1. Introduction

• For a given original ICS dataset, we reproduce the ICS network environment where the dataset was collected with a virtualized container.
• Each container contains a PLC or SCADA, and the control logic of the PLC is regressed from the given ICS data set.
• SCADA uses setpoints to control PLCs, and the values of setpoints are set probabilistically to ensure the randomness of the collected data sets.

2. Related Work

3. Proposal

3.3. Stochastic setpoint generation

In PLC, setpoints are reference values to compare measured values from sensors or other inputs. This value ensures that the system operates within acceptable parameters. Typically, a programmer or operator controls the system by manually or automatically determining setpoints. To fully simulate the ICS environment in software, it is necessary to automatically generate setpoints values. Since the setpoint value is determined according to the state of the control system, it inevitably has time series characteristics. There are various machine learning models for modeling time series data, such as autoregressive (AR), moving average (MA), and autoregressive integrated moving average (ARIMA). However, although these models show high prediction performance for training data, they are unsuitable for artificially generating new data. Therefore, we model setpoints stochastically using a hidden Markov model (HMM)[23]. HMM is a probabilistic model to describe a system where Markovian is assumed without explicit observation of the system’s state.

For instance, let’s consider a hypothetical PLC in a water treatment system. The HMM model, as illustrated in Figure 2, could represent different states such as ’Normal Operation,’ ’Low Flow,’ or ’High Contaminant Levels.’ Figure 2 illustrates an HMM model for the setpoint of an arbitrary PLC. We assume that the setpoint of the PLC is emitted from N hidden states, denoted as $Q=\{q_1,q_2,\dots ,q_N\}$, and observed as a sequence of observations $O=o_1{o}_2\dots o_T$. Our HMM model is parameterized as $\lambda =(A,B)$. Here $A=a_{11}{a}_{12}\dots a_{ij}\dots a_{NN}$ is the transition probability matrix between states, $B=b_1\left(o_1\right)\dots b_i\left(o_t\right)\dots b_N\left(o_T\right)$ is the emission probability. The element $a_{ij}$ of A is the probability of transition from state $q_i$ to $q_j$. The element $b_i\left(o_t\right)$ of B is the probability that the setpoint value $o_t$ comes from state $q_i$. We assume the emission probability $b_i\left(o_t\right)$ to be Gaussian distributed. That is, state $q_i$ is defined by mean ${\mu }_i\in \mathbb{R}$ and standard deviation ${\sigma }_i\in \mathbb{R}$. Then, based on this definition, we define forward probability ${\alpha }_t\left(j\right)$ and backward probability ${\beta }_t\left(j\right)$ (Eq. 2 and 3).

$${\alpha }_t\left(j\right)=P(o_1,o_2,\dots ,o_t,Q_t=q_i|\lambda )=\sum _{i=1}^N{\alpha }_{t-1}\left(i\right)\times a_{ij}\times b_j\left(o_t\right)$$

(2)

$${\beta }_t\left(j\right)=P(o_{t+1},o_{t+2},\dots ,o_T,Q_t=q_j|\lambda )=\sum _{i=1}^N{a}_{ij}\times b_j\left(o_{t+1}\right)\times {\beta }_{t+1}\left(j\right)$$

(3)

Forward probability ${\alpha }_t\left(j\right)$ is the probability of observing the first t setpoints and being in a specific state $q_j$. Backward probability ${\beta }_t\left(j\right)$, on the other hand, is the probability of observing $T-t+1$ setpoints starting from timestep $t+1$, assuming that the system is in state $q_j$ at timestep t. As expressed in Eq 2 and 3, obviously, ${\alpha }_1\left(j\right)$ and ${\beta }_T\left(j\right)$ are defined recursively, and dynamic programming is used for efficient calculation. At this time, ${\alpha }_1\left(j\right)$ and ${\beta }_T\left(j\right)$ are defined as ${\pi }_j\times b_j\left(o_1\right)$ and 1, respectively ($\pi =({\pi }_1{\pi }_2\dots {\pi }_N)$ is the probability for the initial state). Based on the above definition, we learn the HMM model for the PLC’s setpoint using the standard Baum-Welch algorithm. This algorithm is a type of expectation-maximization (EM) algorithm, and as a learning result, we obtain $\sigma =(A,B)$, the parameter of the HMM model (Algorithm 1).

With the learned HMM model $\lambda =(A,B)$, we probabilistically generate artificial setpoint values. First, the initial state $Q_1$ is drawn from the probability distribution $\Pi$ for the initial state. Once the initial state is determined, a new setpoint $o_1$ is sampled from the emission distribution for that state. We use a Gaussian distribution as the emission distribution, as mentioned above. Then, the next state, $Q_2$, is determined using the potential probability matrix A. $o_2$ is generated from the emission distribution for $Q_2$. Repeating the above process creates as many setpoint values as necessary. Once this setpoint is set in the SCADA system, it is passed to the PLC to simulate the ICS environment. Algorithm 2 is an algorithm for creating an artificial setpoint.

4. Evaluation of Simulated ICS

5. Conclusion

Abbreviations

References

1. Subramanian, D., Murali, P., Zhou, N., Ma, X., Cesar Da Silva, G., Pavuluri, R., & Kalagnanam, J. (2019). A prediction-optimization framework for site-wide process optimization. Proceedings - 2019 IEEE International Congress on Internet of Things, ICIOT 2019 - Part of the 2019 IEEE World Congress on Services. [CrossRef]
2. Min, Q., Lu, Y., Liu, Z., Su, C., & Wang, B. (2019). Machine Learning based Digital Twin Framework for Production Optimization in Petrochemical Industry. International Journal of Information Management, 49. [CrossRef]
3. Mathur, A. P., & Tippenhauer, N. O. (2016). SWaT: A water treatment testbed for research and training on ICS security. 2016 International Workshop on Cyber-Physical Systems for Smart Water Networks, CySWater 2016. [CrossRef]
4. Shin, H. K., Lee, W., Yun, J. H., & Kim, H. C. (2020). HAI 1.0: HIL-based augmented ICS security dataset. CSET 2020 - 13th USENIX Workshop on Cyber Security Experimentation and Test, Co-Located with USENIX Security 2020.
5. Craggs, B., Rashid, A., Hankin, C., Antrobus, R., Serban, O., & Thapen, N. (2019). A reference architecture for IIoT and industrial control systems testbeds. IET Conference Publications, 2019(CP756). [CrossRef]
6. Goodfellow, I. J., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., & Bengio, Y. (2014). Generative adversarial nets. Advances in Neural Information Processing Systems.
7. Kingma, D. P., & Welling, M. (2014). Auto-encoding variational bayes. 2nd International Conference on Learning Representations, ICLR 2014 - Conference Track Proceedings.
8. Beaver, J. M., Borges-Hink, R. C., & Buckner, M. A. (2013). An evaluation of machine learning methods to detect malicious SCADA communications. Proceedings - 2013 12th International Conference on Machine Learning and Applications, ICMLA 2013, 2. [CrossRef]
9. Morris, Tommy. Industrial Control System (ICS) Cyber Attack Datasets. Available online: https://sites.google.com/a/uah.edu/tommy-morris-uah/ics-data-sets (accessed on 20 January 2023).
10. Morris, T., & Gao, W. (2014). Industrial control system traffic data sets for intrusion detection research. IFIP Advances in Information and Communication Technology, 441. [CrossRef]
11. Morris, T. H., Thornton, Z., & Turnipseed, I. (2015). Industrial Control System Simulation and Data Logging for Intrusion Detection System Research. Seventh Annual Southeastern Cyber Security Summit.
12. Zhang, C., Kuppannagari, S. R., Kannan, R., & Prasanna, V. K. (2018). Generative Adversarial Network for Synthetic Time Series Data Generation in Smart Grids. 2018 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids, SmartGridComm 2018. [CrossRef]
13. Tushar, W., Huang, S., Yuen, C., Zhang, J. A., & Smith, D. B. (2015). Synthetic generation of solar States for smart grid: A multiple segment Markov chain approach. IEEE PES Innovative Smart Grid Technologies Conference Europe, 2015-January (January). [CrossRef]
14. Iftikhar, N., Liu, X., Nordbjerg, F. E., & Danalachi, S. (2016). A Prediction-Based Smart Meter Data Generator. NBiS 2016 - 19th International Conference on Network-Based Information Systems. [CrossRef]
15. Esteban, C., Hyland, S. L., & Rätsch, G. (2017). Real-valued (Medical) Time Series Generation with Recurrent Conditional GANs. ArXiv:1706.02633v2. [CrossRef]
16. Iftikhar, N., Liu, X., Danalachi, S., Nordbjerg, F. E., & Vollesen, J. H. (2017). A scalable smart meter data generator using spark. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 10573 LNCS. [CrossRef]
17. Dahmen, J., & Cook, D. (2019). SynSys: A synthetic data generation system for healthcare applications. Sensors (Switzerland), 19(5). [CrossRef]
18. Zheng, X., Wang, B., & Xie, L. (2019). Synthetic dynamic PMU data generation: A generative adversarial network approach. 2019 International Conference on Smart Grid Synchronized Measurements and Analytics, SGSMA 2019. [CrossRef]
19. Imtiaz, S., Arsalan, M., Vlassov, V., & Sadre, R. (2021). Synthetic and Private Smart Health Care Data Generation using GANs. Proceedings - International Conference on Computer Communications and Networks, ICCCN, 2021-July. [CrossRef]
20. Razghandi, M., Zhou, H., Erol-Kantarci, M., & Turgut, D. (2022). Variational Autoencoder Generative Adversarial Network for Synthetic Data Generation in Smart Home. ArXiv:2201.07387v1. [CrossRef]
21. Ayodeji, A., Liu, Y. kuo, Chao, N., & Yang, L. qun. (2020). A new perspective towards the development of robust data-driven intrusion detection for industrial control systems. In Nuclear Engineering and Technology (Vol. 52, Issue 12). [CrossRef]
22. Ling, J., Zhu, Z., Luo, Y., & Wang, H. (2021). An intrusion detection method for industrial control systems based on bidirectional simple recurrent unit. Computers and Electrical Engineering, 91. [CrossRef]
23. Ghahramani, Z. (2001). An introduction to hidden Markov models and Bayesian networks. International Journal of Pattern Recognition and Artificial Intelligence, 15(1). [CrossRef]
24. Docker, Inc. Docker, Inc. https://www.docker.com/, Access date: 2023-03-08. Available online: https://www.docker.com/ (accessed on 08 March 2023).
25. SCADA-BR. Available online: https://www.scadabr.com.br/ (accessed on 08 March 2023).
26. Arduino. Available online: https://www.arduino.cc/ (accessed on 09 March 2023).
27. Raspberry, Pi. Available online: https://www.raspberrypi.com/ (accessed on 09 March 2023).
28. Alves, T., & Morris, T. (2018). OpenPLC: An IEC 61,131–3 compliant open-source industrial controller for cyber security research. Computers and Security, 78. [CrossRef]