Abstract

Stealthy attacks on Industrial Control Systems can cause significant damage while evading detection. In this article, instead of focusing on the detection of stealthy attacks, we aim to provide early warnings to operators, in order to avoid physical damage and preserve in advance data that may serve as evidence during an investigation. We propose a framework to provide grounds for suspicion, i.e., preliminary indicators reflecting the likelihood of success of a stealthy attack. We propose two grounds for suspicion based on the behaviour of the physical process: (i) feasibility of a stealthy attack, and (ii) proximity to unsafe operating regions. We propose a metric to measure grounds for suspicion in real-time and provide soundness principles to ensure that such a metric is consistent with the grounds for suspicion. We apply our framework to Linear Time-Invariant (LTI) systems and formulate the suspicion metric computation as a real-time reachability problem. We validate our framework on a case study involving the benchmark Tennessee-Eastman process. We show through numerical simulation that we can provide early warnings well before a potential stealthy attack can cause damage, while incurring minimal load on the network. Finally, we apply our framework on a use case to illustrate its usefulness in supporting early evidence collection.

Highlights

  • Cyber-Physical Systems (CPS) augment physical systems with enhanced capabilities, such as real-time monitoring and dynamic control [1]

  • Using numerical simulations we validate whether our framework can warn well in advance of damage caused by a potential stealthy attack

  • We considered the problem of stealthy attacks on safety-critical Industrial Control Systems (ICS)


Summary

Introduction

Cyber-Physical Systems (CPS) augment physical systems with enhanced capabilities, such as real-time monitoring and dynamic control [1]. Industrial Control Systems (ICS) are considered a subclass of CPS, where software controls safety-critical industrial processes. Anomaly-based Intrusion Detection Systems (IDS) can usually detect attacks affecting the physical process in an ICS by monitoring deviations from the normal system behaviour (anomalies) [4]. Skilled attackers can take advantage of the noise in the system and the thresholds used by the anomaly detectors to cause damage to the ICS before an alarm is raised [5], [6]. Such attacks, which evade detection, are known as stealthy attacks. EWS may not reveal attacks on their own, but can guide the selection of appro-
