On the Feasibility of Distinguishing Between Process Disturbances and Intrusions in Process Control Systems Using Multivariate Statistical Process Control

Process Control Systems (PCSs) are the operating core of Critical Infrastructures (CIs). As such, anomaly detection has been an active research field to ensure CI normal operation. Previous approaches have leveraged network level data for anomaly detection, or have disregarded the existence of process disturbances, thus opening the possibility of mislabelling disturbances as attacks and vice versa. In this paper we present an anomaly detection and diagnostic system based on Multivariate Statistical Process Control (MSPC), that aims to distinguish between attacks and disturbances. For this end, we expand traditional MSPC to monitor process level and controller level data. We evaluate our approach using the Tennessee-Eastman process. Results show that our approach can be used to distinguish disturbances from intrusions to a certain extent and we conclude that the proposed approach can be extended with other sources of data for improving results.

[1]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[2]  Nils Kalstad Svendsen,et al.  Using Physical Models for Anomaly Detection in Control Systems , 2009, Critical Infrastructure Protection.

[3]  Gabriel Maciá-Fernández,et al.  Hierarchical PCA-based multivariate statistical network monitoring for anomaly detection , 2016, 2016 IEEE International Workshop on Information Forensics and Security (WIFS).

[4]  Béla Genge,et al.  A clustering-based approach to detect cyber attacks in process control systems , 2015, 2015 IEEE 13th International Conference on Industrial Informatics (INDIN).

[5]  Theodora Kourti,et al.  Statistical Process Control of Multivariate Processes , 1994 .

[6]  Dieter Gollmann,et al.  The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems , 2015, AsiaCCS.

[7]  H. Hotelling,et al.  Multivariate Quality Control , 1947 .

[8]  E. F. Vogel,et al.  A plant-wide industrial process control problem , 1993 .

[9]  José Camacho,et al.  Multivariate Exploratory Data Analysis (MEDA) Toolbox for Matlab , 2015 .

[10]  M. Krotofil,et al.  Rocking the pocket book: Hacking chemical plants for competition and extortion , 2015 .

[11]  Ing-Ray Chen,et al.  A survey of intrusion detection techniques for cyber-physical systems , 2014, ACM Comput. Surv..

[12]  José Camacho,et al.  Observation‐based missing data methods for exploratory data analysis to unveil the connection between observations and variables in latent subspace models , 2011 .

[13]  J. E. Jackson,et al.  Control Procedures for Residuals Associated With Principal Component Analysis , 1979 .

[14]  Gabriel Maciá Fernández,et al.  PCA-based Multivariate Statistical Network Monitoring for Anomaly Detection , 2016 .

[15]  Alvaro A. Cárdenas,et al.  Attacks against process control systems: risk assessment, detection, and response , 2011, ASIACCS '11.

[16]  N. Lawrence Ricker,et al.  Decentralized control of the Tennessee Eastman Challenge Process , 1996 .

[17]  Stephen D. Wolthusen,et al.  A Plant-Wide Industrial Process Control Security Problem , 2011, Critical Infrastructure Protection.