Sequential monitoring of SCADA systems against cyber/physical attacks

Abstract

The sequential monitoring of SCADA systems against cyber/physical attacks is considered in this paper. The SCADA systems are described by the discrete-time state space models in the presence of random noises. The cyber/physical attacks are modeled as additive signals of short duration impacted both the state evolution and the sensor measurement equations. The detection of attacks is formulated as the problem of sequential transient change detection in stochastic-dynamical systems. The steady-state Kalman filter and the fixed-size parity space are utilized for generating the sequence of residuals. The unified statistical model is developed to describe the residual generation by both methods. Based on this statistical model, the Variable Threshold Window Limited CUmulative SUM (VTWL CUSUM) algorithm is designed to detect the transient changes. Taking into consideration the detection criterion, which aims at minimizing the worst-case probability of missed detection subject to a given value on the worst-case probability of false alarm, the thresholds are tuned for optimizing the VTWL CUSUM algorithm. It is shown that the optimal choice of thresholds leads to the simple Finite Moving Average (FMA) detection rule. The proposed algorithms are applied to detect the covert attack on a simple SCADA water distribution network.