Digital Twin-Based Cyber-Attack Detection Framework for Cyber-Physical Manufacturing Systems

Smart manufacturing (SM) systems utilize run-time data to improve productivity via intelligent decision-making and analysis mechanisms on both machine and system levels. The increased adoption of cyber-physical systems in SM leads to the comprehensive framework of cyber-physical manufacturing systems (CPMS) where data-enabled decision-making mechanisms are coupled with cyber-physical resources on the plant floor. Due to their cyber-physical nature, CPMS are susceptible to cyber-attacks that may cause harm to the manufacturing system, products, or even the human workers involved in this context. Therefore, detecting cyber-attacks efficiently and timely is a crucial step toward implementing and securing high-performance CPMS in practice. This paper addresses two key challenges to CPMS cyber-attack detection. The first challenge is distinguishing expected anomalies in the system from cyber-attacks. The second challenge is the identification of cyber-attacks during the transient response of CPMS due to closed-loop controllers. Digital twin (DT) technology emerges as a promising solution for providing additional insights into the physical process (twin) by leveraging run-time data, models, and analytics. In this work, we propose a DT framework for detecting cyber-attacks in CPMS during controlled transient behavior as well as expected anomalies of the physical process. We present a DT framework and provide details on structuring the architecture to support cyber-attack detection. Additionally, we present an experimental case study on off-the-shelf 3D printers to detect cyber-attacks utilizing the proposed DT framework to illustrate the effectiveness of our proposed approach.Note to Practitioners—This work is motivated by developing a general-purpose and extensible digital twin-enabled cyber-attack detection framework for manufacturing systems. Existing works in the field consider specialized attack scenarios and models that may not be extensible in practical manufacturing scenarios. We utilize digital twin (DT) technology as a key enabler to develop a systematic and extensible framework where we identify the abnormality of a resource and detect if the abnormality is due to an attack or an expected anomaly. We provide several remarks on how our proposed framework can extend existing industrial control systems (ICS) and can accommodate further extensions. The presented DTs utilize data-driven machine learning models, physics-based models, and subject matter expert knowledge to perform detection and differentiation tasks in the context of expected anomalies and model-based controllers that control the manufacturing process between multiple setpoints. We utilize a model predictive controller on an off-the-shelf 3D printer to run the process, and stage anomalies and cyber-attacks that are successfully detected by the proposed framework.


Introduction
• SMART manufacturing (SM) is an increasingly important paradigm that promotes the use of run-time and historical data collected via onboard and additional Internet of Things (IoT) sensing in the manufacturing system to derive decisions for the plant floor [1], [2], [3], [4].
• The decisions are implemented, often in run-time, on the resources in the manufacturing system to minimize disruptions, by integrating cyber and physical systems in modern manufacturing resources, allowing them to be reconfigurable and robust in response to disturbances.

Introduction
• Decision-making logic designed for the nominal conditions of a CPMS may underperform or fail to detect certain abnormalities in the system due to complex interdependencies between multiple resources in a manufacturing process [7], [8].

Introduction
• However, detecting cyber-attacks through traditional IT-based attack detection technology deployed on or in operational technology (OT) devices and environments can sometimes adversely impact OT performance or safety.Therefore, new and effective methods to monitor CPMS and detect cyber-attacks are required.
• Detecting cyber-attacks on CPMS is not a trivial task for several reasons.Systems routinely undergo faults and expected abnormalities, namely, physical degradation, anomalies.

Introduction
• A DT implementation consists of one or more compute resources as required to meet scalability, modularity, and maintainability requirements.
• Use of a single DT (i.e., one compute resource) for complex CPMS has been proposed [5], [12], [15] However, scalability, modularity, and maintainability of such solutions often becomes a challenge in practice.
• More recently, a framework of multiple DTs that utilize structured abstractions to improve scalability, flexibility, maintainability, and modularity of DT-based solutions has been proposed [2], [14], [16], which is the DT architecture adopted in this work.
• The DT framework presented here utilizes multiple compute resources to distribute different data collection and analysis tasks supporting the anomaly and cyber-attack detection processes in a flexible, modular, and reconfigurable fashion.
• As DTs themselves are software entities, they may also bring along the additional burden of vulnerabilities that could compromise the physical components through cyber-attacks.
• Traditional enterprise cybersecurity control implementations are not always possible or feasible within Industrial Control Systems (ICS) network environments and improper implementations can have unintended consequences [17].

Introduction
-Many of the afore mentioned methods on CPS and CPMS cybersecurity from the literature are often referred to as physics-based attack detection methods (see [28] for a detailed survey).
-Most notably, the majority of the existing literature considers the cyber-attack detection problem for a CPMS with no anomalies, which is often unrealistic in practical scenarios.Additionally, most existing methods in the literature rely on threshold-checking on the residual signals, which may underperform for controlled processes with setpoint changes during transients.We propose novel approaches to overcome these challenges in our proposed framework and methods.
• Recent work provides a methodology to detect and differentiate specific types of cyber-attacks from equipment failure [29].The method in [29] utilizes specific models and assumptions, which may be difficult to extend and scale for a general CPMS with various types of attacks.
• Therefore, there exists an opportunity to address the afore mentioned short comings and support both manufacturing and cybersecurity automation enhancements by leveraging common technological enablers such as DT and the Industrial Internet of Things (IIoT).
• Previous research, such as [30], demonstrates techniques to utilize Industry 4.0 technologies and methodologies such as IIoT, Industrial Internet of Services (IIoS), and DTs to create smart factories and establish "Knowledge as a Service" manufacturing processes to monitor product or service quality.
• Our research builds on the previous literature and investigates utilizing cybersecurity DT technology to monitor devices and processes for abnormal conditions that could be indicators of cybersecurity events in the context of runtime controller inputs and anomalies.
• These cybersecurity DTs could be implemented to support a passive/active hybrid approach to protect the ICS environment from advanced device-level risks.

Preliminaries and problem statement
• In this section, we first present definitions and background knowledge that will be useful in further discussions.Then, we formally state our problem in the context of the introduced formal concepts.

A. Classification of Abnormality Types
To address the challenge of cyber-attack detection for a CPMS, we first present a classification of anomalies, attacks, and faults in the context of the present work.
Figure 1 presents various types of attacks and anomalies for a CPMS resource.

Preliminaries and problem statement
Preliminaries and problem statement

B. Problem Statement
• The set of attacks depicted in Fig. 1 has three distinct sub-spaces; attacks that are not output measurable (e.g., sidechannel attacks), attacks that are output measurable but do not necessarily cause anomalies, and attacks that are output measurable and cause anomalies.
• Within the scope of this work, we are focusing on attacks that have output measurable effects on the system.Thus, the goal of our proposed DT is to detect the aforementioned output measurable attacks.
• Remark 1: Within the context of cyber-attacks on CPMS, we do not necessarily require malicious intent.For example, we consider a miscalibrated sensor as a nonmalicious attack.
• Additionally, we note that the physical system is a controlled CPMS resource, thus the operational characteristics of the system may be modified by a controller.This results in transient behavior and multiple setpoint references that must be analyzed in run-time to mitigate false-positives in attack detection.
• Remark 2: We note that our work differs from the past literature as we do not rely on a specific system model or analysis tool to provide our results.Instead, we present a general-purpose DT framework where data-driven and physics-based information about the CPMS may be utilized efficiently to detect cyber-attacks in an extensible and systematic manner.

PROPOSED DT-Based METHODOLOGY
• In this section, we present the proposed methodology to utilize DTs for attack detection in the context of anomalies and controllers in the system..We discuss how related methodologies from the literature can be implemented by the proposed DTs in our architecture.
A. Framwork Architecture • Figure 2 illustrates the architecture of the controlled CPS framework with the proposed DTs considered in this work.
• To avoid confusion of terminology, we use the term process instead of system in this section (e.g., a physical system is a physical process).

Proposed DT-based methobology
Proposed DT-based methobology -The physical process may be discrete or continuous depending on the application domain.The execution of discrete manufacturing processes is often considered in terms of runs where a single unit (or batch) is manufactured.We consider the data collected during the run as in-situ and the data collected after a run is completed as ex-situ (e.g., for post-process quality control).The framework architecture presented in Fig. 2  Proposed DT-based methobology • 1) Physical Process: We assume that the physical process (referred to as process for the rest of the paper) is a manufacturing process that has sensors in place to collect in-and ex-situ data and the measurements are available to the DTs in the framework for data analysis purposes in run-time as well as in the form of historical data through a database.A discretetime representation of the process is then given in a general form as

Proposed DT-based methobology
• An SME monitors the process through the DTs in the framework as illustrated in Fig. 2, and implements reconfigurations or changes to the process through a decisionmaker.
• We assume that a decision-maker exists in the framework without loss of generality.The decision-maker provides setpoint references r(t) for the process to track (in the sense that ||r(t) − y(t)|| is as small as possible in a suitable norm).
• While we assume that the process has the form in (1) for our further discussions and developments, systems of various forms and dynamics can be considered here (e.g., discrete event systems).Additionally, the process itself can be modeled as a separate DT to perform simulation-based analysis on the process.

Proposed DT-based methobology
• 2) Controller DT: The Controller DT houses the run-time controller with the control logic, as well as observers, process models, and simulation tools.The Controller DT employs various control methods and logic (e.g., feedback, feedforward, rule-based, hybrid, etc.) to regulate the process measurements y(t) toward the reference setpoints r(t) provided by the decision-maker.
• To perform state-based control, the Controller DT may incorporate various types of filters and estimators to estimate the current and future states of the process by using the measurements and information such as historical data, or model adaptation information provided by other DTs in the framework (e.g., models of the noises v(t) and w(t)).
• Control inputs u(t) ∈ U are implemented on the process, where U denotes an input constraint set.In practical implementations, there may be additional safety control loops that bypass the control input implementation (e.g., emergency stop switch for a robotic manipulator).

Proposed DT-based methobology
• 3) Feature DT: The Feature DT provides uniform data streams to the DTs in the framework to improve the interoperability of the framework.
• We assume that an SME defines the desired residual signals with specific features, and implements them as part of the Feature DT so that the residual information is shared with other DTs for further data analysis.Another important task of the Feature DT is to evaluate key process indicators (KPIs) for the process.
• Various types of KPIs include health indicators, performance indicators, and efficiency indicators [34], [36].Similarly, the Feature DT may be tasked to preprocess or partition large scale or high sampling-rate measurement data for another DT that performs statistical learning on the measurement data.

Proposed DT-based methobology
• 4) FD/AD DT: The FD/AD DT performs fault and anomaly detection on run-time data streams.Preliminary detection capabilities are included in most CPS for reliable run-time performance.
• Such detection mechanisms are considered as part of the FD/AD DT here.The FD/AD DT is usually built to perform threshold-based limit-checking on the physical process.
• The FD/AD DT may include safety monitoring and performance monitoring systems to detect anomalies and faults.
Proposed DT-based methobology -5) The Cybersecurity DT: The Cybersecurity DT provides predictions about attacks on the system in the context of anomalies and transient response of the controlled process.We assume that the Cybersecurity DT is designed by an SME knowledgeable on the cybersecurity of the process and we focus on attacks with output measurable effects as stated earlier.
-In the absence of such prior knowledge, historical data may be used to understand the normal system behavior initially.In this context, abnormalities can be recorded during operation and labeled as normal, anomalous, or attack data by an SME.If an SME or enough historical data is not available to initialize the framework, the proposed approaches may not be applicable.The Cybersecurity DT is a novel contribution of this work to distinguish cyber-attacks from expected anomalies for a controlled process, and we provide a detailed analysis of the Cybersecurity DT in later sections.
-6) SME Operator: The operator monitors the outputs of the FD/AD DT and the Cybersecurity DT to further analyze if the physical process has an anomaly or is under a cyber-attack.For this purpose, the DTs report their prediction quality and the features found in the data so that a human SME may further investigate any abnormalities.
• To mitigate false positives of the Detector DT during transients, we utilize the solution map of the process (1), φ : X ×U ∞ ×Z+ → X , where X is the state space of (1) and U ∞ is the space of sequential control inputs on (1).Given an initial state x(t0) and a control sequence u ∈ U ∞ over a time interval including the interval [t0, tc], we have where x(tc) is the state at time tc (i.e., the current state).
• Our motivation for the proposed abnormality detection method is to utilize the trained data boundaries B(D) during transient response.Roughly speaking, as B(D) is trained for the process at a given setpoint, we define a projection using φ to estimate state of the process at a previous setpoint given the transient observations (i.e., as the process moves away from the said setpoint) and the control inputs.If the process is normal, (i.e., no attacks or anomalies), the projected state should be within B(D).

The Cybersecurity DT
-Remark 4: Forward projections of the set B(D) for the transient control inputs can also be used for abnormality detection.However defining such projections may in general be computationally expensive as B(D) may be control and state dependent, and new computations are needed at each control step.Therefore, we focus on the proposed projection type method for abnormality detection in this work.
-Formally, the goal of the Detector DT during transients is to estimate the initial state x¯(t0) of the process at time t0 based on the observed sequence of states and control input u until the current time tc.Let us denote the model of the state progression as The Cybersecurity DT -Additionally, let x denote the sequence of estimated states of the process between the times [t0, tc].Then, the Detector DT solves the following minimization to estimate the initial state x¯(t0) by using the control input u and the state sequence x.
-where z is an intermediate variable for the notation.For a normal process (i.e., process outputs with ψ( y(t′)) ∈ B(D)), the solution of (4) is close (in the normed distance sense) to the actual initial state x(t0).
-. Therefore, the Detector DT evaluates the abnormality of the projected state x¯(t0) to evaluate the label η(ˆ tc) for the current state x(tc).Namely, if x¯(t0) ∈ B(D), then the current state x(tc) is predicted as normal by the Detector DT.

The Cybersecurity DT
-We omit a detailed background on STL and refer interested readers to [47].An STL formula π is formed by the following syntax: -where, ⊤ is logical true, p is a predicate, ¬π is the logical negation of the proposition π, πi ∧πj is the logical conjunction of two propositions, and πi U[a,b]πj is the until operator defined as the proposition πi being true at least until the proposition πj is true in the time interval [t +a, t +b], where t is the current time.
-A signal s(t) at time t is satisfied by a predicate p if ℓ(s(t)) > 0 for some function ℓ (i. e., s(t) |H p ⇐⇒ ℓ(s(t)) > 0).Here the operator |H is used to indicate that the condition on the left side satisfies the condition on the right side.Additionally, ⊥ = ¬⊤ is the logical false, the eventually operator is ♢[a,b]π ≜ ⊤ U[a,b]π, and the always operator is □[a,b]π ≜ ¬(♢[a,b]¬π ).