INTRODUCTION

The development of industrial systems has led to a shift from automated production to the concept of Digital Production. In Digital Production systems, the information and physical components are closely interconnected; they work within a single industrial circuit [ 1-3 ].

At the same time, the problem of ensuring the security of industrial systems, the specificity of which is autonomy from humans, mutual components control of each other and their availability to communicate using the Internet, is becoming increasingly important [ 4 ]. This specificity opens up wide opportunities for remote destructive impact on the components of industrial systems, as a result of which physical processes can be disturbed. This can cause harm to the environment, life

The study was carried out as part of the scholarship of the President of the Russian Federation to young scientists and graduate students SP- 1932.2019.5. and human health. In such conditions, the task of preventing computer attacks on industrial systems is especially urgent, an important step in solving which is to counter attacks [ 5 ].

In this paper, we propose a bio-inspired approach for industrial network infrastructure self-regulation. The purpose of this approach is to exclude the conditions of successful cyber-attack implementation due to reconfiguration of the network structure.

II.

The study of the problem of developing approaches to automatic self-regulation of the network infrastructure of complex large-scale systems showed that many solutions are aimed at restoring the system after a failure (including that caused by a cyber-attack).

In [ 6 ], the authors propose an approach for automatic proactive response to cybersecurity incidents, which uses data obtained from open sources; analytical models of attacks, events, countermeasures and dependencies between services; hierarchical built-in set of heterogeneous security metrics. The choice of metrics is based on their effectiveness, defined as the difference in risk levels before and after the implementation of the metric. Risk, in turn, is determined by the presence of vulnerabilities in the system and the cost of resources. The main problem of this approach is the use of data presented in open sources. Thus, the method is focused on already known attacks and may prove to be powerless when attackers invent new methods of influencing the system.

A small number of studies are devoted to creating approaches that allow not only detecting cyber-attacks, but also counteracting them by neutralizing them or correcting system behavior [ 7-11 ]. The study [ 7 ] is especially noted, in which the authors propose the correction of destructive effects based on the control method, using the Lyapunov model. This method is designed to ensure system stability. To identify potential computer attacks, the authors use machine learning methods that are widely used for clustering and regression, as well as methods based on neural networks. The use of control based on the Lyapunov model allows a neutralizing effect on the subsystem when a cyber-attack is detected. The disadvantage of this method as applied to its integration with PS is the rather high complexity of mathematical transformations and calculations, in particular, the construction of the Lyapunov model. We should also highlight the works devoted to the implementation of the bio-inspired homeostatic concept [ 12,13 ]. This concept implies maintaining a constant state of the environment under the conditions of destructive influences, provided by the implementation of the homeostatic control loop, which carries out automatic self-regulation of the system. The approach [ 13 ] can be used for self-regulation of the network infrastructure of small-scale industrial systems. This approach is based on the development of self-regulation scenarios and the application of a specific scenario, depending on what destructive effect the system has on the system. Thus, we can conclude that most approaches to self-regulation of complex systems (including industrial ones) are based on the use of behavior models and self-regulation patterns. These approaches, on the one hand, will be effective in case of system failures, but on the other hand, it will not It will be effective in case of massive cyberattacks that immediately affect a large number of system components.

The approach proposed in this paper is aimed at selfregulation of industrial systems with a flexible dynamic network infrastructure. It provides a system response both to the negative impact caused by cyberattacks and to failures caused by technical malfunctions. The approach uses a graph representation of the network infrastructure and a functional representation of the target function.

III.

TARGET FUNCTION

Network infrastructure of industrial system is represented as an oriented graph (Fig. 1). The set of graph vertices characterizes all components of the industrial system that are capable of network interaction. The set of arcs reflects all possible inter-component connections, which manifest as data exchange.

f3

Each component of the system modeled by the vertex is characterized by a set of functions that it is able to implement. Each arc of the graph corresponds to a certain characteristic , which may have different meanings depending on the type of industrial system (channel bandwidth, data transfer rate, etc.).

The target function of an industrial system is presented simultaneously as a set of routes on a graph (where each route characterizes a specific process performed by the system) and as a set of functional sequences: F={F1, F2, …, Fn}, where each system process corresponds to a functional sequence.

The following types of relationships between functions are introduced into the model: • • • •

Sequentially performed functions - one function uses the results of others, it is not required to perform this function immediately after the completion of the previous ones. Parentheses are used to indicate this relationship: fj(fk) - first, the function fk is executed, then the function fj is applied to its result.

Strictly sequentially performed functions - one function uses the results of others, it is required to perform this function immediately after the previous ones are completed. To indicate such a relationship, square brackets are used: fj[fk] - the function fk is first executed, then, immediately after its completion, the function fj is applied to its result.

Parallel functions - must be performed simultaneously. To indicate such a relationship, the sign * is used, the operation is commutative: fj * fk.

Functions performed in random order. To indicate such a relationship, the + sign is used, the operation is commutative: fj + fk + fm.

Then {} is used as an analogue of ordinary brackets.

For functions, a decomposition operation can be performed that implements the representation of some complex function fi as a sequence of several, more computationally simple, functions.

IV.

ANALOGY BETWEEN TARGET FUNCTION AND DNA Both target function of an industrial system and DNA can be represented as a sequence of elements: in the case of an target function, the elements are functions, and in the case of DNA, nucleotides. Under cyber-attacks, one or more components can lose their ability to perform certain functions. In this case, the target function “breaks up” into separate parts, which will need to be connected together again. To do this, it is required to reconfigure the network infrastructure. To restore the functional sequence that determines the target function, it is proposed to apply a mathematical apparatus used in DNA sequencing - the search for overlaps and matching parts of the sequence.

A DNA chain is a sequence of four types of nucleotides: A (adenine), T (thymine), G (guanine), C (cytosine). Modern technologies allow reading reads - sequences of several hundred nucleotides in length from random places; the key step is to combine reads based on their overlapping sections. For this, special programs are used, most of which use de Bruijn and overlap graphs [ 14 ]. The de Bruijn graph is a directed graph whose vertices are rows of length (k − 1), and the edges are rows of length k. The overlap graph is a weighted oriented graph whose vertices are rows (which can be of different lengths). An edge between a pair of vertices is drawn if the corresponding lines overlap.

Examples for target function which could be constructed using by both graphs are presented at Fig. 2, 3. Let the target function be represented by the following sequence: F=f1f3f4f5f8f11.

Thus, the main differences between the graph de Bruijn and the overlap graph in terms of graph structure are as follows: • •

When searching for overlappings in the de Bruijn graph, a fixed length of the prefix and suffix equal to k-1 is used.

De Bruijn graph is characterized by a fixed length of lines characterizing each vertex (length k).

Also proposed an analogy between information functions of industrial systems and DNA fragments (Table 1).

To implement the method, for each function that is part of the target function, is constructed a set of vertices that are able to implement this function. Thus, for each function, a cluster of devices is formed that can replace each other in the event of failure or compromise (Fig. 4).

The proposed approach to self-regulation also uses preformed self-regulation scenarios based on representing the network infrastructure of the industrial system in the form of a graph. Scenarios contain rules for replacing vertices and arcs in a graph, as well as restrictions on the construction of new routes that reflect the performance of the target function. In particular, such routes should not include compromised system components or components with suspicious behavior.

Updating data on the structure of the system in accordance with the identified anomalies and threats to cybersecurity. At this step, the removal of incorrectly functioning vertices from the clusters and their relationships is performed.

Automatic selection of the method of self-regulation (use of scripts, de Bruijn graphs or overlap graphs). Application of the selected method of self-regulation, as a result of which the restoration of the target function is performed.

Type of security breach Violation of several functions (both reads and contigs) related to each other or a combination of various types of violations

Target function recovery

Using self-regulation scenarious, de Bruijn graphs and overlap graphs

To confirm the assumption described in Table 2, an experiment was conducted consisting in simulating cyberattacks and estimating the time of self-regulation, performed in different ways.

The Fig. 5 shows the results of an experiment in which 3 interconnected vertices were removed from the graph characterizing the industrial network. Average time for selfregulation using scenarios was 0.02 seconds, for overlap graphs – 0.003 seconds.

The Fig. 6 shows the results of an experiment in which one vertex was deleted, then 3 interconnected vertices in another part of the graph were deleted and 2 successive vertices were compromised. The time spent on self-regulation turned out to be approximately the same for both approaches (0.004 seconds for scenarios and 0.003 seconds for complex approach), however, the use of an integrated approach gave a greater gain in time.

The results of the experiments confirmed the assumption that when removing interconnected vertices, de Bruijn graphs and overlap graphs should be used, and for massive attacks involving vertices in different parts of the graph, an integrated approach should be used.

To conduct experimental research, a bench simulating an automatic industrial water treatment system was used [ 15 ]. Water treatment includes six subprocesses P1-P6 (Fig. 7): •

P1: collection and storage of untreated water.

P3: primary water treatment involving the use of ultrafiltration and backwash technologies.

F={{{f8(f6(f7(f4)))* f5*f2(f7)}( f3(f3(f1)))}* f4 }(f3(f2(f1))), where: f1 - control of water circulation systems. f2 - parameter adjustment. f3 - access to the database. f4 - command sending and reconfiguration. f5 - adjusting the volume of water in the tanks. f6 - sending a command about moving water. f7 - change system parameters.

f8 - resetting the tank.

The following types of destructive influences were modeled: denial of service attacks on the components of the experimental bench, attacks consisting in modifying data from the components of the experimental bench, illegitimate changes to the structure of the experimental bench. Consider one of the denial of service attacks, as a result of which three interconnected system components fail (in terms of the graph model, three vertices of the graph are removed).

Fig. 8 shows the changes in the target function of the system, as a result of which the functions f1, f3 and f4 ceased to be executed in the target function.

For system self-regulation, de Bruijn graphs and known function decompositions were used: f1=f3(f6). f2=f7(f3). f5=f7(f6(f8)).

The graph obtained as a result of self-regulation is shown in Fig. 9.

Black edges are edges constructed according to the principles of constructing an overlap graph. The dashed edges are based on the neighborhood of the vertices in the original graph. The peaks reachable from the starting peak are marked in gray. The vertices from which the final vertex is reachable are marked in black.

For the considered attack, the time of self-regulation was 25% of the time of its implementation. Thus, for this cyberattack, it was possible to exclude the conditions for its implementation. The restored target function is shown in Fig. 10.

For other attacks, the system’s self-regulation time was 1238% of their implementation time.

The specifics of systems that combine information technology and physical process control devices have made insufficient the use of classical methods of ensuring information security. The work is devoted to a detailed consideration of one of the stages of preventing cyber-attacks on industrial systems, which consists in the self-regulation of their network structure.

In this paper, the similarity between target function restoring and DNA sequencing is investigated. It is proposed to use the principles of constructing de Bruin graphs and overlap graphs to restore system performance. The use of such graphs will reduce assembly time due to faster “coupling” of the restored sections of the target function.

This approach was proposed for the first time, an analysis of related works showed that most studies use behavioral models and pre-formed self-regulation patterns for automatic self-regulation. The combined use of de Bruijn graphs and overlap graphs together with self-regulation scenarios will effectively resist massive cyber-attacks, which is confirmed by the results of experimental studies. [1]