PASSIVE METHODS FOR DETECTION OF SUBTLE PROCESS VARIATIONS
With the increased reliance on digitization in industrial control systems, the need for effective monitoring techniques has risen dramatically. Specifically, there is now a growing concern about so-called false data injection (FDI) attacks, which aim to alter raw sensor data to cause malicious outcomes. Model-based defenses have been promoted as essential defenses against FDI attacks on the control network used to digitally regulate the operation of critical industrial systems such as nuclear reactors. The idea is that physics-based models could differentiate between genuine (i.e., unaltered by adversaries) and malicious network engineering data, such as flowrates and temperatures. Machine learning techniques have also been proposed to further improve the differentiating power of model-based defenses by constantly monitoring the engineering data for any deviations that are not consistent with the physics. While this is a sound premise, critical systems such as nuclear reactors, chemical plants, and gas plants share a common disadvantage: almost any information about them can be obtained by determined adversaries, such as state-sponsored attackers. Thus, one must question whether model-based defenses would be resilient under these extreme adversarial conditions. This work first investigates the learning capability of data-driven techniques; the investigation indicates that an attacker equipped with a reasonably approximate model can learn very accurate models of reactor behavior. To address this challenge, a new model-based randomized window algorithm is proposed, which monitors time-series data for signatures that can serve as fingerprints for the normal and FDI scenarios. State-of-the-art monitoring techniques have proven effective in detecting sudden variations from established recurring patterns, derived by model-based or data-driven techniques, that are considered to represent normal behavior.
This work further develops a new method designed to detect the subtle variations expected with stealthy attacks that rely on intimate knowledge of the system, i.e., a reasonable approximation of the system. The method employs physics modeling and feature engineering to design mathematical features that can detect subtle deviations from normal process variation. The work then extends the method to real-time analysis and employs a new denoising filter to ensure resiliency to noise, i.e., the ability to distinguish subtle variations from normal process noise. The method's applicability is exemplified using a hypothesized triangle attack, recently demonstrated to be extremely effective in bypassing detection by conventional monitoring techniques, applied to a representative nuclear reactor system model using the RELAP5 computer code.