Analysis Of Attacks In Modern Cyberphysical Systems

Yurii Shcherbyna
Dept. Automated Systems and Cybersecurity
Odesa State Academy of Technical Regulation and Quality
Odesa, Ukraine
shcherbinayura53@gmail.com

Nadiia Kazakova
Dept. Information Technologies
Odesa State Environmental University
Odesa, Ukraine
kaz2003@ukr.net

Oleksii Fraze-Frazenko
Dept. Information Technologies
Odesa State Environmental University
Odesa, Ukraine
frazenko@gmail.com

Lubomir Parchuts
Dept. Protection of Information
Lviv Polytechnic National University
Lviv, Ukraine
par7@i.ua

Sergey Schneider
Dept. Information Security
Lviv Polytechnic National University
Lviv, Ukraine
shnapi007@gmail.com

Abstract—Cyber-physical systems, representing the integration of computing, network and physical processes, are increasingly being implemented into critical infrastructure, community management and the private life of people. Due to their excessive complexity, the number of vulnerabilities in both the software and the physical part of the equipment increases significantly, which in turn leads to increased risks from the realization of possible threats. The overwhelming majority of cyber threats are realized through intelligent telecommunication networks, attacks on data transmission protocols, the intelligent part of data sources in the executive mechanisms of systems, as well as the local control centers of the system. The construction of adequate requirements for the system of cybernetic protection implies a careful approach to the study of the architecture and technical features of the cyberphysical system to be protected. As in any real engineering system, in systems for the protection of cyberphysical systems the modeling of internal processes plays a key role in the analysis of their dynamic behavior. It is shown that the model of a cyberphysical system should describe at the formal level, in spatial and temporal terms, all possible connections between the cybernetic and physical parts of the operating environment and substantiate the characteristics that determine the quality of its functioning. An analysis of published works shows that the most dangerous attacks used by security breachers in cybernetic space are divided into attacks such as DoS attacks, Replay attacks and Deception attacks. It is against attacks of this type that the efforts of specialists in the field of cybernetic defense are concentrated. It is shown that ensuring the stability, security and reliability of protection is based on solving the problem of multi-purpose optimization.

Keywords—Cyber-physical system, Cyber-security, Cyber-Attack, DoS attack, Replay attack, Deception attacks, Wormhole attack, cyberspace, physical space.

Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

I. INTRODUCTION

The use of cyberphysical systems to improve the management of society and of complex technological processes leads to radical changes in society itself. Such systems are based on intelligent networks (Smart Grid), which can significantly increase the efficiency of automation of power infrastructure management, telecommunications and defense systems and other objects of strategic importance. The term Smart Grid first appeared in the West as a description of everything related to the automation, control and management of power supply system components [1]. Today, the term Smart Grid is used in areas where information collection and processing systems and equipment condition monitoring are implemented in large complex systems [2]. Along with the benefits of the digitalization of public life, production and business, the threat of using digital systems to interfere in the sphere of other people's interests for purely malicious purposes is growing. As a result, there is a growing need to explore issues related to responding to operational events related to resource recovery, security control, and automation.

The use of cyberphysical systems involves the implementation of appropriate infrastructure, which should increase the reliability and security of all aspects of its operation. Its complexity, and the fact that such infrastructure is based on intelligent information and telecommunications networks, increase the probability of attacks from the external environment on critical management procedures; carrying out such attacks may allow attackers to manipulate measurements, load conditions and other critical system parameters [3]. Thus, the importance of constant monitoring of risks in the operating environment of the system and of the timely prevention of illegal interference is obvious. It follows that the cybersecurity system is one of the main components of any modern cyberphysical system [4].

II. FORMULATION OF THE PROBLEM

With the development of cyberphysical systems, security problems arise in both their physical and cyber spaces [5]. The architecture of modern cyberphysical systems allows a violator to carry out parallel coordinated attacks from external cyberspace on elements of their infrastructure and management. The consequences of such attacks can be events that pose a threat to human life, man-made disasters and large material losses.

The cybersecurity system should reduce the risks of threats, detect and identify abnormal system behavior, respond to intrusions, and initiate countermeasures to mitigate the effects of such threats and quickly restore normal operation.

Extensive security research on modern cyberphysical systems has identified a significant number of attack scenarios based on specific vulnerabilities, their targets, and the resources required to implement them. The results of such an analysis form the basis for the organization of appropriate protection [6].

The reliability of security systems is determined by careful analysis of the physical and cyber environments for the presence of intentional and unintentional events that lead to threats, so the purpose of this work is to review the current state of the most common cyber attack and defense strategy scenarios.

III. MAIN PART

The appearance of cyberphysical systems does not require a fundamental revision of protection theory. Its main part is still network protection, and the main attack types are attacks on communication protocols, identification and authentication mechanisms, as well as key distribution mechanisms. At the same time, the features of cyberphysical systems and their gradual improvement give rise to new scenarios and types of attacks. Compared with traditional security systems, cyberspace protection systems are still in their infancy, and studies have already identified a large number of vulnerabilities that could lead to catastrophic attacks. Although a strategy for protection and for detection or mitigation already exists for most of the detected attacks, this problem is far from being resolved.

Given the vulnerabilities of cyberphysical systems, attacks can be implemented covertly and unpredictably [7]. Thus, an attacker could alter control information by forging packets intercepted in the control loop using viral software, or illegally access process monitoring centers to disrupt their normal operation. The dynamics of the system can therefore be disrupted if its protection is not provided at the appropriate level, which is why cyber attacks are considered the main type of threat in cyberspace.

Effective defense can be organized if it is based on mathematical models of attacks. Modeling plays a key role in analyzing and understanding the dynamics of violators' behavior in the intelligent networks on which cyberphysical systems are built.

The design of cyberphysical systems requires the simultaneous consideration of security tasks under limited resources and of compliance with the requirements for the quality of their operation. At the same time, to ensure stability, security and reliability, it is necessary to solve the problem of multi-purpose optimization.

From a practical and theoretical point of view, it is important to build a model of a single system before any analysis. An example of a model that considers a cyberphysical system as a dynamic system with distributed parameters and a high degree of automation, and that is used by specialists in various fields, is the model described in [8]. It makes it possible to formally determine such system characteristics as the asynchrony of measurements in time and control, network packet delays and the state of coherence of processes in the system. Within modeling-based analysis, it is important that attacks be formally described at the mathematical level. Currently, the most popular attacks described in scientific journals can be divided into the following categories: "denial of service" (DoS) attacks, Replay attacks and Deception attacks.

The most common attack type is the DoS attack. With its help, violators manage to make system resources inaccessible. Typically, they constantly send "empty" messages to the smart network domain buffers and thus block them by overloading. This allows the attacker to block one or another of the system's resources and make it impossible to exchange data between system entities or to change the routing protocol. For the quantitative analysis of the reduction of system performance caused by such attacks, queuing models, as well as Markov and Bernoulli models, are used.

Attacks built on queuing models can be described as time-delayed systems, for which the stability problem can be solved effectively [9]. In [10], based on an analysis of the schedule of DoS attacks, a method of calculating the average error in the operation of the intrusion detection system is substantiated. DoS attack models based on the Bernoulli scheme, although describing different mechanisms, are the same, which makes it possible to effectively analyze the performance of cyberphysical systems using the typical approaches for missed measurements.

The next dangerous attack type that is common in cyberspace is the Replay attack. This is an attack on the authentication system by recording and then replaying a correct message or part of it [11]. Any immutable information, such as a password or biometric data, is used to simulate authenticity. Such an attack makes it possible to gain unauthorized access to resources or to transmit false data in order to disrupt the system. An example of a Replay attack is an attack on cyberphysical system actuators, where previously transmitted packets are transmitted instead of the packets containing the current control commands. Such an attack is not easy to identify, since replayed packets may pass the authentication procedures, and, as a consequence, the normal functioning of the cyberphysical system may be disrupted.

Using a wormhole attack, attackers intercept information between two endpoints and pass it on to other attackers, thus creating a "tunnel" of control. Using this variant of the Replay attack, violators gain the ability to control management processes. Obviously, violators do not need any system information to carry out such attacks.

A cryptographic authentication system is required to counter Replay attacks. It should provide original keys for each session. In addition to the password, the packets must include timestamps and other additional control data that limit the capabilities of potential violators. The presence of such parameters makes the retransmission of packets less effective.

The most common and dangerous attacks in cyberspace are the Deception attacks.
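Before turning to deception attacks, the Replay-attack countermeasure just described (a fresh key for each session, plus a timestamp and other control data bound into every packet) can be shown concretely. The Python code below is an added example written for this page, not code from the paper or from any of the works it cites. The packet layout, the HMAC-SHA256 tag, the per-session key derivation, the two-second freshness window and the sample commands are all assumptions made here; a real actuator protocol would fix these in its specification.

```python
"""Replay-resistant authenticated control packets (added example).

Not code from the paper. Implements the countermeasure the text describes:
a per-session key, and a timestamp plus a sequence number bound into each
packet by a MAC, so a recorded packet cannot simply be re-sent later.
Packet layout (an assumption of this example):
    session_id | seq | timestamp | command length | command | HMAC-SHA256 tag
"""
import hashlib
import hmac
import struct

TAG_LEN = 32                 # HMAC-SHA256 output length
SESSION_ID_LEN = 16
HEADER_FMT = "!QdH"          # seq (u64), timestamp (f64), command length (u16)
HEADER_LEN = struct.calcsize(HEADER_FMT)
FRESHNESS_WINDOW_S = 2.0     # constructed value: how old a packet may be


def derive_session_key(master_key: bytes, session_id: bytes) -> bytes:
    """Per-session key from the long-term secret: HKDF-style extract-then-expand
    over HMAC-SHA256 (single output block is enough for a 32-byte key)."""
    prk = hmac.new(b"cps-session-salt", master_key, hashlib.sha256).digest()
    return hmac.new(prk, session_id + b"\x01", hashlib.sha256).digest()


def build_packet(session_key: bytes, session_id: bytes, seq: int,
                 timestamp: float, command: bytes) -> bytes:
    """Sender side: header and command, then a tag over all of it."""
    body = session_id + struct.pack(HEADER_FMT, seq, timestamp, len(command)) + command
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return body + tag


class Actuator:
    """Receiver side: checks tag, freshness and sequence order before acting."""

    def __init__(self, master_key: bytes, session_id: bytes):
        self.key = derive_session_key(master_key, session_id)
        self.last_seq = 0      # highest sequence number accepted so far
        self.applied = []      # commands actually executed

    def accept(self, packet: bytes, now: float):
        """Return (accepted, reason). 'now' is the receiver's own clock."""
        if len(packet) < SESSION_ID_LEN + HEADER_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # A packet tagged under another session's key fails here too, so the
        # session binding is enforced by the key rather than by a field check.
        if not hmac.compare_digest(tag, expected):
            return False, "bad-tag"
        seq, ts, n = struct.unpack(
            HEADER_FMT, body[SESSION_ID_LEN:SESSION_ID_LEN + HEADER_LEN])
        command = body[SESSION_ID_LEN + HEADER_LEN:SESSION_ID_LEN + HEADER_LEN + n]
        if abs(now - ts) > FRESHNESS_WINDOW_S:
            return False, "stale"        # recorded long ago, replayed now
        if seq <= self.last_seq:
            return False, "replayed"     # fresh enough, but already consumed
        self.last_seq = seq
        self.applied.append(command)
        return True, "ok"


def run_scenario():
    """Constructed exchange: a controller sends three commands; an attacker
    records the second one and tries to reuse it in several ways."""
    master_key = b"\x11" * 32              # constructed long-term secret
    session_id = b"\xaa" * SESSION_ID_LEN  # constructed session identifier
    key = derive_session_key(master_key, session_id)
    actuator = Actuator(master_key, session_id)
    results = {}

    p1 = build_packet(key, session_id, 1, 100.0, b"VALVE=OPEN")
    p2 = build_packet(key, session_id, 2, 100.5, b"VALVE=CLOSE")
    p3 = build_packet(key, session_id, 3, 101.0, b"PUMP=ON")
    results["p1"] = actuator.accept(p1, now=100.1)
    results["p2"] = actuator.accept(p2, now=100.6)
    results["p3"] = actuator.accept(p3, now=101.1)

    # 1. Prompt replay (the wormhole case): tag and timestamp still pass,
    #    but the sequence number has already been consumed.
    results["replay_now"] = actuator.accept(p2, now=101.2)
    # 2. Delayed replay: rejected by the freshness window alone.
    results["replay_late"] = actuator.accept(p2, now=200.0)
    # 3. Edited command: the attacker lacks the key, so the tag no longer matches.
    forged = bytearray(p2)
    forged[SESSION_ID_LEN + HEADER_LEN] ^= 0x01
    results["forged"] = actuator.accept(bytes(forged), now=100.6)
    # 4. Valid-looking packet from an earlier session: different per-session key.
    old_sid = b"\xbb" * SESSION_ID_LEN
    old_key = derive_session_key(master_key, old_sid)
    old = build_packet(old_key, old_sid, 9, 101.2, b"VALVE=OPEN")
    results["old_session"] = actuator.accept(old, now=101.3)

    results["applied"] = list(actuator.applied)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The two checks cover different failure modes: the monotonic sequence number catches a replay that arrives inside the freshness window (the tunnelled packet of a wormhole attack arrives promptly), while the timestamp bounds how long a recorded packet stays usable if the receiver's sequence state is lost, for example after a restart. Both only help because the tag covers them; a timestamp that is not authenticated can be rewritten by the attacker.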
This is a type of cyber attack whose purpose is to intervene in physical and cybernetic processes through telecommunications systems in order to gain control over certain parts of the cyberphysical system [12]. In principle, deception can be defined as the interaction between two subjects, the attacker and the target of deception, in which the deceiver tries to force the target to accept the false version of reality desired by the deceiver.

Cyberspace is very different from the natural environment. First, it is much easier to hide personal information or identification data in cyberspace than in the usual interaction of subjects. Second, information in cyberspace is subject to constant change. Both of these factors contribute to the implementation of fraudulent activities in cyberspace. Therefore, deception attacks do not have a separate typical model. Their scenarios are determined by the goals, vulnerabilities and available resources of the security violators [13].

In the case of an attack on technological systems, the main purposes of fraud attacks are the manipulation of sensor readings, the forgery of control information and access to system resources. Over time, the technical complexity of fraud attacks will increase due to improved countermeasures. Today, there are a large number of methods to detect and stop attacks of this type. Success is based on the study of vulnerabilities and attack scenarios that have been used in the past, their assessment, and finding ways to counter them effectively [14]. As the intensity of attacks increases, so should the variety of protection means.

IV. CONCLUSION

The main tasks of cybersecurity are to ensure the sustainable operation of cyberphysical systems by creating mathematical models of them that formally take into account the smallest features of the architecture and of the measurement, control and data exchange protocols. The presence of such models makes it possible to analyze the detected attacks, on the basis of which counteraction mechanisms are built.

Given the complexity of such systems and the dynamic behavior of their components, it is almost impossible to predict all possible scenarios of attacks in cyberspace. At the moment, this problem is still far from being finally solved. The published literature assumes that violators have all the necessary system information, and that defenders have the possible scenarios of attacks. For the most part this is the case, but not always. It follows that the main problem is the openness of

REFERENCES

[1] Janssen M.C. The Smart Grid Drivers, PAC World, 2010, 77 p.
[2] Amin S.M., Wollenberg B.F. Toward a Smart Grid, IEEE P&E Magazine, 2005, No. 3, pp. 34-41.
[3] Mo Y., Kim T.H.J., Brancik K. et al.: 'Cyber-physical security of a smart grid infrastructure', Proc. IEEE, 2012, 100, (1), pp. 195-209 (doi: 10.1109/JPROC.2011.2161428).
[4] National Institute of Standards and Technologies (NIST): 'Guidelines for smart grid cybersecurity' (NIST Special Publication, Gaithersburg, MD, 2014). Available at url: http://www.dx.doi.org/10.6028/NIST.IR.7628r1.
[5] Sridhar S., Hahn A., Govindarasu M.: 'Cyber-physical system security for the electric power grid', Proc. IEEE, 2012, 100, (1), pp. 210-224 (doi: 10.1109/JPROC.2011.2165269).
[6] The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): 'Cyber-attack against Ukrainian critical infrastructure'. Alert (IR-ALERT-H-16-056-01), 2016. Available at url: https://www.ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
[7] A. D'Innocenzo, F. Smarra, M. Benedetto, Resilient stabilization of multi-hop control networks subject to malicious attacks, Automatica 71 (2016) 1-9.
[8] X. Guan, B. Yang, C. Chen, W. Dai, Y. Wang, A comprehensive overview of cyber-physical systems: from perspective of feedback system, IEEE/CAA J. Autom. Sin. 3 (1) (2016) 1-14.
[9] X.-M. Zhang, Q.-L. Han, A. Seuret, F. Gouaisbaut, An improved reciprocally convex inequality and an augmented Lyapunov-Krasovskii functional for stability of linear systems with time-varying delay, Automatica 84 (2017) 221-226.
[10] H. Zhang, P. Cheng, L. Shi, J. Chen, Optimal denial-of-service attack scheduling in cyber-physical systems, Technical Report, Zhejiang University, 2015. (Online). http://www.sensornet.cn/heng/HengestimationFull.pdf.
[11] Dutt, V., Ahn, Y. S., & Gonzalez, C.: Cyber situation awareness: modeling detection of cyber-attacks with instance-based learning theory. Human Factors: The Journal of the Human Factors and Ergonomics Society, 55(3), 605-618 (2013).
[12] D. Ding, Z. Wang, Q.-L. Han, G. Wei, Security control for a class of discrete-time stochastic nonlinear systems subject to deception attacks, IEEE Trans. Syst. Man Cybern. Syst., doi:10.1109/TSMC.2016.2616544.
[13] D. Ding, Z. Wang, D.W.C. Ho, G. Wei, Observer-based event-triggering consensus control for multi-agent systems with lossy sensors and cyber attacks, IEEE Trans. Cybern. 47 (8) (2017) 1936-1947.
[14] Sridhar, S., Govindarasu, M.: 'Model-based attack detection and mitigation for automatic generation control', IEEE Trans. Smart Grid, 2014, 5, (2), pp. 580-591.