Trouble Brewing: Using Observations of Invariant Behavior to Detect Malicious Agency in Distributed Control Systems

Recent research on intrusion detection in supervisory data acquisition and control (SCADA) and DCS systems has focused on anomaly detection at protocol level based on the well-defined nature of traffic on such networks. Here, we consider attacks which compromise sensors or actuators (including physical manipulation), where intrusion may not be readily apparent as data and computational states can be controlled to give an appearance of normality, and sensor and control systems have limited accuracy. To counter these, we propose to consider indirect relations between sensor readings to detect such attacks through concurrent observations as determined by control laws and constraints.

We use a brewery bulk and fill pasteurizer as a specimen for biochemical processes. We motivate our approach by considering possible attacks and means of detection. Here we rely on the existence of non-linear relationships which allow us to attach a greater significance to small differences in sensor readings than would otherwise be the case and demonstrate the insufficiency of existing sensor placement and measurement frequency to detect such attacks.