Industrial control systems (ICSs) are types of cyber-physical systems in which programs, written in languages such as ladder logic or structured text, control industrial processes through sensing and actuating. Given the use of ICSs in critical infrastructure, it is important to test their resilience against manipulations of sensor/actuator inputs. Unfortunately, existing methods fail to test them comprehensively, as they typically focus on finding the simplest-to-craft manipulations for a testing goal, and are also unable to determine when a test is simply a minor permutation of another, i.e. based on the same causal events. In this work, we propose a guided fuzzing approach for finding 'meaningfully different' tests for an ICS via a general formalisation of sensor/actuator-manipulation strategies. Our algorithm identifies the causal events in a test, generalises them to an equivalence class, and then updates the fuzzing strategy so as to find new tests that are causally different from those already identified. An evaluation of our approach on a real-world water treatment system shows that it is able to find 106% more causally different tests than the most comparable fuzzer. While we focus on diversifying the test suite of an ICS, our formalisation may be useful for other fuzzers that intercept communication channels.