Statistical detection and isolation of cyber-physical attacks on SCADA systems

Abstract

This paper addresses the problem of jointly detecting and isolating cyber-physical attacks on Supervisory Control And Data Acquisition (SCADA) systems. The SCADA systems are described as a discrete-time state space model in the presence of unknown system states and Gaussian noises. The cyber-physical attacks are modeled as additive signals on both system equations, where different attack scenarios will produce particular changes (referred as attack profiles) in system dynamics. To solve the problem, we employ the classical approach in fault detection and isolation (FDI) community which includes two steps: residual generation and residual evaluation. The so-called residuals are first generated by the parity space method. They are then evaluated by using statistical change-point detection and isolation algorithms. The proposed algorithm is applied to the detection and isolation of several attack scenarios on a simple SCADA water distribution network. Its statistical performance is also compared with several conventional quickest change detection and isolation algorithms by using the transient change detection and isolation criterion. This novel-proposed criterion involves the minimization of the probability of missed detection subject to given values on the probability of false alarm and false isolation.