Anomaly Diagnosis in Cyber-Physical Systems

Abstract

Cyber-Physical Systems (CPS) constitute the operational basis for a number of critical national infrastructure (CNI) sectors including but not limited to manufacturing, smart electrical grids and water utilities, where programmable networked systems enable physical processes. Programmable Logic Controllers (PLCs) play a vital role in this by controlling CPS processes and consequently have become a primary target for cyber attacks that aim to disrupt CPS. By contrast with conventional networked setups, the operational and safety-critical importance of PLCs introduce challenges for CNI operators on empirically determining if an incident is a cyber-attack or a system fault as both occurrences can display similar outputs on the physical process. Moreover, existing anomaly detection techniques explicit to PLCs primarily give indication of an incident rather than attempting to categorise what the incident is. In this paper, we introduce a novel PLC anomaly diagnosis framework defined by a two-stage identification and classification approach based on novelty detection. Through the use of PLC run-time and network communication data generated by physical processes on a representational CPS testbed, we achieve an average of 99.35% on anomaly profiling accuracy and highlight the distinctions between system faults and cyber-attacks. In general, we demonstrate a practical approach that can be adopted by next generation CPS cyber defence tools.