Abstract

Critical infrastructures crucial to our modern life, such as electricity grids and water pumps, are controlled by Supervisory Control and Data Acquisition (SCADA) systems. Over the last two decades, connecting critical infrastructures to the Internet has become essential due to performance and commercial needs. The combination of Internet connections to systems with few, if any, security features and the fact that security by obscurity no longer works has moved the topic of SCADA security to the forefront in the last few years. To address these challenges, in this paper we propose cyber-attack detection techniques based on temporal pattern recognition. Temporal pattern recognition methods look not only for anomalies in the data transferred by the SCADA components over the network but also for anomalies that arise from misusing legitimate commands, where unauthorized and incorrect time intervals between them may cripple the system. Specifically, we propose two algorithms based on Hidden Markov Models (HMM) and Artificial Neural Networks (ANN). We evaluate the algorithms on real and simulated SCADA data with five different feature extraction methods; in each method, the algorithms consider different aspects of the raw data. The results show that temporal pattern recognition methods, especially those based on time feature extraction, can detect cyber-attacks, including those that involve legitimate functions, which are known in the literature to be hard to detect.
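The time-interval idea in the abstract, as an added illustration that is not the paper's algorithm or code: a first-order Markov chain, used here as a simplified stand-in for the HMM, scores sequences of (function code, inter-command interval bin) symbols. The traffic, the function codes 3 (read) and 6 (write), the bin edges and all names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
BIN_EDGES = (0.1, 0.5, 2.0, 15.0)  # seconds; assumed bin boundaries

def symbolize(trace):
    """Turn (timestamp, function_code) events into (function_code, interval_bin) symbols."""
    out = []
    for (t_prev, _), (t, fc) in zip(trace, trace[1:]):
        out.append((fc, sum(t - t_prev > edge for edge in BIN_EDGES)))
    return out

class IntervalModel:
    """First-order Markov chain over symbols, a simplified stand-in for an HMM."""
    def __init__(self, alpha=0.01):
        self.alpha, self.rows, self.unigram = alpha, defaultdict(Counter), Counter()

    def fit(self, symbols):
        self.unigram.update(symbols)
        for a, b in zip(symbols, symbols[1:]):
            self.rows[a][b] += 1
        return self

    def _prob(self, a, b):
        # Back off to smoothed symbol frequencies when context `a` was never seen.
        row = self.rows[a] if a in self.rows else self.unigram
        size = len(self.unigram) + 1  # +1 reserves mass for unseen symbols
        return (row[b] + self.alpha) / (sum(row.values()) + self.alpha * size)

    def score(self, symbols):
        """Mean negative log-likelihood per transition (higher = more anomalous)."""
        pairs = list(zip(symbols, symbols[1:]))
        return sum(-math.log(self._prob(a, b)) for a, b in pairs) / max(1, len(pairs))

def polling_trace(seconds, write_every=10):
    """Constructed normal traffic: read (code 3) each second, write (code 6) every 10 s."""
    trace = []
    for s in range(seconds):
        trace.append((float(s), 3))
        if s % write_every == 0:
            trace.append((s + 0.3, 6))
    return trace

def with_write_burst(trace, start=5.2, count=10, gap=0.05):
    """Constructed misuse: the same legitimate write, repeated at 50 ms intervals."""
    return sorted(trace + [(start + i * gap, 6) for i in range(count)])

model = IntervalModel().fit(symbolize(polling_trace(300)))
normal_score = model.score(symbolize(polling_trace(20)))
attack_score = model.score(symbolize(with_write_burst(polling_trace(20))))
```

The burst trace contains only function codes already present in normal traffic, so a detector that inspects commands alone sees nothing new; the interval bin is what moves the score.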
