Biblio

Cyber-Physical Systems (CPSs) are often tested at different test levels following "X-in-the-Loop" configurations: Model-, Software- and Hardware-in-the-loop (MiL, SiL and HiL). While MiL and SiL test levels aim at testing functional requirements at the system level, the HiL test level tests functional as well as non-functional requirements by performing a real-time simulation. As testing CPS product line configurations is costly due to the fact that there are many variants to test, test cases are long, the physical layer has to be simulated and co-simulation is often necessary. It is therefore extremely important to select the appropriate test cases that cover the objectives of each level in an allowable amount of time. We propose an efficient test case selection approach adapted to the "X-in-the-Loop" test levels. Search algorithms are employed to reduce the amount of time required to test configurations of CPS product lines while achieving the test objectives of each level. We empirically evaluate three commonly-used search algorithms, i.e., Genetic Algorithm (GA), Alternating Variable Method (AVM) and Greedy (Random Search (RS) is used as a baseline) by employing two case studies with the aim of integrating the best algorithm into our approach. Results suggest that as compared with RS, our approach can reduce the costs of testing CPS product line configurations by approximately 80% while improving the overall test quality.

We consider the problem of translating a deterministic \textbackslashemph\simulation model\ (like Matlab-Simunk, Modelica or Ptolemy models) into a \textbackslashemphěrification model\ expressed by a network of hybrid automata. The goal is to verify safety using reachability analysis on the verification model. Simulation models typically use transitions with urgent semantics, which must be taken as soon as possible. Urgent transitions also make it possible to decompose systems that would otherwise need to be modeled with a monolithic hybrid automaton. In this paper, we include urgent transitions in our verification models and propose a suitable adaptation of our reachability algorithm. However, the simulation model, due to its imperfections, may be unsafe even though the corresponding hybrid automata are safe. Conversely, set-based reachability may not be able to show safety of an ideal formal model, since complex dynamics necessarily entail overapproximations. Taken as a whole, the formal modeling and verification process can both falsely claim safety and fail to show safety of the concrete system. We address this inconsistency by relaxing the model as follows. The standard semantics of hybrid automata is a mathematical idealization, where reactions are considered to be instantaneous and physical measurements infinitely precise. We propose semantics that relax these assumptions, where guard conditions are sampled in discrete time and admit measurement errors. The relaxed semantics can be translated to an equivalent relaxed model in standard semantics. The relaxed model is realistic in the sense that it can be implemented on hardware fast and precise enough, and in a way that safety is preserved. Finally, we show that overapproximative reachability analysis can show safety of relaxed models, which is not the case in general.

In the last decades, there have been much more public health crises in the world such as H1N1, H7N9 and Ebola out-break. In the same time, it has been proved that our world has come into the time when public crisis accidents number was growing fast. Sometimes, crisis response to these public emergency accidents is involved in a complex system consisting of cyber, physics and society domains (CPS Model). In order to collect and analyze these accidents with higher efficiency, we need to design and adopt some new tools and models. In this paper, we used CPS Model based Online Opinion Governance system which constructed on cellphone APP for data collection and decision making in the back end. Based on the online opinion data we collected, we also proposed the graded risk classification. By the risk classification method, we have built an efficient CPS Model based simulated emergency accident replying and handling system. It has been proved useful in some real accidents in China in recent years.

In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are vulnerable systems that are set up with the intent to be probed and compromised by attackers. Analysis of those attacks then allows the defender to learn about novel attacks and general strategy of the attacker. Honeypots for ICS systems need to satisfy both traditional ICT requirements, such as cost and maintainability, and more specific ICS requirements, such as time and determinism. We propose the design of a virtual, high-interaction and server-based ICS honeypot to satisfy the requirements, and the deployment of a realistic, cost-effective, and maintainable ICS honeypot. An attacker model is introduced to complete the problem statement and requirements. Based on our design and the MiniCPS framework, we implemented a honeypot mimicking a water treatment testbed. To the best of our knowledge, the presented honeypot implementation is the first academic work targeting Ethernet/IP based ICS honeypots, the first ICS virtual honeypot that is high-interactive without the use of full virtualization technologies (such as a network of virtual machines), and the first ICS honeypot that can be managed with a Software-Defined Network (SDN) controller.

We present a technique for performing secure location verification of position claims by measuring the time-difference of arrival (TDoA) between a fixed receiver node and a mobile one. The mobile node moves randomly in order to substantially increase the difficulty for an attacker to make false messages appear genuine. We explore the performance and requirements of such a system in the context of verifying aircraft position claims made over the Automatic Dependent Surveillance - Broadcast (ADS-B) system through the use of simulation and find that it correctly detects false claims with a peak accuracy of over 97\textbackslash% for the most complex attack modelled; requiring only 75m of deviation between the reported position and the actual position in order for a false claim to be detected. We then report on our design for a mobile receiver and our construction of a prototype using low-cost COTS equipment. We discuss some additional benefits of incorporating a mobile node, examine the difficulties to be overcome and explore the applicability of the approach in other location verification use-cases.

Electrical substations are crucial for power grids. A number of international standards, such as IEC 60870 and 61850, have emerged to enable remote and automated control over substations. However, owing to insufficient security consideration in their design and implementation, the resulting systems could be vulnerable to cyber attacks. As a result, the modernization of a large number of substations dramatically increases the scale of potential damage successful attacks can cause on power grids. To counter such a risk, one promising direction is to design and deploy an additional layer of defense at the substations. However, it remains a challenge to evaluate various substation cybersecurity solutions in a realistic environment. In this paper, we present the design and implementation of SoftGrid, a software-based smart grid testbed for evaluating the effectiveness, performance, and interoperability of various security solutions implemented to protect the remote control interface of substations. We demonstrate the capability and usefulness of SoftGrid through a concrete case study. We plan to open-source SoftGrid to facilitate security research in related areas.

We study the trade-off between the benefits obtained by communication, vs. the risks due to exposure of the location of the transmitter. To study this problem, we introduce a game between two teams of mobile agents, the P-bots team and the E-bots team. The E-bots attempt to eavesdrop and collect information, while evading the P-bots; the P-bots attempt to prevent this by performing patrol and pursuit. The game models a typical use-case of micro-robots, i.e., their use for (industrial) espionage. We evaluate strategies for both teams, using analysis and simulations.

Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is highly periodic. However, it is sometimes multiplexed, due to multi-threaded scheduling. In previous work we introduced a Statechart model which includes multiple Deterministic Finite Automata (DFA), one per cyclic pattern. We demonstrated that Statechart-based anomaly detection is highly effective on multiplexed cyclic traffic when the individual cyclic patterns are known. The challenge is to construct the Statechart, by unsupervised learning, from a captured trace of the multiplexed traffic, especially when the same symbols (ICS messages) can appear in multiple cycles, or multiple times in a cycle. Previously we suggested a combinatorial approach for the Statechart construction, based on Euler cycles in the Discrete Time Markov Chain (DTMC) graph of the trace. This combinatorial approach worked well in simple scenarios, but produced a false-alarm rate that was excessive on more complex multiplexed traffic. In this paper we suggest a new Statechart construction method, based on spectral analysis. We use the Fourier transform to identify the dominant periods in the trace. Our algorithm then associates a set of symbols with each dominant period, identifies the order of the symbols within each period, and creates the cyclic DFAs and the Statechart. We evaluated our solution on long traces from two production ICS: one using the Siemens S7-0x72 protocol and the other using Modbus. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulate multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The resulting Statecharts model the traces with an overall median false-alarm rate as low as 0.16% on the synthetic datasets, and with zero false-alarms on production S7-0x72 traffic. Moreover, the spectral analysis Statecharts consistently out-performed the previous combinatorial Statecharts, exhibiting significantly lower false alarm rates and more compact model sizes.