Industrial control systems (ICSs) are types of cyber-physical systems in which programs, written in languages such as ladder logic or structured text, control industrial processes through sensing and actuating. Given the use of ICSs in critical infrastructure, it is important to test their resilience against manipulations of sensor/actuator inputs. Unfortunately, existing methods fail to test them comprehensively, as they typically focus on finding the simplest-to-craft manipulations for a testing goal, and are also unable to determine when a test is simply a minor permutation of another, i.e. based on the same causal events. In this work, we propose a guided fuzzing approach for finding 'meaningfully different' tests for an ICS via a general formalisation of sensor/actuator-manipulation strategies. Our algorithm identifies the causal events in a test, generalises them to an equivalence class, and then updates the fuzzing strategy so as to find new tests that are causally different from those already identified. An evaluation of our approach on a real-world water treatment system shows that it is able to find 106% more causally different tests than the most comparable fuzzer. While we focus on diversifying the test suite of an ICS, our formalisation may be useful for other fuzzers that intercept communication channels.
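As an added illustration (not code from the paper or its authors), the following Python toy models the loop the abstract sketches: intercept sensor/actuator channels, run a test, reduce it to the manipulations the outcome actually depends on, generalise those into an equivalence class, and bias later test generation away from classes already found. The tank plant, its thresholds, the channel names, and the greedy one-at-a-time reduction are all assumptions made for this demonstration.

```python
import random
# Constructed toy plant (assumption): tank with a level sensor, inlet pump (+5/step)
# and outlet valve (-6/step when open); None leaves an intercepted channel untouched.
OPTIONS = {"level_sensor": [None, 0.0, 30.0, 50.0, 70.0, 100.0],
           "pump_cmd": [None, True, False], "valve_cmd": [None, True, False]}

def simulate(test, steps=60):
    """Run the plant under a test; True when the physical level overflows."""
    force = lambda chan, real: real if test.get(chan) is None else test[chan]
    level = 50.0
    for _ in range(steps):
        reading = force("level_sensor", level)        # spoofed sensor value
        pump = force("pump_cmd", reading < 60)        # PLC logic on the reading,
        valve = force("valve_cmd", reading > 40)      # actuator override in transit
        level = max(0.0, level + 5 * pump - 6 * valve)
        if level > 100:
            return True
    return False

def causal_events(test):
    """Greedy reduction: a manipulation is causal only if dropping it removes the overflow."""
    kept = {c: v for c, v in test.items() if v is not None}
    for chan in list(kept):
        trial = {c: v for c, v in kept.items() if c != chan}
        if simulate(trial):
            kept = trial
    return kept

def generalise(chan, value):  # abstract a reading to the PLC decisions it induces
    return (chan, value < 60, value > 40) if chan == "level_sensor" else (chan, value)

def equivalence_class(events):
    return frozenset(generalise(c, v) for c, v in events.items())

def fuzz(rounds=2000, seed=7):
    """Guided fuzzing: each new class down-weights every concrete value generalising to it."""
    rng = random.Random(seed)
    weight = {(c, v): 1.0 for c, vs in OPTIONS.items() for v in vs}
    classes = {}
    for _ in range(rounds):
        test = {c: rng.choices(vs, weights=[weight[(c, v)] for v in vs])[0]
                for c, vs in OPTIONS.items()}
        if simulate(test):
            cls = equivalence_class(causal_events(test))
            if cls not in classes:
                classes[cls] = test
                for c, v in weight:
                    if v is not None and generalise(c, v) in cls:
                        weight[(c, v)] *= 0.25
    return classes
```

In this toy the fuzzer ends with three causally different classes (a low spoofed reading; pump forced on with the valve forced closed; a mid-range spoofed reading with the valve forced closed), while the many concrete tests that reduce to one of them are counted only once.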