility known as HYTEST. Experiment results demonstrate that the proposed FNDFE provides timely plant performance monitoring and anomaly detection capabilities. It was shown that the system is capable of identifying intrusive behavior significantly earlier than conventional threshold-based alarm systems.
View more
Mining Building Energy Management System Data Using Fuzzy Anomaly Detection and Linguistic Descriptions
IEEE Transactions on Industrial Informatics2014
Building Energy Management Systems (BEMSs) are essential components of modern buildings that are responsible for minimizing energy consumption while maintaining occupant comfort. However, since indoor environment is dependent on many uncertain criteria, performance of BEMS can be suboptimal at times. Unfortunately, complexity of BEMSs, large amount of data, and interrelations between data can make identifying these suboptimal behaviors difficult. This paper proposes a novel Fuzzy Anomaly Detection and Linguistic Description (Fuzzy-ADLD)-based method for improving the understandability of BEMS behavior for improved state-awareness. The presented method is composed of two main parts: 1) detection of anomalous BEMS behavior; and 2) linguistic representation of BEMS behavior. The first part utilizes modified nearest neighbor clustering algorithm and fuzzy logic rule extraction technique to build a model of normal BEMS behavior. The second part of the presented method computes the most relevant linguistic description of the identified anomalies. The presented Fuzzy-ADLD method was applied to real-world BEMS system and compared against a traditional alarm-based BEMS. Six different scenarios were tested, and the presented Fuzzy-ADLD method identified anomalous behavior either as fast as or faster (an hour or more) than the alarm based BEMS. Furthermore, the Fuzzy-ADLD method identified cases that were missed by the alarm-based system, thus demonstrating potential for increased state-awareness of abnormal building behavior.
View more
Building Energy Management Systems: The Age of Intelligent and Adaptive Buildings
IEEE Industrial Electronics Magazine2016
Building automation systems (BAS), or building control systems (BCS), typically consist of building energy management systems (BEMSs), physical security and access control, fire/life safety, and other systems (elevators, public announcements, and closed-circuit television). BEMSs control heating, ventilation, and air conditioning (HVAC) and lighting systems in buildings; more specifically, they control HVAC's primary components such as air handling units (AHUs), chillers, and heating elements. BEMSs are essential components of modern buildings, tasked with seemingly contradicting requirements?minimizing energy consumption while maintaining occupants? comfort [1]. In the United States, about 40% of total energy consumption and 70% of electricity consumption are spent on buildings every year. These numbers are comparable to global statistics that about 30% of total energy consumption and 60% of electricity consumption are spent on buildings. Buildings are an integral part of global cyber-physical systems (smart cities) and evolve and interact with their surroundings. As buildings undergo years of exploitation, their thermal characteristics deteriorate, indoor spaces (especially in commercial buildings) get rearranged, and usage patterns change. In time, their inner (and outer) microclimates adjust to changes in surrounding buildings, overshadowing patterns, and city climates, not to mention building retrofitting. Thus, even in cases of ideally designed BEMS/HVAC systems, because of ever-changing and uncertain indoor and outdoor environments, their performance frequently falls short of expectations. Unfortunately, the complexity of BEMSs, large amounts of constantly changing data, and evolving interrelations among sensor feeds make identifying these suboptimal behaviors difficult. Therefore, traditional data-mining algorithms and data-analysis tools are often inadequate.This article provides an overview of issues related to modern BEMSs with a multitude of (often conflicting) requirements. Because of massive and often incomplete data sets, control, sensing, and the evolving nature of these complex systems, computational intelligence (CI) techniques present a natural solution to optimal energy efficiency, energy security, and occupant comfort in buildings. The article further presents an overall architecture where CI can be used in BEMSs and concludes with a case study of the practical applications of using CI techniques in the BEMS domain.
View more
