Detecting integrity attacks in IoT-based Cyber Physical Systems: a case study on Hydra testbed

Detecting inte grity attacks in IoT -based Cyber Physical Systems: a case study on Hydra testbed Federica Battisti, Giuseppe Bernieri, Marco Carli, Michela Lopardo, and Federica Pascucci Department of Engineering Uni versit ` a degli Studi Roma T re Roma, Italy Abstract The Internet of Things paradigm improv es the classical information sharing scheme. Howe ver , it has increased the need for granting the security of the con- nected systems. In the industrial field, the problem becomes more complex due to the need of protecting a large attack surface while granting the av ailability of the system and the real time response to the presence of threats. In this contribution, we deal with the injection of tampered data into the communication channel to affect the physical system. The proposed approach relies on designing a secure control system by coding the output matrices according to a secret pattern. This pattern is created by using the Fibonacci p-sequences , numeric sequence depend- ing on a ke y . The proposed method is v alidated on the Hydra testbed, emulating the industrial control network of a water distrib ution system. Keyw ords – Cyber Physical Systems, Industry 4.0, Industrial Internet of Things 1 Intr oduction In the last decades, we assisted to the spread of a new trend aimed at connecting as many devices as possible. This trend led to what is commonly referred to as Industry 4.0, the fourth industrial revolution. The core innovation of this re volution is the pos- sibility for the Cyber-Physical System (CPS) of exploiting Internet to extend the com- munication range beyond the closed industrial communication networks, thus leading to the birth of the Industrial Internet of Things (IIoT). IIoT requires the deployment of sensors, actuators, and communication de vices in the physical infrastructure for allo w- ing the remote monitoring and control of the whole system as well as of its components. The distributed nature of IIoT , together with the need of specific communication paradigms, and the adoption of Internet, may impact the reliability , the rob ustness, and 1 the security of CPS [1]. In more details, in IoT CPS context, the av ailability of the system is a key factor . In fact, since CPSs deal with dynamic systems, it is important that the service or system is always av ailable and that the information is shared within time delays that can be v ery short in real time applications [2]. Ne verthless, timing and information reliability is of paramount importance: the detection of data modification (due to transmission errors or to malicious alteration) should rise an alert as soon as possible for a prompt reaction/mitigation. If data modification is not timely detected, it may result in sev ere disruption of the system or e ven in its complete damage. Badly secured IIoT structures and services may be used as entry points for network attacks and expose both data and systems to threats [3 – 5]. In this contrib ution, we aim at the design of a secure control system able to identify the injection of tampered data (e.g., the deception attack) in the communication chan- nel. It useful to underline that the inte grity attack is e xtremely dangerous since it might be unnoticed till the unav ailability of the physical system happens. W e propose to code the physical output of the system through permutation matrices whose scheme varies based on a secret sequence. In more details, we extend the works in [6, 7] to non linear systems, by introducing the following inno vations: • the coding matrices are based on permutations obtained by rotation and flipping that modify the order of the elements in the output vector and their sign. T o the best of our kno wledge, in literature only a single rotation is used in [6], and a small subset of signed permutation matrices in [7]. In the proposed system, the flipping operation is adopted for increasing the number of possible matrices that can be used thus gaining in security; • the encoding procedure satisfies the real time constraint and avoids quantization errors; • the computational comple xity is highly reduced since the coding matrices can be precomputed off-line; • the security le vel of the system is increased by updating the coding matrix ac- cording to a rule based on k ey-dependent sequences, the Fibonacci p-sequences , exploiting the communication protocol to a void synchronization problems. 2 Related works The complex structure of a connected CPS is exposed to sev eral attacks in different points, thus resulting in a large attack surface [8]. It is possible to identify three layers as potential goals of an attacker: human, network, software, and hardware layer . Sev eral studies have been performed for assessing the security or mitigating the effects of an attack in a IoT -based CPS. In particular , secure control theory is used to estimate the impact of cyber threats on the physical plant [9]. Given the complexity of the problem, the methods proposed in literature are usually dedicated to counteract attacks that can be roughly classified in two groups: DoS and deception-based attacks. The impact of a DoS attack, even if limited to a subset of the network, may hav e a 2 disruptiv e effect on the whole system [10]. In [11], the av ailability of the system or service when their functionalities are interrupted (i.e., by limiting the exchange of in- formation between sensors and control system) is considered. In [12], the attack er goal is to limit the av ailability of a subset of controls and sensors. T o av oid the detection of his/her malicious behavior , the attacker mimics poor network conditions (i.e., by randomly dropping packets). Different mitigation methods are presented in [13]. In the deception-based attacks, the adversary , after having gained access to the CPS, injects false or tampered information to wards or from sensors or controllers (i.e., the value of a measurement or the sensor identification label). An effecti ve attack is de- signed to remain unnoticed to the detection system until a severe fault occurs. In [14], the cases in which a stealthy deception attack may be performed without being detected are addressed. In [15], the authors sho w that resiliency to malicious data injection may be obtained if a subset of measurements is immune to the attacks. In [16], a false data injection attack model is presented as a constrained control problem and the theoreti- cal analysis of the conditions under which the attacker could successfully destabilize the system are sho wn. An extended revie w of the security aspects is in [17]. In [6] a smart attack on linear time-in v ariant systems is addressed. The data injection is per- formed in such a way that the state estimation error increases without being detected till the moment when the presence is fatal for the system itself. The authors propose to code the sensor measurements exploiting a Gi vens rotation matrix for securing the system output. A similar approach is adopted in [7]. The key idea is to use a subset of the signed permutation matrices to perform rotation and flipping of the output v ector space. In this way , the signal injected by the attacker , once decoded, introduces a large residual error , so it does not sho w the same statistical property of the healthy signal. The same problem is addressed in [18], where a solution based on the encryption of shared information to protect data integrity (and confidentiality) is proposed. In our contribution we deal with the issues highlighted in [6, 7, 18]. In particular , we change the output coding scheme at each transmission time by selecting the coding matrix out of a predefined set, i.e., the set of the signed permutation matrices. This coding scheme av oids quantization errors and reduces the computational complexity , since it results in scrambling the elements of the observation v ector . 3 System and Adversary Modelling 3.1 Industrial CPS In this work the industrial CPS depicted in Fig. 1 is considered. It is composed by the physical system (i.e., the actuators, the plant, and the sensors) and the monitoring system , the controller , and a Human Machine Interface (HMI) . According to the IIoT paradigm, the sensors and the actuators of the physical system forward the collected data to the monitoring system, the controller , and the HMI through the network at each transmission time k using a protocol that identifies the sequence number of the packet in the data stream (e.g., Modbus/TCP). The physical system can be described by a nonlinear uncertain system: thus, the 3 Figure 1: The IoT based CPS and the detection scheme: the physical system commu- nicates with the controller , the monitoring system, and the HMI by a network. discrete time model is giv en by x k = f ( x k − 1 , u k − 1 ) + w k y k = g ( x k ) + v k (1) where x k ∈ R n x is the state of the system, u k ∈ R n u is the input, y k ∈ R n y is the output, f ( · ) is the state transition map, g ( · ) is the observation map, and w k ∈ R q , v k ∈ R l are the process and measurement noises, respectiv ely . The input u k is known, while w k and v k are Gaussian white noise with known constant co variance matrices (i.e., w k ∼ N ( 0 , Q ) and v k ∼ N ( 0 , R ) , respecti vely). The monitoring system is able to detect both faults and attacks. T o this aim, it is implemented as a fault detection system [19] and it is composed by a state observer and a detector . The state observer is able to replicate the behavior of the plant (i.e., the estimate of the state ˆ x k ), kno wing the input from the controller and the output from the sensors at each transmission time k . It is implemented by means of an Extended Kalman Filter (EKF), which estimates the state according to a prediction/correction scheme. In the prediction, an a priori estimate ˆ x ( − ) k and its cov ariance P ( − ) k is computed as: ˆ x ( − ) k = f ( ˆ x k − 1 , u k − 1 ) P ( − ) k = F P (+) k − 1 F T + Q (2) where F is the Jacobian of the state transition map f ( · ) . The update of the estimate and 4 its cov ariance are obtained as K k = ( P ( − ) k G T )( GP ( − ) k G T + R ) − 1 ˆ x (+) k = ˆ x ( − ) k + K k ( y k − g ( ˆ x ( − ) k ) P (+) k = ( I − K k G ) P ( − ) k (3) where K k represents the Kalman gain, G is the Jacobian of the observation map g ( · ) , and I is the identity matrix. Due to the nonlinearity of the system, a validation gate based on Mahalanobis distance and χ -square test is implemented to exclude the out- liers and av oid non-con ver gence. The update is performed only when the following inequality holds [ y k − g ( ˆ x ( − ) k )] T ( GP ( − ) k G T + R )[ y k − g ( ˆ x ( − ) k )] ≤ χ 2 . (4) The detector ev aluates the residual r k = y k − g ( ˆ x (+) k ) (5) by comparing it with a threshold β ∈ R n y computed during a f ault/attack free operating condition during the time interval [ 0 , . . . , T ) , so that β i = max k = 0 ,..., T r k , i ∀ i = 1 , . . . , n y . (6) Finally , the follo wing decision rule R k is applied R k = ( H 0 if r k ≤ β H 1 if r k > β (7) where H 0 is the healthy and H 1 is the under attack hypothesis, respectiv ely . When H 1 is accepted, the monitoring system triggers an alarm and forwards the information to the HMI. The contr oller is de v oted to regulate the desired output implementing a feedback control la w and it is represented by a Programmable Logic Controller (PLC). The HMI is represented by a Supervisory Control And Data Acquisition system. 3.2 Adversary model In this work, the adv ersary is assumed to know the network topologies and the re- sources connected (i.e., the controller , the monitoring system, the sensors, and the actuators). The adversary objecti ve is to reduce the av ailability of the resources by compromising data integrity . T o this end, the target of the attacker is the communica- tion channel between the sensors and the controller: the adversary is able manipulate the controller by injecting false data into this channel. Therefore, the adversary is as- sumed to be able to corrupt the communication channel between the concentrator and the state observer bypassing the attack detection tool (e.g., a con ventional intrusion detection system). According to [12], the disruption resour ces of the adversary en- compass both the plant and the monitoring systems, the disclosur e r esour ces exploited 5 during the attack are represented by the data in the communication channels, and the model knowledge is not required. The challenge of the attack is to remain stealthy with respect to the monitoring sys- tem. In [16] and [14], the conditions under which a stealth attack can be successfully set up are presented, ho we ver they consider only linear time in variant systems. F or stable non-linear systems, a stealth attack can be set up to get insights on the vulnera- bilities of the netw ork. For e xample, the adv ersary can set up a replay attack exploiting steady state output to test if the man in the middle attack is successful: at steady state, indeed, the output does not change and the monitoring system can be easily misled. 4 Detection strategy As previously mentioned, the proposed approach protects the communication channel between sensors and controller/monitoring system by coding the system output, ac- cording to a secret and predefined pattern. More specifically , the coding scheme is obtained by modifying the order of the elements in the output vector and e ventually their sign. It is implemented by multiplying the output of the system, collected by the concentrator , with a signed permutation matrix having only one non-zero entry (either 1 or − 1) in each row and column. The signed permutation matrices form a group with integer in verse, thus the encoding procedure does not introduce quantization errors. The coding matrix is modified at each transmission time according to a shared k ey , that depends on the Fibonacci p-numbers and on the packet number . The set of all the signed permutation matrices S Π of a vector y k ∈ R m is generated and sorted: at each transmission time, the shared key is used to select the coding matrix from the sorted set. In more details, security is giv en by: • the seed of the sequence used for selecting the coding matrices; • the sorting of the set S Π ; • the output coding (i.e., scrambling). The coding matrices are continuously updated according to a rule based on the Fibonacci p-sequences . A Fibonacci p-sequence F p ( n ) is defined by the follo wing recursiv e formula: F p ( n ) =    0 , n < 0; 1 , n = 0; F p ( n − 1 ) + F p ( n − p − 1 ) , ot herwise . (8) Since the number of feasible rotations and flipping performed to obtain the coded output is limited to n y , there is the need for mapping the selected Fibonacci p-sequence to the interval [ 1 , . . . , n y ] . In order to do this, the modulo operation with base n y is performed. It should be noticed that, as demonstrated in [20], the sequence F p (mod n y ) forms a periodic series, that is, it repeats by returning to its starting values. This could be a se- curity issue since an eav esdropping could rev eal the adopted secret sequence. T o cope 6 with this situation, in the en visaged system the sequences are periodically changed, although in this contribution the attacker is supposed to set up a blind replay attack. The period depends on the dimension of the observ ation space n y and the p and can be easily computed [20]. Overall, the use of these sequences grants an increased security to the system thanks to two elements: • it a v oids the problem of synchronization in case of packet loss; in fact, the se- lected n depends on the sequence number of the packet in the data stream; • the order of the matrices used for coding the output signal depends on the se- lected Fibonacci p-sequence ; by changing the p-value , the order can be modified without increasing the computational complexity of the system. The proposed detection strategy impro ves the state of the art under se veral perspec- tiv es. It adopts the same approach as proposed in [6]. Instead of being encrypted [18], the outputs are coded. In fact, the encryption of each message requires increased com- putational complexity that may be not af fordable in a real time and low ener gy con- sumption distributed system [21], especially when considering legac y systems. More- ov er , with respect to [6], we update the coding matrix at each transmission time thus reducing the probability of disclosure of the matrix. In [6] the coding matrix is updated periodically since its computation is hard. Furthermore, this approach is applied to nonlinear systems, that hav e not been yet considered in the literature. 5 Case Study on Hydra testbed The testbed Hydra [22] has been used to v alidate the proposed monitoring system. The Hydra testbed emulates a water distribution system that combines gravity and pumps to move the fluid inside the system. The physical structure of the testbed has been designed using a low-cost approach, ho wever , it is interfaced to the control system by an industrial PLC over a Modbus/TCP network. In the following the testbed is described and a simple replay attack is performed. 5.1 Hydra testbed The physical system of the testbed is composed by 3 tanks and a reservoir (see Fig. 2). T anks 1 and 2 are connected by a serial pipeline: the fluid cascades due to gravity and the flo w is regulated by the proportional valv e v 1 , 2 . T ank 2 and 3 are connected in a parallel configuration: the fluid mo ves due to Ste vin’ s Law (communicant v essels) and the flow is re gulated by the proportional valve v 2 , 3 . Each tank is equipped with two redundant le vel sensors: the first one is represented by a pressure sensor , the second one by a sonar sensor . The whole system is fed by a reserv oir: the centrifugal pump P 1 provides water to T ank 1, while the centrifugal pump P 2 links T ank 3 and 1. The SCAD A is implemented using Mango Automation that provides also a HMI. The contr oller is developed using a Modicon M340 PLCs by Schneider Electric pro- grammed in Ladder Logic using Unity Pro XL v7.0. It collects real-time data from the 7 Figure 2: The physical system of the Hydra testbed: the left-hand figure shows the single tank system, the right-hand one the whole system. water lev el sensors and controls the actuators and ex ecutes the low-le vel control (e.g., it performs operator or SCAD A commands, or the automatic maximum level control). The proposed monitoring system is implemented on a Galileo board. The continuous time state transition model is represented by the following equations: A ˙ x 1 = P 1 + P 2 − Q 1 , 2 A ˙ x 2 = Q 1 , 2 − Q 2 , 3 − Q 2 , 3 , h + Q 3 , 2 , h A ˙ x 3 = Q 2 , 3 + Q 2 , 3 , h − Q 3 , 2 , h − P 2 (9) where: Q 1 , 2 = av 1 , 2 √ 2 gx 1 Q 2 , 3 = av 2 , 3 δ − 1 ( x 2 − h con ) δ − 1 ( x 3 − h con ) · sign ( x 2 − x 3 ) p 2 g | x 2 − x 3 | Q 2 , 3 , h = av 2 , 3 δ − 1 ( x 2 − x con ) δ − 1 ( x con − x 3 ) p 2 g ( x 2 − h con ) Q 3 , 2 , h = av 2 , 3 δ − 1 ( x 3 − x con ) δ − 1 ( x con − x 2 ) p 2 g ( x 3 − h con ) P 2 = k 2 a √ 2 gx 3 P 1 = k 1 Q i , j is the flow through tanks i and j , δ − 1 ( · ) is the step signal, g the gravitational acceleration, h con is the height of the connection between tanks 2 and 3, k i the gain of the i -th pump, A and a the area of the cross-section of the tanks and the pipes, respectiv ely . The discrete-time version of this model is used as state transition map in the prediction step of the EKF . The observation map is giv en by: y k = g ( x k ) = I x k . (10) 8 Figure 3: The communication architecture of the Hydra testbed. The network architecture of the Hydra testbed is shown in Fig. 3: two Arduino boards and two Galileo boards control all the sensors and actuators. Specifically , one Arduino board is dev oted to control the proportional valv es and the centrifugal pumps that represent the actuators of the water distrib ution systems. The second Arduino board is used to interface the le vel sensors. The Galileo boards are used to interface the Arduino ones on a ModBus/TCP network. The first one, Galileo #1, collects data from the Arduino board devoted to interface the sensor and dispatch the measurements to the network by encapsulating the measurements in Modbus/TCP packets after applying the proposed coding scheme. The second one, Galileo #2 is connected to the Arduino dev oted to control the motors. It collects the input from the controller and forwards it to the corresponding Arduino board. Finally , another Galileo, Galileo #3, is connected to the PLC: it runs the monitoring system and is able to decode the data from the sensors. All the modules are connected by a local network by means of an Ethernet router . 5.2 V alidation test T o pro ve the ef fecti veness of the proposed approach, an integrity attack has been set up. By means of a MITM attack, the communication link between the Galileo #1 and #3 has been corrupted by injecting false data. W e wrote code that exploits a vulnerability of the network to implement the attack and W ireshark had been exploited to collect network packets. The attack starts using ARP cache poisoning, in this way the links between IP 9 (a) Output without encoding. (b) Coded Output. addresses and MAC addresses in the ARP table of the hosts (i.e., the Galileo #1 and the Galileo #3) are corrupted. Consequently , the data stream from the Galileo #1 to the Galileo #3 is redirected to the malicious agent. The replay attack starts when the system reaches the steady state. This status of the system can be easily identified by eav esdropping the actuator controls, since these signals do not change when the system is at steady state. During the attack, the adversary forwards to the Galileo #3 (and the PLC) wrong information about the le vel of fluid in the tanks. Specifically , the malicious agent repli- cates at each instant the le vels recorded when the attack started. The result of the replay attack without coding the output is reported in Fig. 4(a): in this case the attack cannot be perceived by the monitoring system, since the attacked measurements look like the expected ones and are inside the tolerance introduced by the threshold. In this case, the monitoring system does not provide an y alarm to the SCAD A system and the attack can escalate. On the contrary , by applying the proposed coding method, the monitoring system is able to timely identify the attack. The output analysis is shown in Fig 4(b): as it can be seen, the monitoring system clearly identifies the anomalies. The output vector changes at each transmission time since the attack er is not able to reproduce the correct scrambling sequence. As a result, all the thresholds of the residuals related to the state of each tank are violated and the detector triggers the alarm. 6 Conclusion IoT based CPSs represent a rev olution in many sectors: from industrial plants or en- ergy generation systems, to distributed health systems. Smart services, cost production reduction, and quality assessment are only fe w of the possible advantages that results from this industrial rev olution. Howe ver , due to the interdisciplinary nature of these systems, they are prone to security flaws. In this conte xt, c yber attacks may result in physical damage of the system up to creating threats to the human life. In this contribu- tion, a method for securing IoT based CPSs through the timely detection of deception attacks is presented. The proposed approach is based on coding the output of the system by using permutation matrices selected from a set. This set is obtained through opera- tions of scrambling and flipping. The selection of the permutation matrix is based on 10 Fibonacci p-sequences . The proposed detection strategy can cope with all issues re- lated to the computational complexity of the coding step thus assuring the compliance with the time delay constraints typical of CPSs. Furthermore, quantization errors, that may have a nonlinear behavior and can compromise the con vergence of the residual estimator , are av oided. The approach has been validated on an testbed that emulates industrial control systems. Future work will be de voted to apply more complex coding scheme to identify attacks that can be mislead by the monitoring system. Refer ences [1] A. Sajid, H. Abbas, and K. Saleem, “Cloud-assisted IoT-based SCAD A systems security: A re view of the state of the art and future challenges, ” IEEE Access , vol. 4, pp. 1375–1384, 2016. [2] W . Zeng and M. Y . Chow , “ A trade-of f model for performance and security in secured network ed control systems, ” in IEEE Int. Symp. on Industrial Electr onics , pp. 1997–2002, 2011. [3] K. Rose, S. Eldridge, and L. Chapin, “The Internet of Things: An o vervie w- understanding the issues and challenges of a more connected w orld., ” The Internet Society (ISOC) , pp. 1–50, 2015. [4] M. Stolpe, “The Internet of Things: Opportunities and challenges for distributed data analysis, ” SIGKDD Explor . Newsl. , v ol. 18, no. 1, pp. 15–34, 2016. [5] J. Rubio-Hernan, L. De Cicco, and J. Garcia-Alfaro, “On the use of watermark- based schemes to detect cyber-physical attacks, ” EURASIP J ournal on Information Security , vol. 2017, no. 1, pp. 8, 2017. [6] F . Miao, Q. Zhu, M. Pajic, and G. J. P appas, “Coding schemes for securing cyber- physical systems against stealthy data injection attacks, ” IEEE T ransactions on Contr ol of Network Systems , vol. PP , no. 99, pp. 1, 2016. [7] F . Battisti, M. Carli, F . Pascucci, “Securing cyber physical systems from injec- tion attacks by exploiting random sequences, ” IEEE Inter . Conf. on W ireless and Mobile Computing, Networking and Communications, 2017. [8] A. R. Sadeghi, C. W achsmann, and M. W aidner , “Security and priv acy challenges in industrial Internet of Things, ” in 52nd ACM/ED AC/IEEE Design Automation Confer ence (DA C) ,pp. 1–6, 2015. [9] L. Cazorla, C. Alcaraz, and J. Lopez, “Cyber stealth attacks in critical information infrastructures, ” IEEE Systems Journal , v ol. PP , no. 99, pp. 1–15, 2016. [10] P . Srikantha and D. K undur , “Denial of service attacks and mitigation for stability in cyber -enabled power grid, ” in IEEE P ower Ener gy Society Innovative Smart Grid T echnologies Confer ence (ISGT) , pp. 1–5, 2015. 11 [11] A. A. C ´ ardenas, S. Amin, and S. Sastry , “Research challenges for the security of control systems, ” in Pr oc. Conf. on Hot T opics in Security , HOTSEC’08, pp. 6:1–6, 2008. [12] A. T eixeira, I. Shames, H. Sandberg, and K. H. Johansson, “ A secure control framew ork for resource-limited adversaries, ” Automatica , vol. 51, pp. 135 – 148, 2015. [13] R. R. Rejimol Robinson and C. Thomas, “Evaluation of mitigation methods for distributed denial of service attacks, ” in IEEE Conf. on Industrial Electr onics and Applications (ICIEA) , pp. 713–718, 2012. [14] C. Kwon, W . Liu, and I. Hwang, “Security analysis for cyber -physical systems against stealthy deception attacks, ” in Pr oc. American Contr ol Conf. , pp. 3344– 3349, 2013. [15] T . T . Kim and H. V . Poor, “Strategic protection against data injection attacks on power grids, ” IEEE T ransactions on Smart Grid , vol. 2, no. 2, pp. 326–333, 2011. [16] Y . Mo and B. Sinopoli, “False data injection attacks in cyber physical systems, ” in F irst W orkshop on Secur e Control Systems , 2010. [17] R. Zhang and P . V enkitasubramaniam, “Stealthy control signal attacks in linear quadratic gaussian control systems: Detectability re ward tradeof f, ” IEEE T ransac- tions on Information F orensics and Security , vol. PP , no. 99, pp. 1–12, 2017. [18] P . Ganesan, R. V enugopalan, P . Peddabachagari, A. Dean, F . Mueller , and M. Si- chitiu, “ Analyzing and modeling encryption overhead for sensor network nodes, ” in A CM Int. Conf . on W ir eless Sensor Networks and Applications , WSN A, pp. 151–159, 2003. [19] G. Bernieri, E. Etchevs Miciolino, F . Pascucci, R. Setola, “Monitoring system reaction in cyber -physical testbed under cyber -attacks, ” Computer s and Electrical Engineering , 59, pp. 86–98, 2017. [20] D. D. W all, “Fibonacci series modulo m, ” The American Mathematical Monthly , vol. 67, no. 6, pp. 525–532, 1960. [21] O. Goldreich, F oundations of Cryptography: V olume 2, Basic Applications , Cam- bridge Univ ersity Press, New Y ork, NY , USA, 2004. [22] G. Bernieri, F . Del Moro, L. Faramondi, F . Pascucci, A testbed for inte grated fault diagnosis and cyber security investigation Int. Conf. on Control, Decision and Information T echnologies, pp. 454–459, 2016. 12