Abstract

With increased adoption of digital systems for instrumentation and control, nuclear power plants have become more vulnerable to cyber-attacks. Such attacks can have very serious implications for a plant's operation, especially if they masquerade as safety events. Thus, it is important that research be focused on distinguishing cyber-attacks from fault-induced safety events so that the correct response can be made in a timely manner. In this paper, an event classifier is presented to classify abnormal events in nuclear power plants as either fault-induced safety events or cyber-attacks. The process of inferring the hidden (unobservable) state of a system (normal or faulty) through observable physical sensor measurements has been a long-standing industry practice. There has been a recent surge of literature discussing the use of network traffic data for the detection of cyber-attacks on industrial control systems. In the classifier we present, both physical and network behaviors of a nuclear power plant during abnormal events (safety events or cyber-attacks) are used to infer the probabilities of the states of the plant. The nature of the abnormal event in question is then determined based on these probabilities. The Dynamic Bayesian Networks (DBNs) methodology is used for this purpose since it is an appropriate framework for inferring hidden states of a system from observed variables through probabilistic reasoning. In this paper we introduce a DBN-based abnormal event classifier and an architecture to implement this classifier as part of a monitoring system. An experimental environment is set up with a two-tank system in conjunction with a nuclear power plant simulator and a programmable logic controller. A set of 27 cyber-attacks and 14 safety events were systematically designed for the experiment. A set of 6 cyber-attacks and 2 safety events were used to manually fine-tune the Conditional Probability Tables (CPTs) of the 2-timeslice dynamic Bayesian network (2T-DBN). Out of the remaining 33 events, the nature of the abnormal event was successfully identified in all 33 cases and the location of the cyber-attack or fault was successfully determined in 32 cases. The case study demonstrates the applicability of the methodology developed. Further research should examine the practicality of implementing the proposed monitoring system on a real-world system and issues associated with cost optimization.
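
An added illustration (not the paper's code or model) of the kind of inference the abstract describes: forward filtering over a two-time-slice DBN in which a hidden plant state is updated from one physical and one network observation per slice. The state names, CPT values and observation sequences are constructed assumptions, and the example covers only the nature of the event, not its location.

```python
# Added illustration: forward filtering in a two-time-slice DBN.
# Every probability and observation below is constructed, not taken from the paper.
STATES = ("normal", "fault", "attack")
PRIOR = {"normal": 0.98, "fault": 0.01, "attack": 0.01}

# P(state at t | state at t-1): abnormal states tend to persist between slices.
TRANSITION = {
    "normal": {"normal": 0.98, "fault": 0.01, "attack": 0.01},
    "fault": {"normal": 0.05, "fault": 0.95, "attack": 0.00},
    "attack": {"normal": 0.05, "fault": 0.00, "attack": 0.95},
}
# P(observation is anomalous | state). A fault disturbs the process but not the
# network; an attack in this toy model disturbs both.
P_PHYS_ANOMALY = {"normal": 0.02, "fault": 0.90, "attack": 0.85}
P_NET_ANOMALY = {"normal": 0.03, "fault": 0.05, "attack": 0.80}

def likelihood(state, phys, net):
    """P(phys, net | state), observations independent given the state."""
    p = P_PHYS_ANOMALY[state] if phys else 1 - P_PHYS_ANOMALY[state]
    n = P_NET_ANOMALY[state] if net else 1 - P_NET_ANOMALY[state]
    return p * n

def filter_states(observations):
    """Return the posterior over STATES after each (phys, net) observation."""
    belief, history = dict(PRIOR), []
    for phys, net in observations:
        # Predict: push the previous belief through the transition CPT.
        predicted = {s: sum(belief[r] * TRANSITION[r][s] for r in STATES) for s in STATES}
        # Update: weight by the evidence in this slice, then normalise.
        unnorm = {s: predicted[s] * likelihood(s, phys, net) for s in STATES}
        total = sum(unnorm.values())
        belief = {s: v / total for s, v in unnorm.items()}
        history.append(belief)
    return history

def classify(observations):
    """Most probable state after the last observation."""
    final = filter_states(observations)[-1]
    return max(final, key=final.get)

# Constructed sequences of (physical anomaly, network anomaly) flags.
FAULT_LIKE = [(0, 0), (1, 0), (1, 0), (1, 0)]
ATTACK_LIKE = [(0, 0), (1, 1), (1, 1), (1, 1)]

if __name__ == "__main__":
    for name, seq in (("fault-like", FAULT_LIKE), ("attack-like", ATTACK_LIKE)):
        print(name, classify(seq), filter_states(seq)[-1])
```

With these constructed CPTs a single anomalous physical reading leaves "normal" as the most probable state; the posterior moves to "fault" or "attack" only as consistent evidence accumulates across slices.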
