Deriving invariant checkers for critical infrastructure using axiomatic design principles
Cybersecurity, Pub Date: 2021-04-02, DOI: 10.1186/s42400-021-00069-7
Cheah Huei Yoong, Venkata Reddy Palleti, Rajib Ranjan Maiti, Arlindo Silva, Christopher M Poskitt

Cyber-physical systems (CPSs) in critical infrastructure face serious threats of attack, motivating research into a wide variety of defence mechanisms such as those that monitor for violations of invariants, i.e. logical properties over sensor and actuator states that should always be true. Many approaches for identifying invariants attempt to do so automatically, typically using data logs, but these can miss valid system properties if relevant behaviours are not well-represented in the data. Furthermore, as the CPS is already built, resolving any design flaws or weak points identified through this process is costly. In this paper, we propose a systematic method for deriving invariants from an analysis of a CPS design, based on principles of the axiomatic design methodology from design science. Our method iteratively decomposes a high-level CPS design to identify sets of dependent design parameters (i.e. sensors and actuators), allowing for invariants and invariant checkers to be derived in parallel to the implementation of the system. We apply our method to the designs of two CPS testbeds, SWaT and WADI, deriving a suite of invariant checkers that are able to detect a variety of single- and multi-stage attacks without any false positives. Finally, we reflect on the strengths and weaknesses of our approach, how it can be complemented by other defence mechanisms, and how it could help engineers to identify and resolve weak points in a design before the controllers of a CPS are implemented.




Updated: 2021-04-02