SFACIF: A safety function attack and anomaly industrial condition identified framework

Abstract

High-stakes process industries require a harmonious relationship between the Safety Instrumented System (SIS) and the Basic Process Control System (BPCS) to guarantee the safety and stability of operations. As security threats to SIS intensify, the imperative to fortify it against cyber-attacks has never been more critical. SIS activates safety functions to bring the process to a safe state or shut it down under anomaly idustrial conditions. This raises two critical questions for SIS security: (1) how to differentiate between genuine industrial anomalies and data injected by attackers to prevent unnecessary shutdowns and economic losses; and (2) how to distinguish between attackers’ replayed data and normal operational data to avoid casualties resulting from delayed shutdowns. In addressing these challenges, we introduce SFACIF, a framework designed to effectively identify safety function attacks and anomaly industrial conditions. Inspired by advanced two out of three voting mechanisms and process monitoring technologies, our approach encompasses several innovative strategies. Initially, a deep learning-based time series prediction method is employed to generate benchmark data. Next, potential issues are identified by detecting deviations through pairwise comparisons between the predicted benchmark data, SIS observations, and BPCS observations. To account for the higher fault rates in BPCS and the presence of process noise, we apply a modified sliding window residual statistical method for analysis. Lastly, we introduce a novel coding scheme to interpret the results of the three-way comparison, enabling the identification of safety function attacks and anomaly industrial conditions. To validate the efficacy of SFACIF, we devised a physical simulation platform that mirrors real-world industrial environments, facilitating a rigorous assessment of our framework under operational conditions. The performance metrics underscore the superior capability of SFACIF, which achieved 99% accuracy and 1% false alarm rate. These results not only attest to the ability of SFACIF to accurately differentiate between various attack vectors but also highlight its proficiency in discerning between authentic and manipulated data.