Full Text:   <1969>

Summary:  <10>

CLC number: TP316.4

On-line Access: 2022-04-20

Received: 2020-10-13

Revision Accepted: 2022-05-04

Crosschecked: 2021-01-21

Cited: 0

Clicked: 3878

Citations:  Bibtex RefMan EndNote GB/T7714




Qiang WEI


-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2022 Vol.23 No.4 P.587-603


Detection and localization of cyber attacks on water treatment systems: an entropy-based approach

Author(s):  Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, Qiang WEI

Affiliation(s):  State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; more

Corresponding email(s):   bendawang@gmail.com, csewmf@zju.edu.cn, rongkuan233@gmail.com, zhangzhenyong@zju.edu.cn, funnywei@163.com

Key Words:  Industrial cyber-physical system, Water treatment system, Intrusion detection, Abnormal state, Detection and localization, Information theory

Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, Qiang WEI. Detection and localization of cyber attacks on water treatment systems: an entropy-based approach[J]. Frontiers of Information Technology & Electronic Engineering, 2022, 23(4): 587-603.

@article{title="Detection and localization of cyber attacks on water treatment systems: an entropy-based approach",
author="Ke LIU, Mufeng WANG, Rongkuan MA, Zhenyong ZHANG, Qiang WEI",
journal="Frontiers of Information Technology & Electronic Engineering",
publisher="Zhejiang University Press & Springer",

%0 Journal Article
%T Detection and localization of cyber attacks on water treatment systems: an entropy-based approach
%A Mufeng WANG
%A Rongkuan MA
%A Zhenyong ZHANG
%A Qiang WEI
%J Frontiers of Information Technology & Electronic Engineering
%V 23
%N 4
%P 587-603
%@ 2095-9184
%D 2022
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.2000546

T1 - Detection and localization of cyber attacks on water treatment systems: an entropy-based approach
A1 - Ke LIU
A1 - Mufeng WANG
A1 - Rongkuan MA
A1 - Zhenyong ZHANG
A1 - Qiang WEI
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 23
IS - 4
SP - 587
EP - 603
%@ 2095-9184
Y1 - 2022
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.2000546

With the advent of Industry 4.0, water treatment systems (WTSs) are recognized as typical industrial cyber-physical systems (iCPSs) that are connected to the open Internet. Advanced information technology (IT) benefits the WTS in the aspects of reliability, efficiency, and economy. However, the vulnerabilities exposed in the communication and control infrastructure on the cyber side make WTSs prone to cyber attacks. The traditional IT system oriented defense mechanisms cannot be directly applied in safety-critical WTSs because the availability and real-time requirements are of great importance. In this paper, we propose an entropy-based intrusion detection (EBID) method to thwart cyber attacks against widely used controllers (e.g., programmable logic controllers) in WTSs to address this issue. Because of the varied WTS operating conditions, there is a high false-positive rate with a static threshold for detection. Therefore, we propose a dynamic threshold adjustment mechanism to improve the performance of EBID. To validate the performance of the proposed approaches, we built a high-fidelity WTS testbed with more than 50 measurement points. We conducted experiments under two attack scenarios with a total of 36 attacks, showing that the proposed methods achieved a detection rate of 97.22% and a false alarm rate of 1.67%.




Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article


[1]Barbosa RRR, Sadre R, Pras A, 2012. Towards periodicity based anomaly detection in SCADA networks. Proc 17th IEEE Int Conf on Emerging Technologies & Factory Automation, p.1-4.

[2]Bereziński P, Jasiul B, Szpyrka M, 2015. An entropy-based network anomaly detection method. Entropy, 17(4):2367-2408.

[3]Carcano A, Coletta A, Guglielmi M, et al., 2011. A multi-dimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Trans Ind Inform, 7(2):179-186.

[4]Cover TM, Thomas JA, 2012. Elements of Information Theory. John Wiley & Sons, New York, USA, p.250-252.

[5]Farwell JP, Rohozinski R, 2011. Stuxnet and the future of cyber war. Survival, 53(1):23-40.

[6]Feng C, Reddy Palleti V, Mathur A, et al., 2019. A systematic framework to generate invariants for anomaly detection in industrial control systems. Proc Network and Distributed Systems Security Symp, p.1-22.

[7]Formby D, Srinivasan P, Leonard A, et al., 2016. Who's in control of your control system? Device fingerprinting for cyber-physical systems. Proc Network and Distributed Systems Security Symp, p.1-15.

[8]Fovino IN, Coletta A, Carcano A, et al., 2012. Critical state-based filtering system for securing SCADA network protocols. IEEE Trans Ind Electron, 59(10):3943-3950.

[9]Geng YY, Wang Y, Liu WW, et al., 2019. A survey of industrial control system testbeds. IOP Conf Ser Mater Sci Eng, 569(4):042030.

[10]Goldenberg N, Wool A, 2013. Accurate modeling of Modbus/ TCP for intrusion detection in SCADA systems. Int J Crit Infrastruct Protect, 6(2):63-75.

[11]Hadeli H, Schierholz R, Braendle M, et al., 2009. Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration. Proc IEEE Conf on Emerging Technologies & Factory Automation, p.1-8.

[12]Hu Y, Li H, Luan TH, et al., 2020. Detecting stealthy attacks on industrial control systems using a permutation entropy-based method. Fut Gener Comput Syst, 108:1230-1240.

[13]ICS-CERT, 2016. ICS-CERT Annual Assessment Report. Technical Report. NCCIC/ICS-CERT, Washington DC, USA.

[14]Kaspersky ICS CERT, 2019. Threat Landscape for Industrial Automation Systems. H2 2018. Kaspersky. Available from https://ics-cert.kaspersky.com/publications/reports/2019/03/27/threat-landscape-for-industrial-automation-systems-h2-2018/ [Accessed on Jan. 1, 2021].

[15]Kaspersky ICS CERT, 2020a. Targeted Attacks on Israeli Water Supply and Wastewater Treatment Facilities. Available from https://ics-cert.kaspersky.com/news/2020/04/29/israel-water-cyberattacks/ [Accessed on Jan. 1, 2021].

[16]Kaspersky ICS CERT, 2020b. Threat Landscape for Industrial Automation Systems. Vulnerabilities Identified in 2019. Kaspersky. Available from https://ics-cert.kaspersky.com/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-vulnerabilities-identified-in-2019/ [Accessed on Jan. 1, 2021].

[17]Khraisat A, Gondal I, Vamplew P, et al., 2019. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2:20.

[18]Kleinmann A, Wool A, 2014. Accurate modeling of the Siemens S7 SCADA protocol for intrusion detection and digital forensics. J Dig Forens Secur Law, 9(2):37-50.

[19]Lee R, Slowik J, Miller B, et al., 2017. Industroyer/ Crashoverride: Zero Things Cool about a Threat Group Targeting the Power Grid. Technical Report. Black Hat, USA.

[20]Lin H, Slagell A, di Martino C, et al., 2013. Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol. Proc 8th Annual Cyber Security and Information Intelligence Research Workshop, p.1-4.

[21]Linda O, Manic M, Vollmer T, et al., 2011a. Fuzzy logic based anomaly detection for embedded network security cyber sensor. Proc IEEE Symp on Computational Intelligence in Cyber Security, p.202-209.

[22]Linda O, Manic M, Alves-Foss J, et al., 2011b. Towards resilient critical infrastructures: application of type-2 fuzzy logic in embedded network security cyber sensor. Proc 4th Int Symp on Resilient Control Systems, p.26-32.

[23]Ma RK, Cheng P, Zhang ZY, et al., 2019. Stealthy attack against redundant controller architecture of industrial cyber-physical system. IEEE Int Things J, 6(6):9783-9793.

[24]Maglaras LA, Jiang JM, 2014. Intrusion detection in SCADA systems using machine learning techniques. Proc Science and Information Conf, p.626-631.

[25]Mathur AP, Tippenhauer NO, 2016. SWaT: a water treatment testbed for research and training on ICS security. Proc Int Workshop on Cyber-Physical Systems for Smart Water Networks, p.31-36.

[26]Morris T, Vaughn R, Dandass Y, 2012. A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems. Proc 45th IEEE Hawaii Int Conf on System Sciences, p.2338-2345.

[27]Navaz ASS, Sangeetha V, Prabhadevi C, 2013. Entropy based anomaly detection system to prevent DDoS attacks in cloud. Int J Comput Appl, 62(15):42-47.

[28]Nelson T, Chaffin M, 2011. Common Cybersecurity Vulnerabilities in Industrial Control Systems. Technical Report. The U.S. Department of Homeland Security (DHS) National Cyber Security Division, Washington DC, USA.

[29]Ponomarev S, Atkison T, 2016. Industrial control system network intrusion detection by telemetry analysis. IEEE Trans Depend Sec Comput, 13(2):252-260.

[30]Qian Q, Che HY, Zhang R, 2009. Entropy based method for network anomaly detection. Proc 15th IEEE Pacific Rim Int Symp on Dependable Computing, p.189-191.

[31]Sample C, Schaffer K, 2013. An overview of anomaly detection. IT Prof, 15(1):8-11.

[32]SecurityWeek, 2016. Attackers Alter Water Treatment Systems in Utility Hack: Report. Available from https://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report [Accessed on Jan. 1, 2021].

[33]Song ZW, Liu ZH, 2019. Abnormal detection method of industrial control system based on behavior model. Comput Secur, 84:166-178.

[34]Stouffer K, Pillitteri V, Lightman S, et al., 2011. Guide to Industrial Control Systems (ICSs) Security. NIST Special Publication 800-82.

[35]Tate RF, 1954. Correlation between a discrete and a continuous variable. Point-biserial correlation. Ann Math Stat, 25(3):603-607.

[36]Ten CW, Manimaran G, Liu CC, 2010. Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern A, 40(4):853-865.

[37]Terai A, Abe S, Kojima S, et al., 2017. Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile. Proc IEEE European Symp on Security and Privacy Workshops, p.132-138.

[38]The Wall Street Journal's San Francisco Bureau, 2015. Iranian Hackers Infiltrated New York Dam in 2013. Available from https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559 [Accessed on Jan. 1, 2021].

[39]Vollmer T, Manic M, 2009. Computationally efficient neural network intrusion security awareness. Proc 2nd Int Symp on Resilient Control Systems, p.25-30.

[40]Vollmer T, Alves-Foss J, Manic M, 2011. Autonomous rule creation for intrusion detection. Proc IEEE Symp on Computational Intelligence in Cyber Security, p.1-8.

[41]Walton B, 2016. Water Sector Prepares for Cyberattacks. Available from https://www.circleofblue.org/2016/world/water-sector-prepares-cyberattacks [Accessed on Jan. 1, 2021].

[42]Wang YS, Fan KF, Lai YX, et al., 2017. Intrusion detection of industrial control system based on Modbus TCP protocol. Proc 13th IEEE Int Symp on Autonomous Decentralized System, p.156-162.

[43]Wikipedia, 2020a. Critical Infrastructure. Available from https://en.wikipedia.org/wiki/Critical_infrastructure [Accessed on Jan. 1, 2021].

[44]Wikipedia, 2020b. Water Treatment. Available from https://en.wikipedia.org/wiki/Water_treatment [Accessed on Jan. 1, 2021].

[45]Yu W, Wang X, Xuan D, et al., 2006. Effective detection of active worms with varying scan rate. Proc Securecomm and Workshops, p.1-10.

[46]Zhang F, Kodituwakku HADE, Hines JW, et al., 2019. Multi-layer data-driven cyber-attack detection system for industrial control systems based on network, system, and process data. IEEE Trans Ind Inform, 15(7):4362-4369.

Open peer comments: Debate/Discuss/Question/Opinion


Please provide your name, email address and a comment

Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - 2022 Journal of Zhejiang University-SCIENCE