Detection of Cyber-Physical Attacks using Physical Model with Nonparametric EWMA Detector

Abstract

Industrial Control System (ICS) can suffer of cyber-physical attacks resulting in accident, damage, or financial loss. The attacks can be detected in both in physical space or cyberspace of the ICS. The detection in physical space can be based on physical models of the system. To model the physical system this study uses a data-driven modeling approach as an alternative of the analytic one. This study models the system using the dynamic mode decomposition method with control (DMDc) assuming a full state measurement. The attack detector used in some researches with predictive physical models is the cumulative sum (CUSUM), which only applies to normally distribute residual data. To detect any cyber-physical attack, this research uses a nonparametric exponentially weighted moving average (EWMA) detector. This study uses a data set from a testbed of Secure Water Treatment (SWaT). The approach used in this study was successful in detecting 8 out of 10 attacks on the first SWaT subsystem. This study demonstrates that DMDc used in this study results a better goodness of fit and the nonparametric EWMA can be used as an alternative as detector when residual data do not follow a normal distribution.