
Graduate student: Chia-Wei Tsou (鄒佳偉)
Thesis title: False Data Injection Attacks Detection on Industrial Control Systems
Advisors: Yi-Wei Ma (馬奕葳), Jiann-Liang Chen (陳俊良)
Oral defense committee: Chih-Heng Ke (柯志亨), Yong-Sheng Chen (陳永昇), Bi-Huang Li (黎碧煌), Yi-Wei Ma (馬奕葳), Jiann-Liang Chen (陳俊良)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Year of publication: 2023
Academic year of graduation: 111
Language: English
Number of pages: 46
Keywords: Industrial Control System, Cyber Security, False Data Injection Attack, Attack Detection
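  • As incidents in which attacks on Industrial Control Systems (ICS) cause serious harm become more frequent, the cyber security of ICS is receiving more and more attention. This study therefore improves the existing active detection mechanism and proposes a hybrid passive-active detection system to detect False Data Injection Attacks (FDIA) against ICS. Because FDIA is not easy to detect in current operational practice, the proposed method not only detects attacks by comparing passively received system data against predefined rules, but also launches active detection by controlling actuators to uncover the attacker, so that FDIA launched against ICS is detected completely. Unlike other studies, this study dynamically adjusts the frequency of launching active detection according to risk, in order to reduce the impact on operational efficiency when risk is low and to shorten the time needed to detect an attack when risk is high. The experimental results show that, with the proposed system, the detection rate reaches 99.9% when the false data differs from the real data by 10%, which is 22.5% higher than the method that launches active detection randomly; it reaches 95.4% when the false data differs from the real data by 5%, which is 18.2% higher than the method that launches active detection randomly; and even when the false data differs from the real data by only 3%, it still reaches 92.9%, which is 16.5% higher than the method that launches active detection randomly.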


    As attacks on Industrial Control Systems (ICS) cause significant damage more and more often, the cyber security of ICS is receiving increasing attention. This study improves existing active detection mechanisms and proposes an integrated passive-active detection system to detect False Data Injection Attacks (FDIA) targeting ICS. Since FDIA is challenging to detect in current operational practice, the method presented in this research not only compares passively received system data with predefined rules to detect attacks, but also launches active detection by controlling actuators to find attackers, achieving comprehensive detection of FDIA targeting ICS. Unlike other studies, this research dynamically adjusts the frequency of launching active detection through risk assessment, aiming to minimize the impact on operational efficiency during low-risk periods and to reduce the time required to detect attacks during high-risk periods. The experimental results show that, with the proposed system, the detection rate reaches 99.9% when false data differs from real data by 10%, which is 22.5% higher than the method that launches active detection randomly. When false data differs from real data by 5%, the detection rate reaches 95.4%, which is 18.2% higher than the random-launch method. Even when false data differs from real data by only 3%, the detection rate reaches 92.9%, which is 16.5% higher than the random-launch method.

    Abstract (Chinese)
    Abstract
    Acknowledgment
    List of Figures
    List of Tables
    Chapter 1 Introduction
        1.1 Motivation
        1.2 Contribution
        1.3 Chapter Structure
    Chapter 2 Background and Related Work
        2.1 Background
            2.1.1 Industrial Control System (ICS)
            2.1.2 False Data Injection Attack (FDIA)
            2.1.3 National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
            2.1.4 Passive Detect
            2.1.5 Active Detect
        2.2 Related Work
    Chapter 3 Proposed System Architecture
        3.1 Assumption
        3.2 Basis Layer
            3.2.1 Communication Module
            3.2.2 Monitor Module
            3.2.3 Logging Module
            3.2.4 System Information Module
            3.2.5 Domain Knowledge Module
        3.3 Detect Layer
            3.3.1 Passive Detect Module
            3.3.2 Active Detect Module
        3.4 Mark Layer
            3.4.1 Attack Device Mark Module
            3.4.2 Affected Degree Mark Module
    Chapter 4 Performance Analysis
        4.1 Scenario
        4.2 Experimental Parameters
        4.3 Experimental Analysis and Verification
    Chapter 5 Conclusion and Future Works
        5.1 Conclusion
        5.2 Future Works
    Reference

