Industrial Control Systems (ICS) monitor and control physical processes. The security of ICS has drawn the attention of many researchers, since successful cyber-attacks against ICS can cause extensive damage in the physical world. Most of the existing literature describes solutions to protect an ICS against attacks directly targeting its underlying IT infrastructure. However, comparatively few works focus on detecting cyber-attacks against the physical process itself. Detection mechanisms that do so are said to be process-aware. In this paper, we propose a time-based process-aware intrusion detection system (IDS) that detects attacks against a physical process by leveraging its regular nature and temporal properties. The IDS learns the temporal behavior of the process variables and uses it to detect attacks. We evaluate the performance of our IDS on a public SCADA dataset and on a simulated SCADA system developed as part of this study, and we compare it with two other process-aware IDS proposed in the literature. The results show that our solution is able to detect attacks that are not detected by IDS that ignore temporal properties.
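A simplified illustration of the idea in the abstract, added here and not the paper's algorithm or code: learn from attack-free data how long a process variable stays in each state before each transition, then flag transitions whose timing falls outside the learned window. The state names, the 1 Hz sampling, the 20% tolerance and all sample traces are assumptions constructed for this example.

```python
from collections import defaultdict

def make_trace(phases, step=1):
    """Build constructed (timestamp, state) samples from (state, seconds) phases."""
    t, out = 0, []
    for state, secs in phases:
        for _ in range(0, secs, step):
            out.append((t, state))
            t += step
    return out

def transitions(samples):
    """Turn (timestamp, state) samples into (from, to, dwell_seconds) tuples."""
    out = []
    prev_state, entered = samples[0][1], samples[0][0]
    for ts, state in samples[1:]:
        if state != prev_state:
            out.append((prev_state, state, ts - entered))
            prev_state, entered = state, ts
    return out

def learn_profile(samples, tolerance=0.2):
    """Learn the allowed dwell-time window per transition (tolerance is assumed)."""
    seen = defaultdict(list)
    for src, dst, dwell in transitions(samples):
        seen[(src, dst)].append(dwell)
    return {k: (min(v) * (1 - tolerance), max(v) * (1 + tolerance))
            for k, v in seen.items()}

def detect(samples, profile):
    """Return alerts for unseen transitions and for dwell times outside the window."""
    alerts = []
    for src, dst, dwell in transitions(samples):
        window = profile.get((src, dst))
        if window is None:
            alerts.append(("unknown_transition", src, dst, dwell))
        elif not window[0] <= dwell <= window[1]:
            alerts.append(("timing_violation", src, dst, dwell))
    return alerts

# Constructed data: a tank that alternates between filling and draining.
TRAIN = make_trace([("FILL", 30), ("DRAIN", 20), ("FILL", 31), ("DRAIN", 19),
                    ("FILL", 29), ("DRAIN", 21), ("FILL", 30)])
# Constructed attack: the fill phase is held for 55 s; states and order stay valid.
ATTACK = make_trace([("FILL", 30), ("DRAIN", 20), ("FILL", 55), ("DRAIN", 20),
                     ("FILL", 30)])
PROFILE = learn_profile(TRAIN)

if __name__ == "__main__":
    print(detect(ATTACK, PROFILE))
```

In the constructed attack trace every state and every transition also appears in the training data, so a check on the transition sequence alone raises nothing; only the dwell-time window flags the prolonged fill phase.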
Ndonda, G. K., & Sadre, R. (2022). Exploiting the Temporal Behavior of State Transitions for Intrusion Detection in ICS/SCADA. IEEE Access, 10, 111171–111187. https://doi.org/10.1109/ACCESS.2022.3213080