Coevolving Cybersecurity Adversaries for Industrial Control Systems in Failure-Prone Environments
Author(s)
Wicks, Kathryn
Advisor
O’Reilly, Una-May
Hemberg, Erik
Abstract
As industrial control systems become universally integrated with software and connected to the internet, they have become targets for cyberattacks and sabotage. Detecting cyberattacks on these networks is difficult because existing datasets on attacks are minimal and the bulk of intrusion detection systems are designed for enterprise environments rather than industrial environments. In industrial environments, mechanical failures, stress states, and electrical problems are expected, with repairs included in daily operations. In enterprise environments, such failures are rarer and, as a result, more high-impact. We investigate the extent to which this mismatch in the impact of physical stressor failures degrades the ability of traditional intrusion detection algorithms to perform in the industrial environment. In the sub-area that this thesis focuses on, power microgrids, such disturbances can come in the form of line-line faults, line-ground faults, lack of generation capacity to meet demand, and unintentional islanding, among many others. Microgrids must be resilient to these events, and this thesis investigates to what extent they currently are and whether they can be improved. Specifically, this thesis asks: do traditional IDSs cause false alarms when placed in a failure-prone environment? How do these intrusion detectors perform overall? Can they be improved with additional training? And finally, can intrusion detection systems be tricked by attacks which appear to be "benign" failure modes? This thesis answers these questions by comparing the performance of different anomaly detection methods on cyberattack datasets with varying levels of stressor complexity and severity, and finds that stress on an industrial system can degrade anomaly-based intrusion detector performance. Expanding on this idea, an attacker is then trained to adversarially mask a dataset, and a detector is co-evolved alongside it to detect the attacks. Finally, the coevolution is brought into the hardware-in-the-loop simulation environment, where attackers and defenders act in real time to change the state of a realistic microgrid simulation. From these experiments, it is found that attackers can leverage grid disturbances to hide their actions, and that accurate real-time simulations are highly useful for identifying vulnerabilities in a cyber-physical system.
Date issued
2023-06
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology