Investigation of Cyber Attacks on a Water Distribution System


Authors: Sridhar Adepu, Venkata Reddy Palleti, Gyanendra Mishra

ICS Security 0 (0) 1, IOS Press

Sridhar Adepu (corresponding author), Venkata Reddy Palleti, Gyanendra Mishra and Aditya Mathur
iTrust Center for Research in Cyber Security, Singapore University of Technology and Design
E-mails: adepu_sridhar@mymail.sutd.edu.sg, venkata_palleti@sutd.edu.sg, f2013126@pilani.bits-pilani.ac.in, aditya_mathur@sutd.edu.sg

Abstract. A Cyber Physical System (CPS) consists of cyber components for computation and communication, and physical components such as sensors and actuators for process control. These components are networked and interact in a feedback loop. CPS are found in critical infrastructure such as water distribution, power grids, and mass transportation. Often these systems are vulnerable to attacks, as the cyber components such as Supervisory Control and Data Acquisition workstations, Human Machine Interfaces and Programmable Logic Controllers are potential targets for attackers. In this work, we report a study to investigate the impact of cyber attacks on a water distribution (WADI) system. Attacks were designed to meet attacker objectives and launched on WADI using a specially designed tool. This tool enables the launch of single and multi-point attacks, where the latter are designed specifically to hide one or more attacks. The outcome of the experiments led to a better understanding of attack propagation and of the behavior of WADI in response to the attacks, as well as to the design of an attack detection mechanism for water distribution systems.

Keywords: Industrial Control System, Cyber Attacks, Cyber-Physical Systems, SCADA Security, ICS Security, Water Distribution Systems

1. Introduction

Cyber Physical Systems (CPSs) are found in critical infrastructure such as water distribution, energy and transportation. A CPS consists of a physical process controlled by an Industrial Control System (ICS).
In a CPS, a set of sensors measures process variables such as temperature, flow rate and level from the physical process and sends these values to the controllers through communication channels. Based on these values the controller makes decisions and initiates actions on the physical process. Figure 1 shows the representation of a CPS as a feedback system [1]. Attacks on ICS can have a significant impact depending on the type of attack and its location. The increase in successful cyber attacks on ICS [2, 3], and many unsuccessful attempts [4], points to the importance of research in the design of ICS that are resilient to cyber attacks. Attacks are a result of the exploitation of one or more vulnerabilities in an ICS. Such vulnerabilities might be due to the lack of access control in the system [5], software vulnerabilities in the Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) software systems, and weaknesses in the communication channels.

* Corresponding author. E-mail: adepu_sridhar@mymail.sutd.edu.sg.
0926-227X/0-1900/$35.00 © 0 – IOS Press and the authors. All rights reserved

Adepu et al. / Investigation of cyber attacks ICS: WADI

Fig. 1. Key components in a CPS. State transformation of a CPS in a feedback control loop.

Motivation: Several attacks on water distribution systems have been reported in recent years, such as the Kemuri Water Company (KWC) attack in 2016 (footnote 1). The attack resulted in the exposure of personal information of the utility's 2.5 million customers. Reports from ICS-CERT [6] indicate that an understanding of these attacks against critical infrastructure is important for rapid investigation and evaluation of detection methods. The work presented in this paper is a step towards realizing a safe and secure water distribution infrastructure.
To create effective protection methods that lead to low false alarm and high detection rates, one needs to understand the nature of attacks on water distribution systems and the system response.

Goals and research questions: The goal of the study reported here is to (a) understand vulnerabilities and design potential attacks and (b) investigate the impact of cyber physical attacks. The following questions are addressed through experimentation on WADI:

RQ1: How do cyber attacks impact a water distribution system?
RQ2: How does knowledge of the response of a water distribution system to one or more cyber attacks help in designing an attack detection mechanism?

Contributions: In the context of a specific water distribution plant: (a) a tool to launch attacks and (b) the design and implementation of attacks on a water distribution system.

Organization: The remainder of this paper is structured as follows. Background and preliminary work are explained in Section 2. Section 3 presents the context of this work and includes the architecture of WADI, a vulnerability assessment, and how attacks can be launched on WADI. Section 4 describes the attack design and investigation on WADI. Responses to the research questions and lessons learned are discussed in Section 5. Related work is presented in Section 6. Section 7 offers a summary of this work and future work.

2. Preliminaries and background

This section provides the information needed to understand the remainder of the paper.

2.1. Industrial Control Systems

ICSs are found in plants such as water treatment and distribution, and in power generation, transmission and distribution. The complexity of an ICS increases the attack surface for an attacker to launch attacks both at the cyber and the physical parts of a plant. Control software in an ICS may also contain vulnerabilities for reasons such as un-patched or practically impossible to patch legacy code, the absence of standard security certifications for ICS devices, and the lack of resources to keep the ICS updated.

Footnote 1: http://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report

[Figure 2: layered network of a CPS. Physical Level (Level 0): physical process, sensors and actuators for Stage 1, Stage 2, ..., Stage n. Control Level (Level 1): PLCs P1, P2, ..., Pn, each running a control program, connected through switches SW1 and SW2. Supervisory Level (Level 2): SCADA, HMI, Engineering Workstation, Historian etc. Level 3: corporate network.]

Fig. 2. Architecture of the control portion of a CPS. P1, P2, ..., Pn denote PLCs. Each PLC communicates with its sensors and actuators through a local network at Level 0. PLCs communicate among themselves via another network at Level 1. Communication with SCADA and other computers is not shown here.

Communication structure of ICS: ICS consist of distributed supervisory control systems. The control system itself is a collection of PLCs, each controlling a specific portion of the physical process. Each PLC communicates with a set of sensors and actuators via a local network (Figure 2) through a multi-layer network, also referred to as the field-bus network [7]. The PLCs communicate with each other using the Level 1 network. Such a layered network is in accordance with the prevailing practice for ICS [8].

As mentioned in Section 1, attacks on ICS are on the rise. The results of a recent survey [9] show the threat landscape for ICS in September 2017. It represents the attack space and how often an attacker attempts to enter an ICS. Such attempts, often successful, motivate the study reported here. SCADA and Distributed Control Systems are referred to as Operational Technology (OT). The convergence of Information Technology (IT) and OT [10] is increasing in water distribution systems. With this convergence, OT data is now accessible from the IT environment, such as via remote access.
The OT data includes critical information regarding the plant such as temperatures, level indicators, control signals, sensor signals and actuator statuses; especially so in water distribution systems, as they are distributed across a city, making them an easy target for cyber-physical attacks.

2.2. Vulnerability Assessment

Vulnerability assessment on ICSs follows four main steps (footnote 2): 1) identify the list of assets and resources in the system, 2) assign importance to the resources, 3) identify security vulnerabilities in each asset and resource, 4) propose mitigation for the most serious vulnerabilities. In order to know all the vulnerabilities in an ICS, one must know the associated paths within ICS communications. In [11] the authors explained different paths through which an attacker can enter the system using various devices, communication paths, and methods that can be used for communicating with process system components. An attacker who wishes to attack an ICS has to go through the following steps: 1) gain access to the ICS network, 2) perform reconnaissance and understand the process, 3) gain control of the ICS.

Some industries have conducted vulnerability assessments of industrial systems and published the results. The following summarizes reports from Kaspersky and Honeywell. Kaspersky [12] summarized the findings of its research on ICS vulnerabilities as follows: over the years, the number of vulnerabilities rose from 19 in 2010 to 189 in 2015. Even though the vulnerabilities are fixed by the product manufacturers, ICS management does not upgrade soon. At least 5% of the vulnerabilities published by ICS-CERT were not fully fixed. Sometimes the vulnerable component was removed from the market and vendor support may no longer be available. Honeywell XL Web II Controller vulnerabilities [13] were found by an independent researcher.
An attacker may use these to expose a password by accessing a specific URL. The XL Web II thereby becomes an entry point into the network.

Fig. 3. Three stages in WADI are shown. Solid arrows indicate the flow of water and the sequence of processes. S: set of sensors; A: set of actuators. LT: Level Transmitter, AIT: Analyzer Indication Transmitter, FIT: Flow Indication Transmitter, PIT: Pressure Indication Transmitter, LS: Level Switch. Actuators: P: Pump, MV: Motorized Valve, MCV: Modulating Control Valve, SV: Solenoid Valve. The tag name of an instrument is written XXX_YYY_ZZZ, where XXX, YYY and ZZZ represent the stage number, instrument type and instrument index, respectively.

Footnote 2: https://www.secureworks.com/blog/vulnerability-assessments-versus-penetration-tests

3. Context: WADI Testbed

This study centers around a Water Distribution (WADI) testbed (footnote 3). This section covers the testbed architecture and the communication channels.

3.1. Architecture of WADI

The Water Distribution (WADI) plant [14] is an operational testbed supplying 10 US gallons/min of filtered water. It represents a scaled-down version of a large water distribution network in a city. WADI consists of three stages (Figure 3), namely the primary grid (P1), the secondary grid (P2), and the return water grid (P3). The primary grid consists of two raw water (RW) tanks of 2500 liters each. These tanks are fed by three incoming sources: the Public Utility Board (PUB), the return water grid, and a water treatment plant. A level sensor (1_LT_001) is installed in the primary grid to monitor the levels in the RW tanks. Water quality analyzers are installed to measure pH, turbidity, conductivity and residual chlorine. The secondary grid consists of two Elevated Reservoir (ER) tanks, consumer tanks, and contamination sampling stations.
The RW tanks supply water to the ER tanks using the raw water pump (1_P_003), which is installed in the primary grid. Two level sensors, 2_LT_001 and 2_LT_002, are installed in the ER tanks to measure water levels. Further, water from the ER tanks flows into the consumer tanks based on a preset demand pattern. Two water quality monitoring stations are installed at the consumer tanks: one immediately downstream of the reservoir and another before the consumer tanks (stations P2A and P2B in Figure 3). These stations ensure water quality before it is sent to the consumer tanks. Once a consumer tank is filled, an installed level switch raises an alarm and water from the tank drains into the return water grid. To recycle water, the return water grid pumps water to the primary grid. Water quality analyzers are installed in the return water grid to check water quality before pumping it into the primary grid.

Three PLCs are installed to control each stage of WADI. These PLCs use CompactRIO as RIO (Remote Input Output) from National Instruments. In addition to the PLC in the secondary grid, two Schneider Electric Remote Terminal Units (RTUs), which use SCADAPack, are installed to measure water quality. There is a total of 103 sensors and actuators operating to measure water levels, water quality, flow rates and pressure, and the status of motorized valves and pumps. There are three levels of networks in WADI. Level 0 corresponds to the communication between PLCs and sensors over Modbus RS485. Level 1 corresponds to communications using National Instruments' publish subscribe protocol (NI-PSP), while the SCADAPack RTUs communicate through Modbus TCP. PLCs at Stage-1 and Stage-3 are connected to analyzers capable of communicating through Modbus Serial. Level 2 consists of communication between the HMI and the plant control network. The interconnection of HMI, workstations and PLCs allows remote monitoring.

3.2. Vulnerability Assessment in WADI

To identify vulnerabilities in an ICS, one must know the associated paths within its communication infrastructure. In [11] the authors explained paths through which an attacker can enter the system using various devices, communication paths, and methods that can be used for communicating with process system components.

List of assets and resources in the system: The list of assets is given in Table 1. In this subsection, different vulnerabilities in WADI are explained based on the assets listed in Table 1. These include EternalBlue, the default admin password on the web server, and vulnerabilities in the RESTful web service, Modbus serial and TCP, an Objective C program that speaks NI-PSP, and a custom VI that interacts with a Python script.

Footnote 3: https://itrust.sutd.edu.sg/research/testbeds/water-distribution-wadi/

Table 1. Assets

| Asset | Version/Model used | Location |
|---|---|---|
| SCADA System | SCADA System from LabVIEW is used for the application. SCADA System computer running on Windows 7. | |
| PLCs | NI PLC is used in WADI to control various operations and works based on the firmware and control logic program. Communicates with NI-PSP and with Modbus TCP/IP communication in a few cases. | Control and network panel |
| Network Switches | Moxa ES5 301 | Network Control panel |
| Access points | Wifi access points | Network Control panel |

EternalBlue [15, 16]: This is an exploit that targets Microsoft Windows and was used for the WannaCry ransomware attack in 2017. EternalBlue [17] exploits a vulnerability in the Server Message Block (SMB) protocol, catalogued as CVE-2017-0144 [18]. The SMB server mishandles packets from remote attackers, which eventually allows access to the system. Attacks similar to the WannaCry attack were studied in the automotive sector [19] and identified as an emerging threat to critical infrastructure and industrial control systems.
Default admin password on web server [6, 11, 20]: Manufacturers ship default passwords, and during the installation and configuration period the operating management does not change them. An attacker can use those default passwords from each manufacturing unit and exploit the system. Later they could be used to modify the functions of the overall control system.

To develop the attack tool, all communication channels were studied and investigated for openings and vulnerabilities. A lot of them lacked any form of access control. Different parts of WADI support various different communication channels, like MODBUS between RTUs and SCADA, and NI-PSP between various controllers and RTUs.

RESTful web service: LabVIEW allows VIs to be equipped with RESTful web services which manipulate the data via HTTP methods like GET, POST etc. These services don't require any authentication by default.

Modbus serial and TCP: RTUs P2A and P2B run Modbus TCP, while the analyzers installed in P1 and P3 are connected via Modbus serial. The protocol was designed with safety in mind but not security, and hence lacks any type of access control; if you can ping a device running Modbus you can own the device. Python has a couple of libraries which speak Modbus, most importantly pyModbus. Using this library an attack tool was designed capable of reading and manipulating data on 8 sensors connected to P2A and P2B related to water quality. These sensors are responsible for measuring water properties such as pH, ORP and conductivity.

Objective C program that speaks NI-PSP: It was found that there exist C# and Visual Basic libraries that speak NI-PSP. These libraries are proprietary and are part of Measurement Studio for Visual Studio. This allows any attacker to write and read basic data from sensors and actuators in the plant.
Custom VI that interacts with a Python script: This method relies on using special VIs (Virtual Instruments), or LabVIEW programs, that can read and write the cluster variables. To make this method more dynamic, a Python package was written that could speak to the Virtual Instruments to craft more complex attacks, giving complete access to the system. The NI-PSP implementation in the water distribution plant has no authentication or access control, as mentioned above. As long as an adversary can access the network, they can control the entire plant.

Summary: All the above methods rely on the fact that the network is very open. The system has no authentication in place and depends on the network being full of good nodes acting in the interest of the plant.

• The National Instruments Publish Subscribe Protocol variables have a property through which they can be made accessible to certain users/groups through an additional plugin, but the configuration of the plant allows access to any user on any host as long as they can connect with the PLC/SCADA system. The publish subscribe protocol has no security for variables by default. One has to pay for another product, called DSC or Datalogging and Supervisory Control, to have any form of security.
• Modbus is known to be very open and insecure. As long as one can assume the IP address of one of the registered devices in the network, one can access, read and write any variable on any register via Modbus. Assuming an IP address is as simple as removing one of the cables from one of the switches and plugging in your own cable. Despite the lack of any access control methods, MODBUS continues to be used in a lot of Industrial Control Systems. It has no passwords, no authorization, and no facility to pass certificates, but it continues to be used because of its popularity and simplicity.
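Because Modbus itself carries no authentication, the only place to enforce "who may write" is outside the protocol: on the network, by checking every write request against the hosts that are supposed to issue them. The following Python script is an added example (not the paper's tool and not pyModbus) that parses Modbus/TCP request frames from their MBAP header and raises an alert for any write function code sent by a host outside an allow-list, as well as for malformed frames. The frames and IP addresses below are constructed for illustration; they are not WADI traffic.

```python
import struct
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Modbus function codes that change coil or register state on the target device.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    address: int     # first coil/register address in the PDU, or -1 if absent
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP request: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data). Returns None if
    the frame is too short, has a non-zero protocol id, or a length field that
    does not match the bytes that follow it."""
    if len(frame) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        return None
    fc, data = frame[7], frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(tid, uid, fc, address, data)


def audit_modbus(events: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Return one alert per malformed frame and per write request whose source
    host is not an authorised writer. Read requests are never alerted on."""
    alerts: List[str] = []
    for src_ip, frame in events:
        req = parse_modbus_tcp(frame)
        if req is None:
            alerts.append(f"{src_ip}: malformed Modbus/TCP frame {frame.hex()}")
        elif req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(f"{src_ip}: {WRITE_FUNCTION_CODES[req.function_code]} "
                          f"to unit {req.unit_id} address {req.address} from unauthorised host")
    return alerts


# Constructed sample traffic; the IP addresses are placeholders, not WADI's.
SCADA_HOST = "10.0.0.10"
ROGUE_HOST = "10.0.0.99"
ALLOWED_WRITERS = {SCADA_HOST}
SAMPLE_EVENTS = [
    # SCADA reads 8 holding registers starting at address 0 from unit 1 (FC 3): benign
    (SCADA_HOST, struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 8)),
    # SCADA writes register 1 on unit 1 (FC 6): permitted writer, no alert
    (SCADA_HOST, struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 1, 700)),
    # unknown host writes register 1 on unit 1 (FC 6): alert
    (ROGUE_HOST, struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 1, 700)),
    # truncated frame (MBAP header only, no PDU): alert
    (ROGUE_HOST, bytes.fromhex("00040000000601")),
]


if __name__ == "__main__":
    for line in audit_modbus(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(line)
```

The allow-list is keyed on source IP only, which is exactly the property the bullet above says is easy to assume by re-plugging a cable; in practice the same check should be tied to switch port or MAC binding as well, and a write from a permitted host at an unexpected time still deserves a process-level check.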
Having a firewall in place is one of the methods to ensure that a PLC isn't exposed to the internet, but this doesn't solve the inherent problems that MODBUS brings; it only pushes them up a level. Now the attacker has to access a machine that the firewall trusts in order to gain access to the PLC supporting MODBUS. According to the Internet of Things search engine Shodan, there are 17,000 devices listening to MODBUS on the internet, the majority of them in the United States (footnote 4). CWE-284 Improper Access Control (footnote 5) describes systems with improper or no access control. The state of the plant at the moment exhibits CWE-284. As an adversary can easily read and manipulate critical data in the plant, the plant at the moment also carries the CWE-306: Missing Authentication for Critical Function weakness. Moving forward, protocol designers and software/PLC component manufacturers should push for proper authentication by default. The lack of secure defaults is no minor issue and is nothing new. A lot of studies have shown the impact of insecure defaults and how users generally don't change the defaults if they don't have to (footnotes 6, 7).

Footnote 4: https://blog.shodan.io/content/images/2015/09/screenshot-www-shodan-io-2015-09-04-22-33-29.png
Footnote 5: https://cwe.mitre.org/data/definitions/284.html
Footnote 6: https://www.uie.com/brainsparks/2011/09/14/do-users-change-their-settings/
Footnote 7: https://www.nngroup.com/articles/the-power-of-defaults/

3.3. Attacking WADI

As mentioned in Section 3.1, WADI uses a multi-layered network comprising different protocols at different levels and between different devices. For this paper the focus is on the National Instruments Publish Subscribe Protocol (NI-PSP). NI-PSP is the most used protocol in the entire WADI network and provides access to all data on the network.
We developed an attack tool named NiSploit (footnote 8) that uses custom LabVIEW Virtual Instruments (VIs) to communicate with shared variables present on different PLCs across the plant using NI-PSP. Earlier exploration of various other mechanisms gave only limited access to the variables [5].

Shared variables are used by a controller and SCADA to expose data over the network via a shared variable engine. These variables reside in the controllers and the SCADA, have a publish-subscribe architecture, and are shared using NI-PSP. Network shared variables publish data through the shared variable engine. The shared variable engine resides on a SCADA and manages variables using the NI-PSP protocol. In the publish subscribe model the publishers do not publish to clients; instead they send data to the shared variable engine after every update, and the subscribers subscribe to the shared variable engine for changes.

LabVIEW programs, or VIs, are simple drag and drop programs. We have written custom VIs for the purpose of attacking the National Instruments Publish Subscribe Protocol variables. Several different custom VIs have been created, each one for attacking a different type of cluster variable used in WADI.

The Python module is the front end of the tool, and an attacker needs to be concerned only with the use of this module. The module uses ActiveX [21] to control the LabVIEW application from Python code. It connects to ActiveX controls using the Pywin32 library. ActiveX allows the user to run programs and specific functions that the program has exposed via its ActiveX server. LabVIEW exposes a lot of different functionality, including the ability to run VIs, set values for different controls and fetch values of interest. The custom VIs along with the Python module allow for creating powerful and complex controlled attacks. The attacks designed and executed in the following section (Section 4) are realized through the NI-PSP attack tool called NiSploit.
4. Attack Investigation on WADI

This section presents a detailed case study which includes attack design, execution of attacks and results. We assumed an attacker [22] has the ability to enter the system through vulnerabilities and social engineering. Further, we considered an insider attacker profile in which the attacker has process and communication knowledge, and access to the communication channels.

4.1. Attack Design

Attacks considered in this paper are launched on the primary grid (P1) and secondary grid (P2) of WADI (Section 3.1). Stage-1 contains a tank whose level is measured by 1_LT_001. The stage-2 tank is responsible for water received by the consumer and its level is measured by 2_LT_002. Valve 1_MV_001 is responsible for the flow of water from the RW tanks to the drain. Valve 1_MV_002 is responsible for the inflow of water to the RW tank. Valve 2_MV_003 is responsible for the inflow of water to the ER tank. Water flows from the RW tank to the ER tank. In this study, an attacker is an insider who has access to the system: process and communication knowledge, and access to the communication channels.

Cyber attacks on WADI were derived from a CPS-specific generalized attacker model [23, 24]. This model contains the attacker's intents (set I) and the attack domain (D). For example, in a water distribution system the attacker's intent could be to damage a water pump or to overflow the water from a tank. An attack model for a CPS is represented as a six-tuple (M, G, D, P, S_o, S_e). An attack procedure M is designed by the attacker to realize an attack on a finite set of attack points P in a CPS when this CPS is in state S_o, and is possibly removed when the CPS is in state S_e. This attacker model is useful in generating a variety of attacks.

Footnote 8: https://gitlab.com/gyani/NiSploit
The attack procedure M contains the attack vectors, which include how an attacker enters the system and manipulates different communication channels. The procedure M is essentially the use of the NiSploit tool as described in Section 3.3. Goal G is equal to intent I. Domain D is derived from the CPS domain [23]. For each CPS, the domain is different based on the kind of physical process and components involved. Here, P is a set of sensors, actuators or any other potential attack points. S_o is the starting state of the system at the time the attack is launched and S_e is the end state of the system when the attacker ends the attack. When S_e and I are identical, the attacker has reached his intent, i.e. has made an impact on the system.

The impact of attacks can be viewed along three dimensions [23]: (C_m, P_r, P_e), where C_m represents the impact on components of the system, P_r is the impact on properties such as water pH, ORP (Oxidation Reduction Potential), conductivity and hardness, and P_e is the performance of the overall plant; e.g. if a water distribution system supplies 10 million gallons per day, the attacker's intent may be to reduce it to 5 million gallons per day. The attacks are on 1_LT_001, 2_LT_002, 1_MV_002, 2_MV_003, and 1_MV_001, which form the C_m dimension of the attack domain. For the dimensions considered in this paper, refer to Table 2. The attacks also affect the flow of water, which falls along the P_e dimension. P_r is an empty set, as the attacks do not affect the property dimension.

Based on the above description, six attacks were designed and launched one at a time (refer to Table 2 for a summary of all attacks). As discussed in the attacker model, we derived the attacks from an intent of the attack.
Based on the existing realistic attacks and incidents reported in the literature on water distribution systems, we considered the following intents in our experiments: 1) stop water supply to consumers, 2) damage water pumps in the water distribution system, 3) overflow the water tanks, 4) waste water by leaking a pipe, 5) burst the water pipes, 6) manipulate the dosing mechanisms in a water distribution system. One might attempt to realize one or more than one intent (mentioned in Table 2) at a time. There are a couple of steps to go through to realize an intent: 1) understand the physical process, 2) based on the intent, identify the set of sensors or actuators to manipulate, and 3) control the process to reach the intent. Initially, we understand the WADI process behavior and identify the set of sensors and actuators to be attacked in order to reach the intent. We divided the attacks into two categories based on the number of sensors and actuators attacked. A single-point attack is when only one sensor or actuator is attacked. When the attack occurs on more than one sensor or actuator, it is classified as a multi-point attack. In Table 2, four single point and two multi point attacks are listed.

4.2. Execution of attacks

We used NiSploit (see Section 3.3) to launch the attacks listed in Table 2. The remainder of this subsection offers details of each attack.

4.2.1. Attack 1: Attack on 1_LT_001

This is an attack on level indicator 1_LT_001. This level indicator measures the level in the raw water tank (stage 1). The related shared variable is stored at the path P1-CompactRIO/HMI_HOST/HMI_1_LT_001 and contains measurements for the water level in raw water tank 1. The shared variable cluster can be broken down into the following variables.

• PV - Process value; measures the water level.
• SIM PV - Process value used in simulation mode.
• SIMULATION - A boolean that sets whether the simulation PV or the actual PV is used as the PV.
• SAHH - Set point Alarm High High; the HH alarm default is 90.
• SAH - Set point Alarm High; the High (H) alarm set point default is 70.
• SAL - Set point Alarm Low; the Low (L) alarm set point default is 60.
• SALL - Set point Alarm Low Low (LL); the Low Low alarm set point default is 40.
• S_EMPTY - Set point for the state in which the tank is considered empty; default is 35.
• A_EMPTY - Alarm indicating S_EMPTY is reached.
• AHH - Alarm indicating SAHH is reached.
• AH - Alarm indicating SAH has been reached.
• AL - Alarm indicating SAL is reached.
• ALL - Alarm indicating SALL is reached.

Table 2. Summary of attacks launched on WADI

| Attack No | Attacked Sensor/Actuator | Intent | Start state (S_o) | End state (S_e) |
|---|---|---|---|---|
| Single point attacks | | | | |
| 1 | LIT - 1_LT_001 | Block flow of water to ER tank | 48% | 40% |
| 2 | LIT - 2_LT_002 | Stop flow of water to consumers and damage pump | | 80% |
| 3 | MV - 1_MV_002 | No flow of water to the consumers | Open | Close |
| 4 | MV - 1_MV_001 | Block flow of water to raw water tank | Open | Close |
| Multi point attacks | | | | |
| 5 | 1_AIT_002, 2_MV003 | Supply contaminated water to the elevator tank | 1_AIT_002 is 0.5 and 2_MV003 is Close | 1_AIT_002 is 6 and 2_MV003 is Open |
| 6 | 2_MCV_101, 2_MCV_201 | Intermittent supply to consumer tank | Both Close | Open both valves at 50% |

In this attack the attacker sets SIMULATION to True, sets SIM PV to 40, and also sets S_EMPTY to 40, using a script written with the NiSploit library. Thus, the state of WADI moves from S_o = {SIMULATION=False, S_EMPTY=35, 2_MV_004=Open} to S_e = {SIMULATION=True, S_EMPTY=40, 2_MV_004=Close}.

4.2.2. Attack 2: Attack on 2_LT_002

This is an attack on level indicator 2_LT_002. This level indicator measures the ER tank-2 level in process 2.
The related shared variable is stored at the path P2-CompactRIO/HMI_HOST/HMI_2_LT_002 and contains measurements for the water level in ER tank-2. The shared variable cluster can be broken down into smaller variables as described in Section 4.2.1. In this attack the attacker sets PV to 80 by running a continuous loop. The state of the valves and pumps remains unchanged, i.e. open and running, but the level of water falls in both the Raw Water Tank and the ER.

4.2.3. Attack 3: Attack on Motorized Valve 1_MV_002

This attack is on motorized valve 1_MV_002. This motorized valve is an actuator in process 1; the related shared variable is stored at the path P1-CompactRIO/HMI_HOST/HMI_1_MV_002 and contains the current status of the respective motorized valve governing the flow of water to the drain. The shared variable cluster can be broken down into the following smaller variables.

• Auto - If set to True, the motorized valve works according to the programmed logic.
• Open Command - Open the valve.
• Close Command - Close the valve.
• Reset - Reset the valve state to the default state.
• Available - Check whether the valve is available for control.
• Fully Open - Boolean indicating whether the valve is fully open.
• Fully Close - Boolean indicating whether the valve is fully closed.
• Failed to Open - Set when the open command is sent but the valve could not be opened.
• Failed to Close - Set when the close command is sent but the valve could not be closed.
• Status - The current status of the valve.
• State - The current state of the valve, i.e. open or closed.

The state of the system moves from S_o = {1_MV_002=Close, 2_MV_004=Open} to S_e = {1_MV_002=Open, 2_MV_004=Close}.

Fig. 4. Attack 1: Water level readings of the three stages. The attacker brings the level of 1_LT_001 to 40%.

Fig. 5. Attack 1: Flow to the consumer tanks; consumers are cut off from water supply from a little over 3500 seconds onwards.
The attacker sets Auto to False and force-opens the drain valve.

4.2.4. Attack 4: Attack on Motorized Valve 1_MV_001

This attack is on motorized valve 1_MV_001, an actuator in process 1. The related shared variable is stored at the path P1-CompactRIO/HMI_HOST/HMI_1_MV_001 and contains the current status of the motorized valve governing the inflow of water to the raw water tanks. The attacker sets Auto to False and sends the Close command. The state of WADI moves from S_o = {1_MV_001=Open, 2_MV_004=Open} to S_e = {1_MV_001=Close, 2_MV_004=Close}.

In the previous sections we described the single point attacks. An attacker can also target multiple points at a time, within a single stage and/or across multiple stages. However, in this study we investigated attacks on at most two points. As shown in Table 2, four two-point attacks are launched on the system. In attack 5, the attacker's intention is to supply contaminated water to the elevator tank. To realize this intent the attacker launches a multi-stage multi-point attack across processes P1 and P2, targeting 1_AIT_002 in process 1 and 2_MV002 in process 2. In attack 6, the attacker's intention is to cause intermittent supply to the consumer tank. This is a single-stage multi-point attack, in which the attacker targets two actuators (2_MCV_101, 2_MCV_201) in process P2. The initial and final states of the system during attacks 5 and 6 are given in Table 2.

4.3. Results

The results show how an attacker is able to achieve his intent. This kind of study is helpful for performing an impact analysis of the system. The remaining subsections present the results for the attacks listed in Table 2.

4.3.1. Attack 1: Attack on 1_LT_001

From Figure 4 it can be seen that the attack begins slightly after 1000 seconds, when 1_LT_001 is set to simulation mode with SIM PV at 40.
Figure 4 shows the attack on 1_LT_001, in which the attacker alters the reading of the RW tank level from 48% to 40%, which corresponds to a Low Low (LL) state. Since the raw water tank is in the LL state, the controller sends a command to open the PUB inlet valve, or the return water grid pump, to fill the tank. Further, due to the LL state of the RW tank there is no flow of water from the primary to the secondary grid. It is to be noted that at the time the attack is launched on the RW tank, the secondary grid is at 50% of the maximum tank level. Therefore, the secondary grid supplies water to the consumer tanks until it reaches 35% of the maximum tank level, which is considered the "Empty" state. The behavior of the secondary grid tank level (2_LT_002) is shown in Figure 4. Figure 5 indicates that no water flows to the consumers when the secondary grid tank is in the Empty state. Further, the RW tank overflows, as there is no flow from the primary grid to the secondary grid although there is a continuous supply of water to the RW tank through the PUB valve.

Fig. 6. Attack 1: Actual level of the RW tank as it overflows.

It is possible to estimate the water level in a tank from first principles. The mass balance equations, in continuous and discrete form, for the change in water level h for given input and output flow rates Q_in and Q_out are

$$A \frac{dh}{dt} = Q_{in} - Q_{out}, \qquad (1)$$

$$h(t+1) = h(t) + \frac{\Delta t \,\big(Q_{in}(t) - Q_{out}(t)\big)}{A}, \qquad (2)$$

where A is the cross-sectional area of the tank. Assuming linear dynamics, Q_in and Q_out are either 0 (when the valve is closed) or constant (when the valve is open). We use Eq. 2 to estimate the tank level when a sensor is under attack. In this attack, the attacker sets the value of 1_LT_001 to 40%, which corresponds to the LL state. Consequently the outlet flow rate Q_out is zero, and Eq. 2 reduces to

$$h(t+1) = h(t) + \frac{\Delta t \, Q_{in}(t)}{A}. \qquad (3)$$

Using Eq. 3 we estimate the actual level of the tank.
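As an added worked example (not code from the paper or from the WADI testbed), the following Python simulation applies Eq. 2 to estimate the true level of a tank from the commanded flows while the level the controller sees is held at 40%, as in attack 1. The tank area, flow rates, sampling interval and initial level are constructed assumptions, and controller_flows is a simplified stand-in for the PLC logic (inlet open below H, outlet to the secondary grid open only above LL, so that the LL case is exactly Eq. 3). The estimate is compared with the reported value to flag the discrepancy, and the step at which the estimate crosses 100% predicts the overflow of Figure 6.

```python
"""Estimate a tank level from the mass balance of Eq. 2 and compare it
with the reported sensor value.  Added example with constructed
parameters; it is not the WADI controller or the paper's estimator."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed plant parameters (assumptions, not WADI values)
AREA_M2 = 2.0          # tank cross-sectional area A
DT_S = 10.0            # sampling interval, delta t
Q_IN_M3_S = 0.004      # inlet flow when the PUB inlet valve is open
Q_OUT_M3_S = 0.003     # outlet flow to the secondary grid when open
TANK_HEIGHT_M = 1.0    # height corresponding to a 100% level
# Alarm set points from Section 4.2.1 (percent of tank height)
LL_PCT, H_PCT = 40.0, 70.0


@dataclass(frozen=True)
class Sample:
    step: int
    reported_pct: float   # what the HMI/PLC sees (possibly spoofed)
    estimated_pct: float  # mass-balance estimate of the true level


def to_pct(h_m: float) -> float:
    return 100.0 * h_m / TANK_HEIGHT_M


def controller_flows(reported_pct: float) -> Tuple[float, float]:
    """Simplified stand-in for the PLC logic (assumption): the inlet valve is
    open while the level it sees is below H, and the outlet to the secondary
    grid is open only while the level it sees is above LL (no outflow in LL)."""
    q_in = Q_IN_M3_S if reported_pct < H_PCT else 0.0
    q_out = Q_OUT_M3_S if reported_pct > LL_PCT else 0.0
    return q_in, q_out


def next_level(h_m: float, q_in: float, q_out: float) -> float:
    """Eq. 2: h(t+1) = h(t) + delta_t * (Q_in(t) - Q_out(t)) / A."""
    return h_m + DT_S * (q_in - q_out) / AREA_M2


def simulate(n_steps: int = 40, h0_pct: float = 48.0,
             attack_start: Optional[int] = 5,
             spoofed_pct: float = 40.0) -> List[Sample]:
    """Run the plant for n_steps.  From attack_start on, the level the
    controller sees is held at spoofed_pct (attack 1); the true level keeps
    evolving under the controller's reaction to the spoofed value."""
    h = h0_pct / 100.0 * TANK_HEIGHT_M
    samples: List[Sample] = []
    for step in range(n_steps):
        attacked = attack_start is not None and step >= attack_start
        reported = spoofed_pct if attacked else to_pct(h)
        samples.append(Sample(step, reported, to_pct(h)))
        q_in, q_out = controller_flows(reported)
        h = next_level(h, q_in, q_out)
    return samples


def first_divergence(samples: List[Sample], tol_pct: float = 5.0) -> Optional[int]:
    """First step at which the estimate and the reported level disagree by
    more than tol_pct: the check a defender would alarm on."""
    for s in samples:
        if abs(s.estimated_pct - s.reported_pct) > tol_pct:
            return s.step
    return None


def first_overflow(samples: List[Sample]) -> Optional[int]:
    """First step at which the estimated level exceeds 100% (Figure 6)."""
    for s in samples:
        if s.estimated_pct > 100.0:
            return s.step
    return None


if __name__ == "__main__":
    run = simulate()
    print("reported vs estimated (every 5th sample):")
    for s in run[::5]:
        print(f"  t={s.step * DT_S:6.0f}s  reported={s.reported_pct:6.1f}%"
              f"  estimated={s.estimated_pct:6.1f}%")
    print("divergence first flagged at step", first_divergence(run))
    print("estimated overflow at step", first_overflow(run))
```

With these constructed numbers the estimate and the reported value part company at the first spoofed sample (step 5), and the estimated level passes 100% at step 30, i.e. 250 s after the attack starts; with no attack the two series coincide and the level oscillates between LL and H without overflowing. In a real deployment A, the flow constants and the tolerance would be taken from the plant design rather than assumed.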
As in Figure 6, the tank overflows when the attacker holds the reported value constant at 40%.

4.3.2. Attack 2: Attack on 2_LT_002

Fig. 7. Attack 2: Water level readings of tanks. The figure shows the launch of the attack on 2_LT_002 at approximately 1000 seconds.

In Figure 7 it can be seen that the attack begins after 1000 seconds, when 2_LT_002 is set to 80% of the tank level, which corresponds to the High (H) state. This leads to no flow of water from the RW tank to the ER tank. However, the ER tank continuously supplies water to the consumers. After sufficient time has elapsed, the actual ER tank level moves to the Empty state, as seen in Figure 8. It can be observed that in this situation the booster pump keeps running continuously, assuming that the ER level is at H. Consequently the booster pump will run dry and may be damaged unless a physical protection, e.g., a temperature cut-off, is installed. Further, supply to the consumers stops completely.

4.3.3. Attack 3: Attack on Motorized Valve 1_MV_002

In Figure 9 it can be seen that the attack begins after 1000 seconds, when valves 1_MV_002 and 1_MV_003 (also called drain valves) are forced open. When these valves are open, water starts draining from the RW tank. Also, water is supplied to the ER tank when its level reaches the L state. After some time the water level in the RW tank reaches the LL state and consequently the PUB inlet valve, or the return water grid pump, turns on to fill the tank. Note that filling (through the PUB valve or return water grid) and draining (through 1_MV_002 and 1_MV_003) happen simultaneously. This keeps the water level in the tank at 40% or below, depending on the inlet and drain flow rates. Figure 10 shows that the water level falls below 40% gradually, leading to no water supply from the RW tank to the ER tank.
Consequently the water supply to the consumer tanks stops (shown in Figure 11) when the level in the ER tank falls to 35% of the maximum tank level.

4.3.4. Attack 4: Attack on Motorized Valve 1_MV_001

As in Figure 12, the attack begins after 1000 seconds, when valve 1_MV_001 is forced shut. This leads to no water flow into the RW tank. Figure 13 shows that the RW tank level is kept at 40% as a result of the attack. Hence, there is no flow from the RW tank to the ER tank. However, the ER tank continuously supplies water to the consumers.

Fig. 8. Attack 2: Actual water level of the ER tank (2_LT_002) goes into the Empty state.

Fig. 9. Attack 3: Attack on valves 1_MV_002 and 1_MV_003.

Fig. 10. Attack 3: Water tank level of 1_LT_001 reduces gradually. At ≈ 2250 s, 2_LT_002 reaches the Empty state (35% of tank level).

Fig. 11. Attack 3: Water flow to the consumers.

Fig. 12. Attack 4: Attack on valve 1_MV_001 at approximately 1250 seconds.

Fig. 13. Attack 4: Water tank levels when 1_MV_001 is attacked.

It can be observed from Figure 13 that the ER tank level reaches the Empty state after some time and no water flows to the consumers.

4.4. Multi point attacks

4.4.1. Attack 5

In this attack, the attacker launches a multi point attack on 1_AIT_001 and 2_MV_003, as shown in Figures 14 and 15 respectively. Initially, the attacker manipulates the 1_AIT_001 value from 0.5 to 6, which is above the threshold, at around 400 seconds. Then, at around 500 seconds, the attacker opens the inlet valve (2_MV_003) of the elevated reservoir tank. As a result, water from the raw water tank is pumped to the elevated reservoir tank.
Therefore, the attacker successfully achieves his goal by launching the attack on 1_AIT_001 and 2_MV_003.

Fig. 14. Attack 5: Attack on 1_AIT_001.

Similarly, attack 6 is launched on the system to achieve the attacker's goal based on the attacker's intentions.

5. Discussion

Next we summarize what we learned during this investigation and provide answers to the research questions stated earlier.

Fig. 15. Attack 5: Attack on 2_MV_003.

Value of a testbed: Researchers have studied [25, 26] attacks on water distribution systems. However, these studies have concentrated on small systems with a few sensors and actuators, and thus are not adequate to investigate cyber attacks on larger systems. Characterizations of cyber attacks on water distribution systems launched in a simulated environment [26] may not be realistic, though they do offer hints on the design of the experiments reported here. The study reported here overcomes the limitations of past studies by using a realistic water distribution system as the testbed, namely WADI.

RQ1: How do cyber attacks impact a water distribution system?: Section 4.3 describes how six attacks affect the water distribution process in WADI. In summary, an attack may lead to any one or more of the following undesirable consequences: (a) tank overflow, (b) pressure drop at the consumer end, (c) no water at the consumer end, and (d) equipment damage. In addition to the six attacks mentioned in Section 4.3, several other attacks can be launched on WADI. For example, organic and inorganic contaminants may be added to the water and the chemical sensors compromised [27] so that the attack is not detected. WADI also has a leakage simulator that can be used to launch leakage or water theft attacks. Such attacks and their impact on WADI will be studied in the future.

RQ2: How does knowing the response of a CPS to one or more cyber attacks help in designing an attack detection mechanism?: Traditional attack detection is often based on network traffic monitoring [28]. Proposed watermarking schemes are based on control theory [29]. It is well understood that cyber attacks or faults on the system affect specific sensor readings. Future research will focus on the detection of attacks such as those described in Section 4.1. There exist several detection mechanisms in the literature. One such mechanism is based on invariants derived from the plant design. A "process invariant", or simply an invariant [30], is a mathematical relationship among "physical" and/or "chemical" properties of the process controlled by the PLCs in a CPS. These invariants aid in detecting such attacks. For example, attack 1 in Section 4.1 can be detected as follows. In this attack, the attacker sets the raw water tank level to the LL state and as a result 1_MV_001 opens to fill the tank. Further, the tank level does not rise even though the inlet valve is open and there is no outflow from this tank. One can write the invariant for the valve and the tank level as follows: if the tank level is in LL and the inlet valve opens, then after sufficient time the tank level should rise to the L or H state. However, in this case the tank level reaches neither the L nor the H state. Clearly, the invariant is violated and hence the attack is detected. Therefore, these kinds of invariants are useful in attack detection. Note that violation of an invariant does not necessarily imply that there is a cyber attack; it could also be due to a communication or component failure.

6. Related Work

Open research challenges: Researchers have presented challenges in safety and security against cyber attacks that need to be addressed while designing a CPS [31–33]. Sajid et al. [34] explained the integration of IoT and SCADA systems with a focus on security and on how to integrate and create intelligent ICS using the Internet. Humayed et al. [35] surveyed the literature on cyber physical systems security and presented an orthogonal framework consisting of security, component and system perspectives. They focused mainly on four kinds of CPS: ICS, smart grids, medical devices, and smart cars.

Attack modeling and analysis: Attacks have been modeled as noise in sensor data [29]. Attack models designed specifically for CPS include a variety of deception attacks, including surge, bias, and geometric attacks [36]. Such models have been used in experiments to understand the effectiveness of statistical techniques in detecting cyber attacks. The attacks designed in this work are based on a cyber-physical attacker model [23]. Jajodia et al. [37] proposed a detailed procedure for modeling cyber systems using attack graphs. Such graphs model practical vulnerabilities in distributed networked systems. Chen et al. [38] have proposed argument graphs as a means to capture the workflow in a CPS. The graphs are intended to assess a system in the presence of an attacker. The graphs are formed based on information in the workflow such as use case or state, physical system topology such as network type, and an attacker model such as an order to interrupt, power supply, physical tampering, network connection, denial of service, etc. Typed graphs [39] and Bayesian defense graphs [40] are a few other important contributions to the modeling of cyber attacks.

Attacks on water systems: The first well known attack on a water supply was Maroochy Shire [41] in Australia in 2000. The Industrial Control Systems Cyber Response Team [6] has reported several attacks on water systems and remedial actions to protect against them. Amin et al. [25, 42] studied attacks on water canal systems and presented attack detection methods based on control and hydrodynamic models.
However, that work focuses on an ICS consisting of a few sensors and actuators. A formal approach [43, 44] has been used to analyse the security of a water treatment system. We aim at investigating the impact of attacks on a larger system such as WADI, which has more than 100 sensors and actuators. Riccardo et al. [26] presented a modeling framework to characterize cyber physical attacks on water distribution systems. This framework consists of a few categories of attacks and EPANET simulation models. The analysis is applied to the C-Town network to show the usage of the framework. That work was mostly performed in a simulation environment, while the study reported here was performed on an operational water distribution system [14]. This research is helpful for understanding the differences between simulation-based attack investigation in water distribution systems and attacks on real-time water distribution systems. Section 5 addresses these differences and the advantages of the approach used in the current work.

Attack detection in water systems: Mitchell and Chen [45] surveyed intrusion detection techniques for CPS. They presented existing works based on a classification tree, along with the advantages and limitations of the techniques. The use of invariants for detecting attacks on CPS has been proposed and evaluated by several researchers, e.g. in [30, 46, 47]. In that work it is claimed that the use of controlled invariant sets in detecting cyber attacks uses little information about the controller and hence is useful for a large range of control laws. Yuqi et al. [48] proposed an approach for learning physical invariants that combines machine learning with ideas from mutation testing. Data-driven approaches [49, 50] for attack detection have been studied on a water treatment system. The security of cyber physical systems has also been studied as decision games [51].
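The valve/level invariant stated in Section 5 (a tank reading LL with its inlet valve open must reach the L state after sufficient time) can be coded as a monitor over HMI telemetry. The following Python is an added example, not the authors' detector or any WADI code; the sample traces, the 10 s sampling interval and the 600 s settling time are constructed assumptions, and the set points are the defaults from Section 4.2.1. It also carries the caveat the paper makes: a violation says the plant is not behaving as designed, not that the cause is an attack.

```python
"""Invariant monitor for the tank/valve rule of Section 5.  Added example
with constructed telemetry; it is not the authors' detector."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default alarm set points from Section 4.2.1 (percent of tank height)
LL_PCT = 40.0
L_PCT = 60.0


@dataclass(frozen=True)
class Sample:
    t_s: float         # time of the HMI sample, seconds
    level_pct: float   # tank level as reported by the level transmitter
    inlet_open: bool   # state of the inlet valve (e.g. 1_MV_001)


def check_fill_invariant(samples: List[Sample], settle_s: float = 600.0) -> Optional[float]:
    """Return the time at which the invariant is first violated, or None.

    Invariant: once the reported level is in LL (<= LL_PCT) while the inlet
    valve is open, the level must reach L (>= L_PCT) within settle_s seconds
    of continuous filling.  The clock resets only when the tank reaches L or
    the inlet valve closes.  settle_s is a constructed assumption; in a real
    plant it follows from the tank size and the inlet flow rate."""
    fill_start: Optional[float] = None
    for s in samples:
        if fill_start is None:
            if s.level_pct <= LL_PCT and s.inlet_open:
                fill_start = s.t_s          # filling from LL has begun
            continue
        if s.level_pct >= L_PCT or not s.inlet_open:
            fill_start = None               # filled, or filling interrupted
            continue
        if s.t_s - fill_start >= settle_s:
            return s.t_s                    # still below L after settle_s
    return None


def run_monitor(traces: Dict[str, List[Sample]]) -> Dict[str, Optional[float]]:
    """Evaluate the invariant over several named traces; a non-None value is
    an alarm time.  A spoofed sensor, a lost communication link and a stuck
    inlet valve all violate the same invariant, so the alarm marks the
    anomaly and the cause still has to be investigated."""
    return {name: check_fill_invariant(trace) for name, trace in traces.items()}


def make_trace(levels: List[float], inlet_open: bool = True,
               dt_s: float = 10.0, t0_s: float = 0.0) -> List[Sample]:
    """Build a constructed HMI trace sampled every dt_s seconds from t0_s."""
    return [Sample(t0_s + i * dt_s, lvl, inlet_open) for i, lvl in enumerate(levels)]


# Constructed traces, not WADI data.
# Normal fill: tank reads LL, inlet opens, level climbs 2 points per sample
# and reaches L at t = 100 s.
NORMAL_TRACE = make_trace([40.0 + 2.0 * i for i in range(20)])
# Attack 1 as the invariant sees it: the reported level is held at 40% for
# 1000 s while the inlet valve stays open.
ATTACK_TRACE = make_trace([40.0] * 101)
# Inlet closed the whole time: the invariant's premise never holds.
IDLE_TRACE = make_trace([40.0] * 101, inlet_open=False)
# Filling interrupted at t = 300 s (inlet closed) before settle_s elapses.
INTERRUPTED_TRACE = make_trace([40.0] * 30) + make_trace([40.0] * 71, inlet_open=False, t0_s=300.0)


if __name__ == "__main__":
    for name, alarm in run_monitor({"normal": NORMAL_TRACE, "attack": ATTACK_TRACE,
                                    "idle": IDLE_TRACE, "interrupted": INTERRUPTED_TRACE}).items():
        print(f"{name:12s}: {'invariant violated at t=%.0f s' % alarm if alarm is not None else 'ok'}")
```

The monitor needs only the level transmitter and the inlet valve state, both of which are already on the HMI; the settling time is the one tunable, and choosing it from the mass balance of Section 4.3.1 (how long the inlet flow takes to lift the level from LL to L) keeps the false-alarm rate predictable.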
BATADAL [52] (the Battle of the Attack Detection Algorithms) is a competition among attack detection algorithms for water distribution systems. The goal of the battle was to compare different methods for detecting cyber physical attacks. BATADAL was conducted on the C-Town network, a real-world, medium-sized water distribution system operated through Programmable Logic Controllers and a Supervisory Control And Data Acquisition (SCADA) system. In total seven different teams participated in BATADAL, and their effectiveness was evaluated in terms of time-to-detection and classification accuracy. This emphasis on dealing with real-life infrastructure and equipment for training and research is also seen in the development of Capture the Flag style gamification of an ICS testbed platform [53, 54]. The activity described in [53, 54] is not a conventional competitive hackathon; as a combination of jam and hackathon, it emphasises hacking CPS platforms as a means to integrate, demonstrate and explore lines of research.

7. Conclusions and Future Work

This paper reports an investigation into the response of an operational water distribution plant to cyber attacks. The outcome of the investigation points to the importance of testbeds in understanding stealthy and varied attacks and practical issues in operational water distribution plants. The case study also indicates that an attacker will likely be able to realize an intent when adequate resources are available and the required accessibility exists. The work presented in this paper is a step towards realizing safe and secure critical infrastructure. Future work includes understanding more stealthy attacks and the implementation of a prototype defence mechanism in WADI. We plan to implement some of the attack detection mechanisms mentioned in the related work section and assess them on a real-time water distribution system.
ACKNOWLEDGMENT

This work was supported in part by the National Research Foundation (NRF), Prime Minister's Office, Singapore, under its National Cybersecurity R&D Programme (Award No. NRF2014NCR-NCR001-40, NRF2015NCR-NCR003-001) and administered by the National Cybersecurity R&D Directorate. The WADI testbed is built with the support of the Ministry of Defense, Singapore and the SUTD-MIT International Design Centre (IDC).

References

[1] S. Adepu and A. Mathur, Introducing Cyber Security at the Design Stage of Public Infrastructures: A Procedure and Case Study, in: Proceedings of the 2nd Asia-Pacific Conference on Complex Systems Design & Management, Advances in Intelligent Systems and Computing, Springer, 2016.
[2] R. Lipovsky, New wave of cyberattacks against Ukrainian power industry, 2016, http://www.welivesecurity.com/2016/01/11.
[3] S. Weinberger, Computer security: Is this the start of cyberwarfare?, Nature 174 (2011).
[4] https://ics-cert.us-cert.gov/.
[5] S. Adepu, G. Mishra and A. Mathur, Access Control in Water Distribution Networks: A Case Study, in: QRS, 2017.
[6] US Department of Homeland Security, ICS-CERT Advisories, https://ics-cert.us-cert.gov/advisories.
[7] K. Stouffer and J.F.K. Scarfone, Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, pp. 1–155, 2011.
[8] B. Galloway and G.P. Hancke, Introduction to Industrial Control Networks, IEEE Communications Surveys & Tutorials 15 (2) (2013), 860–880.
[9] Kaspersky ICS CERT, Threat Landscape for Industrial Automation Systems in H1 2017, 2017, https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2017/82660/.
[10] J.M.N.V.C. Murray G., The convergence of IT and OT in critical infrastructure, in: Proceedings of the 15th Australian Information Security Management Conference, 5-6 December 2017, 2017, pp. 149–155.
[11] Homeland Security, DHS Common Cybersecurity Vulnerabilities in ICS, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf.
[12] Kaspersky, Industrial Control Systems Vulnerabilities Statistics, https://kasperskycontenthub.com/securelist/files/2016/07/KL_REPORT_ICS_Statistic_vulnerabilities.pdf.
[13] M. Rupp, Honeywell XL Web II Controller Vulnerabilities, https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01.
[14] C.M. Ahmed, V.R. Palleti and A. Mathur, WADI: A Water Distribution Testbed for Research in the Design of Secure Cyber Physical Systems, in: 3rd CySWater, 2017.
[15] T. Caulfield, C. Ioannidis and D. Pym, The U.S. Vulnerabilities Equities Process: An Economic Perspective, in: Decision and Game Theory for Security, 2017, pp. 131–150.
[16] A. Kharraz, Techniques and Solutions for Addressing Ransomware Attacks (2017).
[17] E. Nakashima and C. Timberg, NSA officials worried about the day its potent hacking tool would get loose. Then it did (2017).
[18] CVE-2017-0144, Windows SMB Remote Code Execution Vulnerability, 2017, https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144.
[19] A. Zimba, Z. Wang and H. Chen, Multi-stage crypto ransomware attacks: A new emerging cyber threat to critical infrastructure and industrial control systems, ICT Express (2018).
[20] US Department of Homeland Security, ICS-CERT Advisories, https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/FY2015_Industrial_Control_Systems_Assessment_Summary_Report_S508C.pdf.
[21] Microsoft, ActiveX Controls, https://msdn.microsoft.com/en-us/library/aa751968(v=vs.85).aspx.
[22] M. Rocchetto and N.O. Tippenhauer, On Attacker Models and Profiles for Cyber-Physical Systems, in: Computer Security – ESORICS 2016, September 26-30, pp. 427–449.
[23] S. Adepu and A. Mathur, Generalized attacker and attack models for Cyber Physical Systems, in: COMPSAC, 2016 IEEE 40th Annual, Vol. 1, 2016, pp. 283–292.
[24] S. Adepu and A. Mathur, An Investigation into the response of a Water Treatment System to Cyber Attacks, in: Proceedings of the 17th IEEE High Assurance Systems Engineering Symposium, Orlando, 2016.
[25] S. Amin, X. Litrico, S. Sastry and A.M. Bayen, Cyber Security of Water SCADA Systems; Part I: Analysis and Experimentation of Stealthy Deception Attacks, IEEE Transactions on Control Systems Technology (2013).
[26] R. Taormina, S. Galelli, N.O. Tippenhauer, E. Salomons and A. Ostfeld, Characterizing Cyber-Physical Attacks on Water Distribution Systems, Journal of Water Resources Planning and Management 143 (5) (2017), 04017009.
[27] V.R. Palleti, S. Narasimhan, R. Rengaswamy, R. Teja and S.M. Bhallamudi, Sensor network design for contaminant detection and identification in water distribution networks, Computers & Chemical Engineering 87 (2016), 246–256.
[28] Z.A. Baig, S. Ahmad and S.M. Sait, Detecting Intrusive Activity in the Smart Grid Communications Infrastructure Using Self-Organizing Maps, in: 12th IEEE TrustCom, 2013, pp. 1594–1599.
[29] C. Kwon, W. Liu and I. Hwang, Security analysis for cyber-physical systems against stealthy deception attacks, in: ACC, 2013, pp. 3344–3349.
[30] S. Adepu and A. Mathur, Distributed detection of single-stage multipoint cyber attacks in a water treatment plant, in: Proc. of the 11th ASIACCS, 2016, pp. 449–460.
[31] A.A. Cardenas, S. Amin and S. Sastry, Secure Control: Towards Survivable Cyber-Physical Systems, in: ICDCS '08, 2008, pp. 495–500.
[32] E.A. Lee, Cyber Physical Systems: Design Challenges, Technical Report, http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html, 2008.
[33] G. Sabaliauskaite and S. Adepu, Integrating Six-Step Model with Information Flow Diagrams for Comprehensive Analysis of Cyber-Physical System Safety and Security, in: 18th IEEE International Symposium on High Assurance Systems Engineering (HASE 2017), 2017.
[34] A. Sajid, H. Abbas and K. Saleem, Cloud-Assisted IoT-Based SCADA Systems Security: A Review of the State of the Art and Future Challenges, IEEE Access (2016), 1375–1384.
[35] A. Humayed, J. Lin, F. Li and B. Luo, Cyber-Physical Systems Security – A Survey, IEEE Internet of Things Journal (2017), 1–1.
[36] A.A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang and S. Sastry, Attacks against process control systems: Risk assessment, detection, and response, in: ACM Symp. Inf. Comput. Commun. Security, 2011.
[37] S. Jajodia and S. Noel, Advanced Cyber Attack Modeling, Analysis, and Visualization, Technical Report AFRL-RI-RS-TR-2010-078, Final Technical Report, George Mason University, 2010.
[38] B. Chen, Z. Kalbarczyk, D.M. Nicol, W.H. Sanders, R. Tan, W.G. Temple, N.O. Tippenhauer, A.H. Vu and D.K.Y. Yau, Go with the Flow: Toward Workflow-oriented Security Assessment, in: Proceedings of the 2013 New Security Paradigms Workshop, NSPW '13, 2013, pp. 65–76.
[39] A. Bhave, B. Krogh, D. Garlan and B. Schmerl, View consistency in architectures for cyber-physical systems, in: Proc. 2nd ACM/IEEE Int. Conf. Cyber-Phys. Syst., 2011.
[40] T. Sommestad, M. Ekstedt and P. Johnson, Cyber security risks assessment with Bayesian Defense graphs and architectural models, in: 42nd Hawaii International Conference on System Sciences, 2009, pp. 1–20.
[41] M. Abrams and J. Weiss, Malicious control system cyber security attack case study – Maroochy Water Services, Australia, McLean, VA: The MITRE Corporation (2008).
[42] S. Amin, X. Litrico, S.S. Sastry and A.M. Bayen, Cyber Security of Water SCADA Systems; Part II: Attack Detection Using Enhanced Hydrodynamic Models, IEEE Transactions on Control Systems Technology (2013).
[43] E. Kang, S. Adepu, D. Jackson and A.P. Mathur, Model-Based Security Analysis of a Water Treatment System, in: Proceedings of the 2nd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS '16), 2016.
[44] S.S. Patlolla, B. McMillin, S. Adepu and A. Mathur, An approach for formal analysis of the security of a water treatment testbed, in: 2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC), IEEE, 2018, pp. 115–124.
[45] R. Mitchell and I.-R. Chen, A survey of intrusion detection techniques for cyber-physical systems, ACM Computing Surveys (CSUR) 46 (4) (2014), 55.
[46] T.T. Gamage, B.M. McMillin and T.P. Roth, Enforcing Information Flow Security Properties in Cyber-Physical Systems: A Generalized Framework Based on Compensation, in: COMPSACW, IEEE 34th Annual, 2010, pp. 158–163.
[47] S. Adepu and A. Mathur, Distributed attack detection in a water treatment plant: method and case study, IEEE Transactions on Dependable and Secure Computing (2018).
[48] Y. Chen, C.M. Poskitt and J. Sun, Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System, in: Proc. IEEE Symposium on Security and Privacy (S&P 2018), 2018.
[49] J. Goh, S. Adepu, M. Tan and Z.S. Lee, Anomaly detection in cyber physical systems using recurrent neural networks, in: 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), IEEE, 2017, pp. 140–145.
[50] Q. Lin, S. Adepu, S. Verwer and A. Mathur, TABOR: A Graphical Model-based Approach for Anomaly Detection in Industrial Control Systems, in: Proceedings of the 2018 Asia Conference on Computer and Communications Security, ACM, 2018, pp. 525–536.
[51] S. Frey, A. Rashid, P. Anthonysamy, M. Pinto-Albuquerque and S.A. Naqvi, The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game, IEEE Transactions on Software Engineering (2018).
[52] R. Taormina, S. Galelli, N.O. Tippenhauer, E. Salomons, A. Ostfeld, D.G. Eliades, M. Aghashahi, R. Sundararajan, M. Pourahmadi, M.K. Banks et al., Battle of the Attack Detection Algorithms: Disclosing Cyber Attacks on Water Distribution Networks, Journal of Water Resources Planning and Management 144 (8) (2018), 04018048.
[53] D. Antonioli, H.R. Ghaeini, S. Adepu, M. Ochoa and N.O. Tippenhauer, Gamifying ICS security training and research: Design, implementation, and results of S3, in: Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, ACM, 2017, pp. 93–102.
[54] S. Adepu and A. Mathur, Assessing the effectiveness of attack detection at a hackfest on industrial control systems, IEEE Transactions on Sustainable Computing (2018).

Appendix

Acronyms:

AI - Analog Input
AIT - Analyzer Indicator and Transmitter
AO - Analog Output
AP - Access Point
ARP - Address Resolution Protocol
CPS - Cyber-Physical System
CUSUM - Cumulative Sum
DAQ - Data Acquisition
DB - Data Base
DCS - Distributed Control System
DDoS - Distributed Denial of Service
DI - Digital Input
DLR - Distributed Logic Router
DO - Digital Output
DoS - Denial of Service
FIT - Flow Indicator and Transmitter
HMI - Human Machine Interface
ICS - Industrial Control System
LIT - Level Indicator and Transmitter
LSTM - Long Short-Term Memory
MITM - Man In The Middle
MV - Motorized Valve
NI-PSP - National Instruments Publish Subscribe Protocol
PLC - Programmable Logic Controller
RTU - Remote Terminal Unit
RIO - Remote Input Output
SCADA - Supervisory Control and Data Acquisition
VI - Virtual Instruments
WADI - Water Distribution
