How to Implement Cyber Physical Security in OMNeT++

To implement the Cyber-Physical Security in OMNeT++, we have to simulate a system that has protecting mechanisms in which the physical processes are controlled or observed by computational elements. It is typically used in Industrial Control Systems (ICS), Smart Grids, and Internet of Things (IoT) networks. Below, we offered the steps to implement this in OMNeT++:

Step-by-Step Implementation:

1. Define the Network Topology

First, we have to describe the network topology that contains cyber-physical components like sensors, actuators, controllers, and a central control server. These components will communicate with each other and with security mechanisms like firewalls, IDS, and secure communication channels.

network CyberPhysicalNetwork

{

submodules:

sensor1: StandardHost {

@display(“p=100,100”);

}

sensor2: StandardHost {

@display(“p=100,200”);

}

actuator1: StandardHost {

@display(“p=300,100”);

}

actuator2: StandardHost {

@display(“p=300,200”);

}

controller: StandardHost {

@display(“p=500,150”);

}

firewall: FirewallModule {

@display(“p=200,150”);

}

ids: IDSModule {

@display(“p=400,150”);

}

controlServer: SecureControlServerModule {

@display(“p=700,150”);

}

connections:

sensor1.ethg++ <–> Eth100M <–> firewall.in++;

sensor2.ethg++ <–> Eth100M <–> firewall.in++;

firewall.out++ <–> ids.in++;

ids.out++ <–> controller.ethg++;

controller.ethg++ <–> Eth100M <–> actuator1.ethg++;

controller.ethg++ <–> Eth100M <–> actuator2.ethg++;

controller.ethg++ <–> Eth100M <–> controlServer.ethg++;

}

2. Implement the Firewall Module

The firewall module will filter traffic amongst sensors, actuators, and the controller, ensuring only authorize communications are allowed.

Firewall Module

// FirewallModule.cc

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include “inet/networklayer/ipv4/Ipv4Header_m.h”

using namespace omnetpp;

using namespace inet;

class FirewallModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

bool isAllowed(Packet *packet);

};

Define_Module(FirewallModule);

void FirewallModule::initialize()

{

EV << “Firewall Module Initialized” << endl;

}

void FirewallModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

if (isAllowed(packet)) {

send(packet, “out”);

} else {

EV << “Packet dropped by firewall.” << endl;

delete packet;

}

}

}

bool FirewallModule::isAllowed(Packet *packet)

{

const auto& networkHeader = packet->peekAtFront<Ipv4Header>();

std::string source = networkHeader->getSrcAddress().str();

std::string destination = networkHeader->getDestAddress().str();

// Example: Allow only specific sensor-to-controller and controller-to-actuator communications

if ((source == “192.168.1.10” && destination == “192.168.1.30”) ||

(source == “192.168.1.30” && destination == “192.168.1.40”)) {

return true; // Allow traffic

}

return false; // Block all other traffic

}

3. Implement the Intrusion Detection System (IDS) Module

The IDS module will observe for abnormal behavior or unauthorized access, particularly vital in identifying cyber-attacks targeting physical processes.

IDS Module

// IDSModule.cc

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include “inet/networklayer/ipv4/Ipv4Header_m.h”

using namespace omnetpp;

using namespace inet;

class IDSModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

void detectIntrusion(Packet *packet);

void logSecurityEvent(const std::string &event);

};

Define_Module(IDSModule);

void IDSModule::initialize()

{

EV << “IDS Module Initialized” << endl;

}

void IDSModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

detectIntrusion(packet);

send(msg, “out”);

}

}

void IDSModule::detectIntrusion(Packet *packet)

{

const auto& networkHeader = packet->peekAtFront<Ipv4Header>();

std::string source = networkHeader->getSrcAddress().str();

std::string destination = networkHeader->getDestAddress().str();

// Example: Detect suspicious or unauthorized communications

if (source == “192.168.1.50” || destination == “192.168.1.50”) {

logSecurityEvent(“Suspicious communication detected from ” + source + ” to ” + destination);

}

}

void IDSModule::logSecurityEvent(const std::string &event)

{

EV << “IDS Event: ” << event << endl;

// Additional logging to files or alerts can be implemented here

}

4. Implement Secure Communication and Control

The control server should use secure communication protocols to communicate with the physical components, making sure the integrity and privacy of commands and data.

Secure Control Server Module

// SecureControlServerModule.cc

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include <string>

#include <openssl/evp.h>

#include <openssl/aes.h>

using namespace omnetpp;

using namespace inet;

class SecureControlServerModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

std::string encryptData(const std::string &data);

std::string decryptData(const std::string &data);

void processSecureCommand(Packet *packet);

};

Define_Module(SecureControlServerModule);

void SecureControlServerModule::initialize()

{

EV << “Secure Control Server Initialized” << endl;

}

void SecureControlServerModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

const auto& payload = packet->peekData();

std::string data(payload->str());

std::string decryptedData = decryptData(data);

EV << “Data decrypted: ” << decryptedData << endl;

processSecureCommand(packet);

}

}

std::string SecureControlServerModule::encryptData(const std::string &data)

{

unsigned char key[16] = “controlkey123456”;

unsigned char iv[16] = “initialvector12”;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();

EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);

unsigned char encrypted[1024];

int len;

EVP_EncryptUpdate(ctx, encrypted, &len, (unsigned char*)data.c_str(), data.length());

int ciphertext_len = len;

EVP_EncryptFinal_ex(ctx, encrypted + len, &len);

ciphertext_len += len;

EVP_CIPHER_CTX_free(ctx);

return std::string((char*)encrypted, ciphertext_len);

}

std::string SecureControlServerModule::decryptData(const std::string &data)

{

unsigned char key[16] = “controlkey123456”;

unsigned char iv[16] = “initialvector12”;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();

EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);

unsigned char decrypted[1024];

int len;

EVP_DecryptUpdate(ctx, decrypted, &len, (unsigned char*)data.c_str(), data.length());

int plaintext_len = len;

EVP_DecryptFinal_ex(ctx, decrypted + len, &len);

plaintext_len += len;

EVP_CIPHER_CTX_free(ctx);

return std::string((char*)decrypted, plaintext_len);

}

void SecureControlServerModule::processSecureCommand(Packet *packet)

{

// Process the command securely (e.g., control a physical process)

EV << “Secure command processed: ” << packet->str() << endl;

}

5. Implement Cyber-Physical Attack Simulation

Simulate potential cyber-physical attacks like spoofing sensor data, sending malicious commands to actuators, or trying to take control of the system.

Attack Simulation Module

// CyberPhysicalAttackModule.cc

#include <omnetpp.h>

#include “inet/applications/tcpapp/TcpAppBase.h”

using namespace omnetpp;

using namespace inet;

class CyberPhysicalAttackModule : public TcpAppBase

{

protected:

virtual void initialize(int stage) override;

virtual void handleMessageWhenUp(cMessage *msg) override;

void simulateSensorSpoofing();

void simulateMaliciousCommand();

};

Define_Module(CyberPhysicalAttackModule);

void CyberPhysicalAttackModule::initialize(int stage)

{

TcpAppBase::initialize(stage);

if (stage == inet::INITSTAGE_APPLICATION_LAYER) {

scheduleAt(simTime() + 2, new cMessage(“simulateSensorSpoofing”));

scheduleAt(simTime() + 4, new cMessage(“simulateMaliciousCommand”));

}

}

void CyberPhysicalAttackModule::handleMessageWhenUp(cMessage *msg)

{

if (strcmp(msg->getName(), “simulateSensorSpoofing”) == 0) {

simulateSensorSpoofing();

delete msg;

} else if (strcmp(msg->getName(), “simulateMaliciousCommand”) == 0) {

simulateMaliciousCommand();

delete msg;

} else {

TcpAppBase::handleMessageWhenUp(msg);

}

}

void CyberPhysicalAttackModule::simulateSensorSpoofing()

{

EV << “Simulating sensor data spoofing…” << endl;

sendRequest(“GET /sensor_data HTTP/1.1\r\nHost: controller\r\n\r\nFake sensor data”);

}

void CyberPhysicalAttackModule::simulateMaliciousCommand()

{

EV << “Simulating malicious command to actuator…” << endl;

sendRequest(“POST /actuate HTTP/1.1\r\nHost: controller\r\n\r\nCommand=shutdown”);

}

6. Integrate the Cyber-Physical Modules

Generate a comprehensive simulation of cyber-physical security by incorporating the firewall, IDS, secure control server, and attack simulation modules into the network.

network CyberPhysicalNetwork

{

submodules:

sensor1: StandardHost {

@display(“p=100,100”);

}

sensor2: StandardHost {

@display(“p=100,200”);

}

actuator1: StandardHost {

@display(“p=300,100”);

}

actuator2: StandardHost {

@display(“p=300,200”);

}

controller: StandardHost {

@display(“p=500,150”);

}

firewall: FirewallModule {

@display(“p=200,150”);

}

ids: IDSModule {

@display(“p=400,150”);

}

controlServer: SecureControlServerModule {

@display(“p=700,150”);

}

attacker: CyberPhysicalAttackModule {

@display(“p=100,300”);

}

connections:

sensor1.ethg++ <–> Eth100M <–> firewall.in++;

sensor2.ethg++ <–> Eth100M <–> firewall.in++;

firewall.out++ <–> ids.in++;

ids.out++ <–> controller.ethg++;

controller.ethg++ <–> Eth100M <–> actuator1.ethg++;

controller.ethg++ <–> Eth100M <–> actuator2.ethg++;

controller.ethg++ <–> Eth100M <–> controlServer.ethg++;

attacker.ethg++ <–> Eth100M <–> firewall.in++;

}

7. Run the Simulation

Compile and run the simulation in OMNeT++. The IDS should identify irregular behaviors, the firewall should block unapproved traffic, and the control server should perform commands securely.

8. Analyze the Results

Monitor how cyber-physical system reacted to different simulated attacks by evaluating the OMNeT++ simulation log. Verify that:

• Unsanctioned commands and spoofed sensor data were detected or blocked by the firewall and IDS.
• Legitimate commands were securely processed by the control server.

9. Extend the Cyber-Physical Security Simulation

You can extend this setup by:

• Implementing real-time attack response: Simulate programmed responses to detected threats like isolating affected components or alerting operators.
• Enhancing secure communication: Use more advanced encryption protocols and key management methods.
• Simulating complex attack scenarios: Join multiple attack vectors like physical tampering with cyber-attacks.
• Integrating with physical simulations: Use co-simulation with physical process simulators to monitor the effects of cyber-attacks on the physical environment.

In this procedure, we thoroughly go through the provided materials about how to implement the cyber-physical security in OMNeT++. If you need any details about their security mechanisms or anything, we will offer them through another script.

Omnet-manual.com team is brimming with Cyber Physical Security project ideas, and we have all of the tools and resources you need to complete your work on time. We also work on industrial control systems (ICS), smart grids, and Internet of Things (IoT) networks that are relevant to your projects. Please let us know about your needs, and we will assist you. Stay in touch with our team to get the best implementation support.