ABSTRACT

In this chapter, we present a detailed case study of model-based attack detection procedures for Cyber-Physical Systems (CPSs). In particular, data from a real-world water treatment plant is collected and analyzed. Using this dataset and the sub-space system identification technique, an input-output Linear Time Invariant (LTI) model for the water treatment plant is obtained. This model is used to derive a Kalman filter to estimate the evolution of the system dynamics. Then, residual variables are constructed as the difference between the data coming from the real-world water treatment system and the estimates obtained by using the Kalman filter. We use these residuals to evaluate the performance of statistical detectors, namely the Bad-Data and the CUmulative Sum (CUSUM) change detection procedures. First, the limitations of these model-based statistical techniques are shown. Then, an attack detection technique is proposed to improve over the threshold-based approaches. It detects data integrity attacks on sensors in CPSs. A combined fingerprint for sensor and process noise is created during the normal operation of the system. Under a sensor spoofing attack, the noise pattern deviates from the fingerprinted pattern, enabling the proposed scheme to detect attacks. To extract the noise (the difference between the expected and observed values), a representative model of the system is derived. By subtracting the state estimates from the real system states, a residual vector is obtained. It is shown that in steady state the residual vector is a function of the process and sensor noise. A set of time domain and frequency domain features is extracted from the residual vector. The feature set is provided to a machine learning algorithm to identify the sensor and process. Experiments are performed on a real-world water treatment (SWaT) facility. A class of stealthy attacks designed for statistical detectors on SWaT is detected by the proposed technique. It is shown that a multitude of sensors can be uniquely identified with an accuracy higher than 94.5% based on the noise fingerprint.
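The residual pipeline summarized above (LTI model, Kalman filter, residual, then Bad-Data and CUSUM detectors) can be sketched on a toy scalar plant. This is an added example, not code or data from the chapter: the plant constants, noise levels, constructed sensor bias and detector thresholds are all assumed values, and it does not reproduce the SWaT model or the noise-fingerprinting scheme.

```python
import random

A, B, U = 0.5, 1.0, 1.0          # assumed scalar plant: x[k+1] = A*x[k] + B*U + w
Q, R = 0.02 ** 2, 0.1 ** 2       # assumed process / sensor noise variances

def steady_state_gain(iters=200):
    """Iterate the scalar Riccati recursion to the steady-state Kalman gain."""
    p = Q
    for _ in range(iters):
        p = A * A * p * R / (p + R) + Q
    return p / (p + R)

def residuals(n, attack_start=None, bias=0.0, seed=1):
    """Simulate plant and filter; return r[k] = y[k] - predicted output."""
    rng = random.Random(seed)
    gain = steady_state_gain()
    x = x_hat = B * U / (1 - A)              # start at the operating point
    out = []
    for k in range(n):
        y = x + rng.gauss(0, R ** 0.5)       # sensor reading
        if attack_start is not None and k >= attack_start:
            y += bias                        # constructed constant sensor offset
        r = y - x_hat
        out.append(r)
        x_hat = A * (x_hat + gain * r) + B * U   # measurement update, then predict
        x = A * x + B * U + rng.gauss(0, Q ** 0.5)
    return out

def bad_data_alarms(res, alpha):
    """Bad-Data detector: alarm whenever |r[k]| exceeds alpha."""
    return [k for k, r in enumerate(res) if abs(r) > alpha]

def cusum_alarms(res, drift, tau):
    """CUSUM: S = max(0, S + |r| - drift); alarm and reset when S > tau."""
    s, alarms = 0.0, []
    for k, r in enumerate(res):
        s = max(0.0, s + abs(r) - drift)
        if s > tau:
            alarms.append(k)
            s = 0.0
    return alarms

if __name__ == "__main__":
    res = residuals(600, attack_start=300, bias=0.2)
    print("bad-data alarms:", bad_data_alarms(res, alpha=0.7)[:5])
    print("cusum alarms   :", cusum_alarms(res, drift=0.12, tau=1.0)[:5])
```

With these assumed settings the offset stays below the Bad-Data threshold on every sample, while the CUSUM statistic accumulates the shift in the residual and alarms only after the offset begins.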