1. Introduction
Industrial control systems (ICSs) are computer-based systems that manage and supervise production, energy generation, water and wastewater management, transportation, and other critical infrastructure. ICSs have various components, such as process control systems (PCS) and distributed control systems (DCS), and ensure centralized monitoring and control, like supervisory control and data acquisition (SCADA) systems.
Cyberattacks on industrial control systems can seriously disrupt critical infrastructure, compromise safety systems, and cause significant financial losses. Deception techniques in cybersecurity refer to methods used to mislead attackers or manipulate their actions. These techniques can include honeypots (luring attackers into a controlled environment), honeytokens (placing false or decoy data that trigger an alert when accessed), or even disinformation campaigns to confuse potential attackers.
However, it is crucial to note that engagement in deceptive practices should be performed ethically and legally. Organizations should consult cybersecurity professionals and adhere to legal requirements or regulations when implementing such measures.
Additionally, while deception can be a valuable tool in defending against cyberthreats, relying on something other than these tactics is essential. Robust security measures, such as network segmentation, access controls, regular vulnerability assessments, employee training programs, and incident response plans, are essential in maintaining industrial control systems’ security. On the one hand, the complexity and diversity of industrial control systems make traditional methods of detecting and preventing cyberattacks inadequate. On the other hand, cyberattackers are constantly developing more advanced and sophisticated attack techniques, which further increases the cybersecurity risks of ICSs.
Software security updates using deception to influence attacker decision-making and exploit generation are called deceptive patches. One standard method of deception is using decoy systems or honeypots within the ICS environment. These decoy systems are designed to mimic fundamental components of the control system, such as SCADA devices or PLCs, but are isolated from critical operations. When an attacker interacts with these deceptive elements, it provides security teams with valuable insights into their tactics and motivations. By implementing deception, organizations can create an additional layer of defense to mislead and confuse potential attackers. It is possible to apply deception to software security patches to impact attackers’ decision-making process. Traditional software security patches can help the exploit generation process. Therefore, it is essential to create and analyze solutions regarding how deception can be applied to software patches as part of a defense strategy to help protect the patches and the programs that they spread from attacks.
In recent years, digitalization and Industry 4.0 transformation have made industrial control systems more vulnerable to cyberattacks [
1]. Therefore, it is vital to consider and develop cybersecurity measures.
The study in [
2] focuses on examining adversarial samples, which are used to mislead machine learning models. Adversarial samples represent specifically designed inputs that cause a model to produce erroneous predictions when classifying. Such samples can lead to security vulnerabilities and the inability of models to deal with real-world data successfully. In the mentioned paper, adversarial training also involves using adversarial samples in the model’s training process. Thus, the model learns to deal with adversarial samples, increasing the classification success.
Deceptive virtual hosts enhance cyber–physical system security in industrial control networks [
3]. The referenced study stresses the importance of research and development in this field, suggesting that deceptive virtual hosts can contribute significantly to the cybersecurity of industrial control networks.
Probability-based models can assess the effectiveness and performance of cyberdeception techniques, which may help to make them more efficient and secure [
4]. Probability models can be employed to predict the success rates of cyberdeception techniques, the probability of detection, and how attackers will react to these techniques; thus, cyberdeception strategies can be better optimized, and cyberdefense mechanisms can be strengthened.
Combining mobile target defense and cyberdeception techniques effectively prevents cyberattacks on IoT systems and increases their security [
5]. This approach will likely reduce attackers’ success and enable cybersecurity teams to react to threats more quickly and effectively.
Cyberdeception technologies, particularly honeypots and honeytokens, can be used in hybrid cyberdefense strategies. How can these technologies increase cybersecurity? Researchers argue that such technologies will help to strengthen cybersecurity by misleading cyberattackers, denying them access to natural systems and data, and providing valuable intelligence to understand attackers’ real intentions and abilities [
6].
A study [
7] examines the possibility of stealthy cyberattacks toward an IDS involving function code attacks, injection attacks, and reconnaissance attacks, improving its robustness to adversarial attacks. The results show that the detector’s robustness to adversarial samples increases after training on a mixture of the original dataset and newly produced samples.
A timeline analysis of the effect of deceptive patches is presented, and, finally, a formal model of deceptive patches investigating the theoretical security of deceptive patches is analyzed. A framework employing the traditional software patching lifecycle is introduced, and the following steps are added to generate different versions of the released patches. The metrics that trigger the release of the diversified patches in question are discussed [
8].
The study in [
9] suggests GRN, an interpretable multivariate time series anomaly detection method based on neural graph networks and gated recurrent units (GRUs). GRN can automatically learn the possible correlations between sensors from multidimensional industrial control time series data. The experimental findings show that the model is more interpretable and provides more effective solutions.
The proposed approach in [
10] combines a structure learning approach with graph neural networks and utilizes attention weights to ensure explainability for the anomalies detected. The experiments conducted on two real-world sensor datasets with ground truth anomalies demonstrate that the method detects anomalies more accurately than baseline approaches.
The current research aims to divert attention from fundamental system components and security vulnerabilities by giving false or misleading information to attackers, thus preventing them from using industrial control systems (ICSs) as a proactive defense mechanism against cybersecurity vulnerabilities in such systems. Furthermore, it proposes an artificial intelligence-based hybrid model to ensure cybersecurity in industrial control systems. The model is innovative in combining deceptive patch and window size manipulation techniques.
The present study aims to integrate and examine deceptive patch solutions with window size manipulation and adversarial training methods to increase cybersecurity in industrial control systems. Adversarial training is a method developed to detect and prevent cyberattacks against artificial neural networks and is thought to strengthen cybersecurity in ICSs when combined with deceptive patch solutions. In general, the purpose of deception patches in protecting ICSs is to provide an additional layer of defense against cyberattacks by deceiving attackers and providing an early warning of a potential attack. This paper first mentions the types of cyberattacks and vulnerabilities for industrial control systems. Then, it focuses on how adversarial training and deceptive patch solutions can be applied in industrial control systems and window size manipulation. Finally, trials and evaluations are performed on the ICS dataset to assess the effectiveness of this integrated approach. Deceptive patching technology increases security by changing the attack surface in a system and making it more challenging for an attacker to perform an attack successfully. Window size manipulation changes how network protocols function, making it more difficult for an attacker to observe and analyze the network traffic. Combining these two techniques enables the analysis of large datasets to detect and respond to potential attacks, preventing attacks from succeeding and disrupting the attacker’s strategy.
This paper explains in detail how the suggested artificial intelligence-based hybrid model functions, how it is implemented, and the consequences. Moreover, it discusses what this model means for future cybersecurity strategies and the roadmap that it presents for further research and development.
The present study, which explains how deceptive patch solutions can be integrated with window size manipulation to increase cybersecurity in ICSs with the adversarial training method, is a significant step toward the better understanding and application of methods to create an effective cybersecurity strategy for industrial control systems.
A summary of the novelties and contributions of the present study is presented below:
Analyzing the suitability of deceptive patching techniques for industrial control systems, developing novel methods, and optimizing the current methods;
Warning system administrators about the presence of an attacker in the system with the early detection of attacks by assessing the effectiveness and performance of the methods developed;
Reducing the risk of system damage by diverting attackers’ attention from fundamental system components and security vulnerabilities and decreasing the risk of critical infrastructure damage;
Developing deceptive patching strategies for industrial control systems and applying dynamic and adaptive deception techniques;
Ensuring real-time threat analysis and response capabilities for system security, analyzing aggressive behavior patterns specific to industrial control systems, and optimizing the deceptive patching strategies with these models.
Our study is organized as follows.
Section 2 presents the background.
Section 3 describes the methods employed.
Section 4 addresses the suggested approach. The experiments and their outcomes are presented in
Section 5. Finally, the conclusions and future research are given in
Section 6.
2. Background
Industrial control systems (ICSs) are widely integrated into our lives nowadays. They ensure that the most critical infrastructure and processes are managed more efficiently. Gas, water, manufacturing, power distribution, and transportation are ICS-dependent to ensure the daily functioning of their processes. This section briefly mentions the types of attacks on critical infrastructure, shedding light on the increasing cyberthreats to ICS devices.
2.1. Attack Types
Spyware is utilized to sabotage ICSs by infiltrating them, manipulating transactions, or accessing sensitive data. Stuxnet is a famous example of spyware designed against Iran’s nuclear facilities in 2010, which disrupted the facility’s operation by changing the speed of centrifuges. In addition, Night Dragon (2010) attackers utilized sophisticated malware to target global energy, oil, and petrochemical companies. In the Duqu/Flame/Gauss (2011) incident, highly developed and sophisticated malware was utilized to target particular organizations, such as ICS producers. In the Shamoon (2012) incident, the malware was utilized to target large energy companies in the Middle East, including RasGas and Saudi Aramco. Havex (2013) is an example of an ICS-focused malware campaign [
11].
A distributed denial of service (DDoS) attack represents a malicious attempt to sabotage a network due to overwhelming its capability to process legitimate requests and traffic. Consecutively, the activity mentioned above denies the victim of service, which leads to expensive setbacks and downtime. A DDoS attack represents a network-based attack, which utilizes network-based internet services, e.g., domain name service (DNS), routers, and network time protocol (NTP). It aims to disrupt network devices connecting the organization to the internet. Load balancers, routers (traditional WAN and ISP edge routers), and firewalls can be listed among these devices.
A significant number of security vulnerabilities in ICSs are caused by human errors such as misconfigurations, outdated software, and user errors. Moreover, malicious insiders can also damage ICSs
Social engineering attacks target human vulnerabilities, defrauding users and causing information leaks. Such attacks are realized especially with phishing and spear phishing attacks via e-mail.
A zero-day attack represents a software vulnerability that attackers use before the vendor realizes it. In this case, there is no patch; therefore, attackers can use the vulnerability easily since they know that defense is absent, which transforms zero-day vulnerabilities into a significant security threat. Such attacks can be used to damage ICSs.
Advanced persistent threats (APTs), which are long-term, targeted, and sophisticated attacks, aim to infiltrate ICSs, gather intelligence from inside systems, and manipulate the infrastructure. MITM attacks are performed to modify, hack, or spoof data in communication channels. These attacks can be utilized to manipulate command and control messages to ICSs.
2.2. Cyberattack History for Industrial Control Systems
ICSs have been integrated into modern life, ensuring that the most essential processes and infrastructure are managed more efficiently. Gas, water, manufacturing, transportation, and power distribution are ICS-dependent, keeping their processes functioning daily.
Table 1 summarizes studies on cybersecurity in ICSs, categorized according to the features of their security problems.