Proceedings of the 20th World Congress
The International Federation of Automatic Control
Toulouse, France, July 9-14, 2017
Available online at www.sciencedirect.com
ScienceDirect
IFAC PapersOnLine 50-1 (2017) 15247–15252

Fallback and Recovery Control System of Industrial Control System for Cybersecurity

Tsubasa Sasaki*, Kenji Sawada*, Seiichi Shin*, Shu Hosokawa**

*The University of Electro-Communications, Chofu, Tokyo 1828585 Japan (Tel: +81-42-443-5891; e-mail: {tsubasa-sasaki}{knj.sawada}{seiichi.shin}@uec.ac.jp).
**Control System Security Center, Tagajo, Miyagi 9850842 Japan (e-mail: [email protected])

Abstract: This paper focuses on the Fallback Control System (FCS), which is an emergency response method of networked Industrial Control Systems (ICS) as a countermeasure against cyber-attacks. The FCS is located not on the networked controllers but on the controlled objects. After an incident happens, the FCS isolates the controlled objects from the networked controllers and controls the objects safely and locally. This ICS operation switching is one-way, from the normal operation to the fallback operation, and the recovery switching from the fallback operation back to the normal one still remains an open problem. This is because there is a possibility of cyber-attacks aiming at the reconnection of the controlled objects with the networked controllers. Motivated by this, this paper proposes a Fallback and Recovery Control System (FRCS) by adding a safety recovery switching to the FCS. While maintaining the fallback control of the controlled object, the virtual operation mode of the FRCS connects the networked controller with a virtual controlled object (Plant Simulator). The FRCS evaluates the ICS soundness from the responses between the controller and the virtual object and then reconnects the controller with the actual one. The ICS soundness evaluation is based on a discrete-event system observer. This paper verifies the validity of the proposed recovery switching via a practical experiment.

© 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Keywords: Security, Petri nets, Control over networks, Observers for linear systems, Manufacturing automation over networks, Discrete event systems in manufacturing.

Copyright © 2017 IFAC. 2405-8963 © 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2017.08.2402

1. INTRODUCTION

Industrial Control Systems (ICSs) are facing security incidents (Kissel, 2013) in power systems, water supply facilities, nuclear facilities, Factory Automation (FA) systems and so on (Miller and Rowe, 2012; Zhioua, 2013; Khorrami et al., 2016). The reason is that ICSs are being designed and implemented using industry standard computers, Operating Systems (OS) and network protocols, and therefore increasingly resemble Information Technology (IT) systems. ICS incidents could endanger costly equipment or human life (Stouffer et al., 2007), so ICS security is attracting attention from various research fields. Hu et al. (2016) propose a security monitoring architecture for smart grids. Kogiso et al. (2015) propose encryption methods for the controller parameters of an ICS. Some intrusion, cyber-attack or incident detection methods focus on machine learning and on sequence characteristics of network traffic (Hoehn and Zhang 2016; Onoda 2016; Ozay et al. 2016; Isozaki et al. 2016). The current authors are interested in “maintaining functionality after incident” and “safety recovering after incident”. In particular, we have proposed the Fallback Control System (FCS) for maintaining functionality after an incident (Sasaki et al. 2015; Sawada et al. 2015).

The FCS is located not on the networked controllers but on the controlled objects and has two main features. The first is that its incident detection is based on the analog signals of the field devices (actuators and sensors), while the existing results use the communication contents of network traffic (e.g. Onoda 2016). This is because attackers can tamper with the communication contents. The second is that the fallback control is not a networked one but a local one. During the normal operation, the FCS connects the networked controller with the field devices via the field network (which is based on industrial Ethernet technologies). During the fallback operation, the FCS isolates the field devices from the networked controller, and the fallback controller of the FCS takes over the control of the field devices, not via the field network but via the analog signals directly. The field devices are thereby isolated from cyber-attacks or secondary damage, although the local control logic of the fallback controller is restricted due to the network isolation. Focusing on “maintaining functionality after incident”, our previous works (Sasaki et al. 2015; Sawada et al. 2015) implement an incident detection function, a fallback switching (network disconnection) function, and a fallback control function in the FCS.

On the other hand, this operation switching is one-way from the normal operation to the fallback operation, and the recovery switching from the fallback operation to the normal one still remains open. This is because there is a possibility of cyber-attacks aiming at the reconnection of the controlled objects with the networked controllers. Motivated by this, this paper proposes a Fallback and Recovery Control System (FRCS) by adding a safety recovery switching to the FCS. In other words, this paper aims to implement “safety recovering after incident” in the FCS. While maintaining the fallback control of the controlled object, the FRCS judges the soundness of the networked controller (the ICS soundness). The FRCS confirms the integrity and then reconnects the networked controller. For checking integrity, we adopt a Plant Simulator and the incident detection method proposed in Sawada et al. (2015). The Plant Simulator simulates the behaviour of the controlled object, and the detection method is based on a discrete-event observer. We call the operation mode for checking soundness the virtual operation. During this operation, the actual controlled object is connected with the FRCS via analog signals and only the Plant Simulator is connected with the networked controller via the field network. The observer checks the integrity from the feedback loop between the Plant Simulator and the controller without influencing the actual controlled object. This paper executes practical experiments to verify the capability of the FRCS.
Fig. 2 Appearance of Ball-Sorter
The contribution of this paper is to implement “safety recovering after incident” by the virtual operation. Since the actual controlled object is not connected with the field network during the virtual operation, the FRCS can confirm the integrity of the controller safely. The FRCS designed in this paper contributes to enhancing the cyber-security of ICS.

2. EXPERIMENTAL CONTROL SYSTEM

Fig. 1 Networked control system

Fig. 3 Schematic of Ball-Sorter

Fig. 1 shows the constitution of the networked control system in this paper. Plant is controlled remotely by the networked controller. The control software implemented in the networked controller is developed with MATLAB/Simulink (MathWorks, 2016). The network protocol between the network devices such as the networked controller and the Remote I/O is Modbus/TCP (Modbus-IDA 2012). Modbus/TCP is a common industrial protocol based on Ethernet (Rojas and Peter, 2010). MATLAB/Simulink can deal with Modbus/TCP. The remote I/O interconverts between Modbus/TCP packets and the analog signals for actuators and sensors. The networked controller drives the actuators of Plant via the remote I/O. The sensor signals are sent to the networked controller via the remote I/O.
Fig. 2 is the Ball-Sorter plant for the experiments. Fig. 3 shows a schematic of Ball-Sorter. The function of Ball-Sorter is sorting two kinds of balls according to their weight. The balls used are a ping-pong ball and a golf ball. Ball-Sorter consists of three sections: a supply section, a sorting section, and a collection section. Only one ball can exist at the sorting section. Ball-Sorter has three air cylinders (Cylinder1, Cylinder2, and Cylinder3), a sorting sensor (S-sensor), and three proximity sensors (P-sensor1, P-sensor2, and P-sensor3). In Fig. 3, P1, P2, and P3 represent P-sensor1, P-sensor2, and P-sensor3 respectively. Ball-Sorter sorts the ping-pong balls to BOX1 and the golf balls to BOX2 by these actuators and sensors.

When a ball exists at the sorting section, P-sensor1 reacts (ON). When the ball is a ping-pong ball, S-sensor does not react (OFF). When the ball is a golf ball, S-sensor reacts (ON). After that, when the ball flows to BOX1, P-sensor2 reacts (ON). When the ball flows to BOX2, P-sensor3 reacts (ON). Fig. 4 shows a state transition diagram of the control logic that implements the sorting function. In this paper, the notation of the state transition diagram is based on Stateflow for MATLAB/Simulink because we have implemented the control logic by Stateflow. In Fig. 4, “Cylinder1 stops (drives)” or “Cylinder3 stops (drives)” mean that they drive in the downward (upward) direction as shown in Cylinder1 (Cylinder3) of Fig. 3. “Cylinder2 stops (drives)” means that Cylinder2 drives in the upward (downward) direction.
[Fig. 4: Stateflow chart recovered from the figure text]
Select/        Cylinder1 drives, Cylinder2 stops, Cylinder3 stops
                 --P-sensor1 ON-->  Unknown_ball/
Unknown_ball/  --S-sensor OFF-->  BOX1/   ;   --S-sensor ON-->  BOX2/
BOX1/          Cylinder1 stops, Cylinder2 stops, Cylinder3 drives   --P-sensor2 ON-->  Select/
BOX2/          Cylinder1 stops, Cylinder2 drives, Cylinder3 stops   --P-sensor3 ON-->  Select/

Fig. 4 State transition diagram of control logic for sorting
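As an added illustration (not the authors' Stateflow model or any code from the paper), the chart of Fig. 4 written as a Python automaton and run against a small plant model whose true sensor signals follow Section 2 and whose mixing prevention follows Fig. 5: a golf ball commanded towards BOX1 tilts the frame and jams the line. A second copy of the automaton fed with the true (analog-side) signals stands in for the FCS-side detection that the paper bases on field-device signals; the paper does not say that its discrete-event observer compares commands exactly this way, so that comparison rule, the held actuator commands in the unlabelled Unknown_ball state, and the ball sequence are assumptions. The tamper applied on the network path is the one the paper describes in Section 3 (S-sensor forced to never react), and the run shows that the command mismatch is visible one event before the jam, which is the moment a fallback switching would be triggered.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event and state names follow Fig. 4 of the paper.
P1_ON, P2_ON, P3_ON = "P-sensor1 ON", "P-sensor2 ON", "P-sensor3 ON"
S_ON, S_OFF = "S-sensor ON", "S-sensor OFF"

# Transition relation of Fig. 4: (state, event) -> next state.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("Select", P1_ON): "Unknown_ball",
    ("Unknown_ball", S_OFF): "BOX1",
    ("Unknown_ball", S_ON): "BOX2",
    ("BOX1", P2_ON): "Select",
    ("BOX2", P3_ON): "Select",
}

# Entry actions (actuator commands) labelled in Fig. 4. Unknown_ball carries no
# action label in the figure; holding the previous commands there is an assumption.
ACTIONS: Dict[str, Dict[str, str]] = {
    "Select": {"Cylinder1": "drives", "Cylinder2": "stops", "Cylinder3": "stops"},
    "BOX1": {"Cylinder1": "stops", "Cylinder2": "stops", "Cylinder3": "drives"},
    "BOX2": {"Cylinder1": "stops", "Cylinder2": "drives", "Cylinder3": "stops"},
}


class SortingController:
    """The networked controller's sorting chart (Fig. 4) as a discrete-event automaton."""

    def __init__(self) -> None:
        self.state = "Select"
        self.command = dict(ACTIONS["Select"])

    def step(self, event: str) -> Dict[str, str]:
        """Consume one sensor event; return the actuator commands now in force."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is not None:
            self.state = nxt
            if nxt in ACTIONS:
                self.command = dict(ACTIONS[nxt])
        return dict(self.command)


def mitm_s_sensor(event: str) -> str:
    """Section 3 tamper on the Modbus/TCP path: S-sensor never reacts (ON rewritten to OFF)."""
    return S_OFF if event == S_ON else event


@dataclass
class LineResult:
    box1: int = 0                      # ping-pong balls collected in BOX1
    box2: int = 0                      # golf balls collected in BOX2
    jammed: bool = False               # frame tilt at the sorting section (Fig. 5)
    incident_at: Optional[int] = None  # index of the first ball whose commands mismatched


def run_sorter(balls: List[str], tampered: bool) -> LineResult:
    """Feed a constructed ball sequence ("pingpong"/"golf") through the loop.

    `controller` sees the field-network events (tampered or not); `reference` is a
    copy of the same chart fed with the true analog signals, standing in for the
    signal-based detection on the FCS side (assumption, see lead-in)."""
    controller, reference = SortingController(), SortingController()
    result = LineResult()
    for i, ball in enumerate(balls):
        true_events = [P1_ON, S_ON if ball == "golf" else S_OFF]
        command: Dict[str, str] = {}
        for event in true_events:
            network_event = mitm_s_sensor(event) if tampered else event
            command = controller.step(network_event)
            expected = reference.step(event)
            if command != expected and result.incident_at is None:
                result.incident_at = i          # detectable before the plant reacts
        # Plant response to the command in force (mixing prevention of Fig. 5).
        if command["Cylinder2"] == "drives":    # routed to BOX2
            result.box2 += 1
            controller.step(P3_ON)
            reference.step(P3_ON)
        elif ball == "pingpong":                # routed to BOX1, ping-pong passes
            result.box1 += 1
            controller.step(P2_ON)
            reference.step(P2_ON)
        else:                                   # golf ball routed to BOX1: frame tilts, line stops
            result.jammed = True
            break
    return result


if __name__ == "__main__":
    print(run_sorter(["pingpong", "golf", "pingpong"], tampered=False))
    print(run_sorter(["pingpong", "golf", "pingpong"], tampered=True))
```

With the tamper off, all three constructed balls are sorted and the two automata never disagree; with the tamper on, the first golf ball produces BOX1 commands while the reference copy expects BOX2 commands, so the mismatch is recorded at that ball and the jam of Fig. 5 follows.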
4.
Fig. 5 Mixing prevention mechanism at sorting section This paper supposes that Ball-Sorter is the subsystem in production lines as FA systems and there are upper subsystems from the supply section. The balls in the collection section flow to the lower process. Ball-Sorter sorts the ping-pong balls as the non-defective products to BOX1 and the golf balls as the defective products to BOX2. BallSorter has a mixing prevention mechanism at the sorting section such that golf balls cannot go to BOX 1. When a golf ball goes through the sorting section, the supporting frame of the sorting section tilts. Otherwise, the frame does not tilt. If the networked controller confuses a golf ball with a pingpong ball, the golf ball continues to exist at the sorting section and then the interruption of the balls flow can happen via the frame tilt. This ball-jamming is corresponding to a stop or overflow of a production line in FA systems.
3. SUPPOSED INCIDENT AND FALLBACK

This paper supposes that the attackers aim to stop Ball-Sorter. When the networked controller detects balls erroneously, ball-jamming occurs. The attackers exploit this feature to achieve their aim. Specifically, the attackers insert themselves into the conversation between the Remote Input and the networked controller and manipulate the S-sensor information included in Modbus/TCP such that the S-sensor never reacts. This attack is called a Man In The Middle attack (MITM). We consider the situation in which defenders take measures to inhibit the damage expansion caused by the cyber-attack from the perspective of “maintaining functionality after incident”. The previous works (Sasaki et al., 2015; Sawada et al., 2015) consider the fallback operation in which all balls are sorted to BOX2 (the defective products box). This operation sets the priority of the limited operation for maintenance higher than that of sorting. Further, the previous works develop the Fallback Control System (FCS) achieving the fallback operation.

4. FALLBACK AND RECOVERY CONTROL

This paper aims to implement “maintaining functionality after incident” and “safety recovering after incident”. The existing FCS does not achieve the latter yet. This is due to its recovery flow after the fallback operation, which is as follows:

1. Operators of Ball-Sorter pursue the factors of the security incident during the fallback operation.
2. Operators take measures to resolve the incident.
3. Operators execute the test operation, in which Ball-Sorter is controlled via the field network, and check for operation failures.
4. When operation failures are not detected during the test operation, the operation is switched to the normal one.

The test operation of the above flow (Steps 3 and 4) is the recovery switching from the fallback operation to the normal operation. The test operation does not consider the possibility of cyber-attacks and is in danger of incident recurrence if the measure is insufficient. Therefore, this paper proposes a safety recovery switching mechanism, the virtual operation, to implement “safety recovering after incident”. This paper calls the FCS with the virtual operation the Fallback and Recovery Control System (FRCS). Table 1 shows the comparison of the test operation and the virtual operation. During the virtual operation, the controlled object of the networked controller is Plant Simulator, which simulates the behaviour of Ball-Sorter. The virtual operation implements the new test operation without the connection between the field network and the actual controlled object.

Table 1 Comparison of two operations
                    Test operation         Virtual operation
Controlled object   Ball-Sorter            Plant Simulator
Controller          Networked Controller   Networked Controller

During the virtual operation, the incident detection function of the FRCS checks whether the incident is resolved; this allows Ball-Sorter to avoid a recurrence of the incident and guarantees the integrity of the networked controller. The virtual operation requires the input (actuator) signals from the networked controller to Ball-Sorter and the output (sensor) signals from Ball-Sorter to the networked controller. The virtual operation executes the following recovery flow.

1. Operators of Ball-Sorter pursue the factors of the incident during the fallback operation.
2. Operators take measures to resolve the incident.
3. The networked controller controls Plant Simulator of FRCS for a certain time.
4. When the incident detection function does not detect the incident, FRCS switches the operation from the virtual one to the normal one automatically.

Fig. 6 shows the operation transition diagram of the above recovery flow by the virtual operation.

Fig. 6 Operation transition of FRCS (operation modes: Normal, Fallback, Virtual; the transitions between them are numbered 1 to 3)

4.1 Expansion of control system of Ball-Sorter

Fig. 7 shows the control system of Ball-Sorter in the previous works (Sawada et al., 2015). In Fig. 7, the solid lines represent the analog signals, and the dashed lines represent the signals of Modbus/TCP. The existing FCS consists of two units: Fallback Operation Unit (FOU) and Selector Unit. FOU carries out the incident detection function and the fallback control. Selector Unit switches the input signal of Ball-Sorter from the remote output to the fallback controller according to the operation mode. See the previous work (Sasaki et al., 2015) about the realization of the FOU and Selector Unit via
Arduino. Table 2 shows the flow of the signals during the normal operation. Table 3 shows the flow of the signals during the fallback operation. The FCS carries out the following fallback switching flow when an incident occurs.

1. Incident Detector 1 drives via the sensor signals from Ball-Sorter.
2. An incident occurs.
3. Incident Detector 1 catches the incident.
4. Selector Unit switches the input signal of Ball-Sorter from the remote output to the fallback controller.
5. The signals from the networked controller to Ball-Sorter are cut off.
6. The controller for Ball-Sorter is switched from the networked controller to the fallback controller.

Fig. 7 Ball-Sorter control system (FCS) (blocks: Networked Controller, NETWORK, Remote Output, Remote Input, Ball Sorter (Plant), Selector Unit, FOU with Incident Detector 1 and Fallback Controller)

Table 2 Signal flow during normal operation
Source          Destination
Remote Output   Ball-Sorter
Ball-Sorter     Remote Input
Ball-Sorter     Incident Detector 1

Table 3 Signal flow during fallback operation
Source                Destination
Fallback Controller   Ball-Sorter
Ball-Sorter           Incident Detector 1

Fig. 8 Ball-Sorter control system (FRCS) (blocks: Networked Controller, NETWORK, Remote Output, Remote Input, Ball Sorter (Plant), Selector Unit, Human (Tact Switch), FOU with Incident Detector 1 and Fallback Controller, VOU with Plant Simulator and Incident Detector 2)

This paper implements the virtual operation by adding new units as shown in Fig. 8 and thereby realizes the FRCS. In Fig. 8, the solid lines represent the analog signals, and the dashed lines represent the signals of Modbus/TCP. The added units are as follows: the tact switch for the Human (Operator) and the Virtual Operation Unit (VOU), which consists of Plant Simulator and Incident Detector 2. That is, the proposed FRCS consists of three units: VOU, FOU, and Selector Unit with the operator tact switch. This paper implements these units by three Arduinos, respectively.

Plant Simulator imitates Ball-Sorter and is the controlled object of the networked controller during the virtual operation. Fig. 9 shows the state machine of Plant Simulator. Plant Simulator receives the actuator commands (Cylinder 1, Cylinder 2 and Cylinder 3) from the networked controller and then replies sensor signals to the networked controller according to its state machine.

Fig. 9 Plant behaviour on Plant Simulator (state machine; each state sets the sensor word replied to the networked controller)
State           Action and sensor outputs
Initial state   ball=0; Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0
Buffer          Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0
Unknown ball    ball=ball+1; Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0
Ping-pong       Psensor1=1; Psensor2=0; Psensor3=0; Ssensor=0
Golf            Psensor1=1; Psensor2=0; Psensor3=0; Ssensor=1
P-sensor2       Psensor1=0; Psensor2=1; Psensor3=0; Ssensor=0
P-sensor3       Psensor1=0; Psensor2=0; Psensor3=1; Ssensor=0
Transition guards: Cylinder1==1, Cylinder2==1, Cylinder3==1, Mod(ball,2)==0, Mod(ball,2)==1
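The Plant Simulator state machine of Fig. 9 in a closed loop with a sorting controller, as an added example (not the authors' Arduino code). The arc structure and the odd/even ball-type rule are assumptions read off the figure labels; the `networked_controller` sorting logic is also assumed, and the `mitm` flag of `run_virtual_operation` reproduces the suppressed S-sensor so the jam the detector must catch becomes visible.

```python
# Plant Simulator of the VOU as a state machine (Fig. 9), closed with a simple
# networked-controller loop. Added for this page, not the authors' Arduino code.
# Assumed from the figure labels: the arc structure in step() and the rule that odd
# ball numbers are ping-pong and even ones golf (reproducing the P/G order of Table 7).

# Sensor word replied to the networked controller in each state of Fig. 9.
SENSORS = {
    "Initial":   dict(Psensor1=0, Psensor2=0, Psensor3=0, Ssensor=0),
    "Buffer":    dict(Psensor1=0, Psensor2=0, Psensor3=0, Ssensor=0),
    "Unknown":   dict(Psensor1=0, Psensor2=0, Psensor3=0, Ssensor=0),
    "Ping-pong": dict(Psensor1=1, Psensor2=0, Psensor3=0, Ssensor=0),
    "Golf":      dict(Psensor1=1, Psensor2=0, Psensor3=0, Ssensor=1),
    "P-sensor2": dict(Psensor1=0, Psensor2=1, Psensor3=0, Ssensor=0),
    "P-sensor3": dict(Psensor1=0, Psensor2=0, Psensor3=1, Ssensor=0),
}

class PlantSimulator:
    def __init__(self):
        self.state, self.ball = "Initial", 0

    def step(self, cylinder1, cylinder2, cylinder3):
        """Apply one actuator command and return the sensor reply."""
        s = self.state
        if s in ("Initial", "Buffer") and cylinder1 == 1:  # Cylinder1==1: a ball enters
            self.ball += 1                                  # Unknown ball: ball=ball+1
            s = "Unknown"
        elif s == "Unknown":                                # Mod(ball,2) selects the type
            s = "Ping-pong" if self.ball % 2 == 1 else "Golf"
        elif s == "Ping-pong" and cylinder2 == 1:           # Cylinder2==1: to BOX1
            s = "P-sensor2"
        elif s == "Golf" and cylinder3 == 1:                # Cylinder3==1: to BOX2
            s = "P-sensor3"
        elif s in ("P-sensor2", "P-sensor3"):               # the ball has left the sorter
            s = "Buffer"
        # A golf ball not pushed by Cylinder 3 stays at the sorting section: this is
        # the ball-jamming that Incident Detector 2 must catch in the virtual operation.
        self.state = s
        return dict(SENSORS[s])

def networked_controller(sensors):
    """Assumed sorting logic of the networked controller: a ball at P-sensor1 goes to
    BOX1 (Cylinder 2) unless the S-sensor reacts, in which case to BOX2 (Cylinder 3)."""
    if sensors["Psensor1"] == 1:
        return (0, 1 - sensors["Ssensor"], sensors["Ssensor"])
    if any(sensors.values()):
        return (0, 0, 0)                                    # wait for the ball to clear
    return (1, 0, 0)                                        # request the next ball

def run_virtual_operation(steps, mitm=False):
    """Closed loop of controller and Plant Simulator. With mitm=True the S-sensor value
    is forced to 0 before the controller sees it, as in the supposed MITM attack."""
    sim, sensors, trace = PlantSimulator(), dict(SENSORS["Initial"]), []
    for _ in range(steps):
        seen = dict(sensors, Ssensor=0) if mitm else sensors
        sensors = sim.step(*networked_controller(seen))
        trace.append(sim.state)
    return trace, sim.ball
```

With the S-sensor suppressed the simulator never leaves the Golf state after the second ball, which is exactly the repeated P-sensor1 firing without a P-sensor2 or P-sensor3 firing that the Petri net of Section 4.2 turns into the Incident transition.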
Selector Unit switches the actuator/sensor signals according to the FRCS operation mode. Table 4, Table 5, and Table 6 show the connections of the devices during each operation mode. This paper does not consider fully automatic switching of the FRCS operation mode. The operator triggers the switching from the fallback mode to the virtual mode (via the Tact Switch of Selector Unit) because it takes the operator time to remove the cause of the incident. On the other hand, the transitions from the normal mode to the fallback mode and from the virtual mode to the normal mode are automatic. When Incident Detector 1 catches an incident in the normal operation, Selector Unit switches the signal connection from Table 4 to Table 5. When Incident Detector 2 detects no incident for a certain time, Selector Unit switches the signal connection from Table 6 to Table 4. This paper supposes that the integrity of the networked controller is confirmed when Incident Detector 2 catches no incident for a certain time. The incident detection method is the discrete-event system observer used in the previous work (Sawada et al., 2015). The details are described in the next subsection.

Table 4 Normal operation
Source          Destination
Remote Output   Ball-Sorter
Ball-Sorter     Remote Input
Ball-Sorter     Incident Detector 1

Table 5 Fallback operation
Source                Destination
Fallback Controller   Ball-Sorter
Ball-Sorter           Incident Detector 1

Table 6 Virtual operation
Source                Destination
Fallback Controller   Ball-Sorter
Ball-Sorter           Incident Detector 1
Remote Output         Plant Simulator
Plant Simulator       Remote Input
Plant Simulator       Incident Detector 2

4.2 Incident detection by disturbance observer

This paper applies a Petri net and a disturbance observer (Meditch and Hostetter, 1973) to the incident detection method. This method has been proposed in the previous work (Sawada et al., 2015). The incident this paper considers is as follows: the S-sensor never reacts because of the MITM; the networked controller sends illegal commands; a golf ball continues to exist at the sorting section, and then ball-jamming happens. We model such a ball flow by a Petri net (Murata, 1989) as shown in Fig. 10. No reaction of the S-sensor means that the number of tokens in $x_1$ is always zero even if a ball enters the sorting section (the transition “$u_1$ (P-sensor1)” fires). This situation is expressed by the transition “$d$ (Incident)”. Consider the case in which $u_1$ fires twice. The number of tokens in the place “$x_1$ (Sorting)” is two, while only one ball can exist at the sorting section in Ball-Sorter. Firing once, $d$ reduces this deviation. In other words, the firing of $d$ indicates the ball-jamming. This modelling is also applicable to Plant Simulator with the state machine of Fig. 9.

Fig. 10 Petri net for incident detection (places: $x_1$ (Sorting), $x_2$ (BOX1), $x_3$ (BOX2); transitions: $u_1$ (P-sensor1), $u_2$ (P-sensor2), $u_3$ (P-sensor3), $d$ (Incident))

In the previous work (Sawada et al., 2015), Incident Detector 1 of FOU catches the firing of $d$ and detects the incident during the normal operation. In addition to this, this paper proposes a method in which Incident Detector 2 of VOU catches the firing of $d$ and detects the incident during the virtual operation. As shown in Fig. 8, both detectors drive via the analog signals from Selector Unit. The networked controller sends the commands to Ball-Sorter or Plant Simulator via Remote Input after it receives the sensor signals from Ball-Sorter or Plant Simulator via Remote Output.

The state space model of Fig. 9 is given by

$$
\begin{cases}
x(k+1) = x(k) + B u(k) + E d(k), \\
y(k) = x(k),
\end{cases} \qquad (1)
$$

$$
B = \begin{bmatrix} 1 & -1 & -1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}, \quad
E = \begin{bmatrix} -1 \\ 0 \\ 0 \end{bmatrix}, \quad
x(k) = \begin{bmatrix} x_1(k) \\ x_2(k) \\ x_3(k) \end{bmatrix}.
$$

The values of $x_1$, $x_2$, and $x_3$ represent the numbers of tokens in the places in Fig. 10. $x_1$, $x_2$, $x_3$, $u_1$, $u_2$, $u_3$, and $d$ are the same as the names of the places and the transitions in Fig. 10. For example, consider the case in which $x_2$ is equal to 3. This indicates that there are three tokens in the place “$x_2$ (BOX1)” of Fig. 10 and three balls in BOX1 of Ball-Sorter or Plant Simulator. From (1), the disturbance observer is expressed by

$$
\begin{cases}
\tilde{x}_d(k+1) = A_d \tilde{x}_d(k) + B_d u(k) - K\left(\tilde{y}(k) - y(k)\right), \\
\tilde{y}(k) = C_d \tilde{x}_d(k),
\end{cases} \qquad (2)
$$

$$
A_d = \begin{bmatrix} I & E \\ 0 & I \end{bmatrix}, \quad
B_d = \begin{bmatrix} B \\ 0 \end{bmatrix}, \quad
C_d = \begin{bmatrix} I & 0 \end{bmatrix}, \quad
\tilde{x}_d(k) = \begin{bmatrix} \tilde{x}(k) \\ \tilde{d}(k) \end{bmatrix}, \quad
K = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ -1 & 0 & 0 \end{bmatrix},
$$

where $K \in \mathbf{R}^{4 \times 3}$ is the observer gain, and $\tilde{x}$ and $\tilde{d}$ are the estimated values of $x$ and $d$, respectively. The above gain is designed such that $A_d - K C_d$ is stable (Sawada et al., 2015). The disturbance observer is implemented in both detectors. When $\tilde{d}(k)$ is equal to 1, both detectors alert. When Incident Detector 1 alerts, Selector Unit switches the signal connection from Table 4 to Table 5 automatically. When Incident Detector 2 does not alert for a certain time, Selector Unit switches the flow of signals from Table 5 to Table 6 automatically. The initial states of the observers need not be the same as those of Ball-Sorter or Plant Simulator, because a stable $A_d - K C_d$ guarantees that the estimated states converge to the true ones.

5. PRACTICAL EXPERIMENTS

This section shows the capability of FRCS by a practical experiment. Table 7 shows the ball sequence in the experiments. P represents a ping-pong ball, and G represents a golf ball. The experimental flow is as follows.

1. MITM occurs at the beginning of the experiment.
2. Ball-jamming (the incident) occurs when the golf ball of input sequence number 2 shown in Table 7 is put in Ball-Sorter.
3. FRCS catches the incident.
4. All balls are sorted to BOX2 by the fallback operation.
5. MITM is resolved (by the operator).
6. The virtual operation starts when the operator pushes the tact switch.
7. Plant Simulator drives according to the ball sequence shown in Table 7.
8. No incident occurs in Plant Simulator.
9. Recovery from the virtual operation to the normal operation.
10. Balls are put in Ball-Sorter again according to the ball sequence shown in Table 7.
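The Petri net model (1) and the disturbance observer (2) of Section 4.2, carried through on a constructed event sequence as an added example (not the authors' Arduino code). The true plant is eq. (1) with a hand-written $d$ sequence for the jam, the measurement is $y(k) = x(k)$ as in (1), and the gain $K$ is the one printed in (2); `error_matrix` lets a reader check that $A_d - K C_d$ is not just stable but nilpotent, so the estimates settle in two steps.

```python
# Disturbance-observer incident detector of Section 4.2, eqs. (1) and (2), in pure
# Python. Added for this page; it is not the authors' Arduino implementation.
# Eq. (1): x = [x1 (Sorting), x2 (BOX1), x3 (BOX2)] token counts,
# u = [u1 (P-sensor1), u2 (P-sensor2), u3 (P-sensor3)] firings, d = "Incident".
B = [[1, -1, -1],
     [0,  1,  0],
     [0,  0,  1]]
E = [-1, 0, 0]
# Observer gain K of eq. (2); A_d - K C_d is nilpotent, so the estimates are deadbeat.
K = [[2, 0, 0],
     [0, 1, 0],
     [0, 0, 1],
     [-1, 0, 0]]

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def matmul(M, N):
    cols = list(zip(*N))
    return [[sum(m * n for m, n in zip(row, col)) for col in cols] for row in M]

def plant_step(x, u, d):
    """Eq. (1): x(k+1) = x(k) + B u(k) + E d(k) for Ball-Sorter or Plant Simulator."""
    bu = matvec(B, u)
    return [xi + bi + ei * d for xi, bi, ei in zip(x, bu, E)]

def observer_step(xt, dt, u, y):
    """One step of eq. (2) with A_d = [[I, E], [0, I]], B_d = [[B], [0]] and
    C_d = [I 0] multiplied out; xt, dt are x~(k), d~(k) and y is the measured x(k)."""
    r = [a - b for a, b in zip(xt, y)]              # y~(k) - y(k)
    kr = matvec(K, r)                               # K (y~ - y), four entries
    bu = matvec(B, u)
    xt_next = [xi + ei * dt + bi - ki for xi, ei, bi, ki in zip(xt, E, bu, kr[:3])]
    dt_next = dt - kr[3]
    return xt_next, dt_next

def error_matrix():
    """A_d - K C_d; its stability is what lets the estimates converge from any start."""
    A_d = [[1, 0, 0, -1], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]
    KC = [row + [0] for row in K]                   # K C_d with C_d = [I 0]
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A_d, KC)]

def run_detector(events, x0=(0, 0, 0), xt0=(0, 0, 0), dt0=0):
    """Drive plant and observer over (u, d) events. Returns the d~ trajectory, the
    step of the first alert (d~ == 1) or None, and the final x~ and true x."""
    x, xt, dt = list(x0), list(xt0), dt0
    d_hat, alert_at = [dt], None
    for k, (u, d) in enumerate(events):
        xt, dt = observer_step(xt, dt, u, x)        # y(k) = x(k) by eq. (1)
        x = plant_step(x, u, d)
        d_hat.append(dt)
        if dt == 1 and alert_at is None:
            alert_at = k + 1
    return d_hat, alert_at, xt, x

U1, U2, U3, NONE = [1, 0, 0], [0, 1, 0], [0, 0, 1], [0, 0, 0]
# Constructed events: ping-pong (u1, u2), golf (u1, u3), then under the MITM a golf
# ball enters, the next ball enters while it still jams (u1 with d = 1), flow halts.
EVENTS = [(U1, 0), (U2, 0), (U1, 0), (U3, 0), (U1, 0), (U1, 1), (NONE, 0), (NONE, 0)]
```

On `EVENTS` the estimate $\tilde{d}$ reaches 1 one step after the second $u_1$ firing and then returns to 0 as the true $d$ does; starting the observer from a wrong state, as the text allows, costs at most two steps before $\tilde{x}$ equals $x$.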
Table 7 Ball sequence
Input sequence   1   2   3   4   5   6   7
Ball             P   G   P   G   P   G   P
Fig. 11 Operation mode transition

Fig. 11 shows the time series plot of the operation mode transition. The data are acquired from the Arduino that serves as Selector Unit. According to Fig. 11, the operation mode transitions as follows: from the normal operation to the fallback one at 13 sec, from the fallback one to the virtual one at 30 sec, and from the virtual one to the normal one at 51 sec. This experiment shows that FRCS implements “maintaining functionality after incident” and “safety recovering after incident”.

6. CONCLUSION

This paper implements “safety recovering after incident” in addition to “maintaining functionality after incident” by FRCS. The proposed FRCS solves the open problem of the previous works (Sawada et al., 2015; Sasaki et al., 2015), which is the evaluation of the control system soundness and the safety recovery switching from the fallback operation to the normal operation. The existing FCS focuses on the availability of control systems; in addition to this, the FRCS can evaluate the soundness of control systems from the responses between the controller and Plant Simulator. The current FRCS does not deal with an incident during the normal operation after the recovery. Moreover, it is necessary to implement FRCS on a Programmable Logic Controller (PLC) because a PLC is usually used as the controller in FA systems. These are future works.

This work was partially supported by Council for Science, Technology and Innovation (CSTI), Cross-ministerial Strategic Innovation Promotion Program (SIP), “CyberSecurity for Critical Infrastructure” (funding agency: NEDO).

REFERENCES

Hoehn, A. and Zhang, P. (2016). Detection of replay attacks in cyber-physical systems. Proceedings of 2016 American Control Conference (ACC), pp. 290-295.
Hu, R., Hu, W., and Chen, Z. (2016). Research of smart grid cyber architecture and standards deployment with high adaptability for security monitoring. Proceedings of 2015 International Conference on Sustainable Mobility Applications, Renewables and Technology (SMART), pp. 1-6.
Isozaki, Y., Yoshizawa, S., Fujimoto, Y., Ishii, H., Ono, I., Onoda, T., and Hayashi, Y. (2014). Detection of cyber attacks against voltage control in distribution power grids with PVs. IEEE Transactions on Smart Grid, 7 (4), pp. 1824-1835.
Khorrami, F., Krishnamurthy, P., and Karri, R. (2016). Cybersecurity for control systems: A process-aware perspective. IEEE Design & Test, 33 (5), pp. 75-83.
Kissel, R. (2013). Glossary of key information security terms. NIST, NISTIR 729 (Revision 2).
Kogiso, K. (2015). Cyber-security enhancement of networked control systems using homomorphic encryption. Proceedings of 2015 54th IEEE Conference on Decision and Control, pp. 6836-6843.
MathWorks. (2016). MathWorks. http://www.mathworks.com/index.html?s_tid=gn_loc_drop (accessed 2016-10-19).
Meditch, S.J. and Hostetter, H.G. (1973). Observers for systems with unknown and inaccessible inputs. Proceedings of 1973 IEEE Conference on Decision and Control including the 12th Symposium on Adaptive Processes, pp. 120-124.
Miller, B. and Rowe, D. (2012). A survey of SCADA and critical infrastructure incidents. Proceedings of Annual Conference on Research in Information Technology, pp. 51-56.
Modbus-IDA (2012). MODBUS Application Protocol Specification v1.1b3, pp. 1-50.
Murata, T. (1989). Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77 (4), pp. 541-580.
Onoda, T. (2016). Probabilistic models-based intrusion detection using sequence characteristics in control system. Neural Computing and Applications, 27 (5), pp. 1119-1127.
Ozay, M., Esnaola, I., Tunay, F., Vural, Y., Kulkarni, R.S., and Poor, H.V. (2016). Machine learning methods for attack detection in the smart grid. IEEE Transactions on Neural Networks and Learning Systems, pp. 1773-1786.
Rojas, C. and Morell, P. (2010). Guidelines for industrial Ethernet infrastructure implementation: A control engineer’s guide. Proceedings of 2010 IEEE-IAS/PCA 52nd Cement Industry Technical Conference, pp. 1-18.
Sasaki, T., Sawada, K., Shin, S., and Hosokawa, S. (2015). Model based fallback control for networked control system via switched Lyapunov function. 41st Annual Conference of the IEEE Industrial Electronics Society (IECON2015), pp. 2000-2005.
Sawada, K., Sasaki, T., Shin, S., and Hosokawa, S. (2015). A fallback control study of networked control systems for cybersecurity. 2015 10th Asian Control Conference (ASCC2015), pp. 1-6.
Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., and Hahn, A. (2015). Guide to Industrial Control System (ICS) security. Recommendations of the National Institute of Standards and Technology, SP 800-82.
Zhioua, S. (2013). The Middle East under malware attack: dissecting cyber weapons. Proceedings of International Conference on Distributed Computing Systems, pp. 11-16.