Using physical models for anomaly detection in control systems

Abstract

Supervisory control and data acquisition (SCADA) systems are increasingly used to operate critical infrastructure assets. However, the inclusion of advanced information technology and communications components and elaborate control strategies in SCADA systems increase the threat surface for external and subversion-type attacks. The problems are exacerbated by site-specific properties of SCADA environments that make subversion detection impractical; and by sensor noise and feedback characteristics that degrade conventional anomaly detection systems. Moreover, potential attack mechanisms are ill-defined and may include both physical and logical aspects. This paper employs an explicit model of a SCADA system in order to reduce the uncertainty inherent in anomaly detection. Detection is enhanced by incorporating feedback loops in the model. The effectiveness of the approach is demonstrated using a model of a hydroelectric power plant for which several attack vectors are described. © IFIP International Federation for Information Processing 2009.