On The Limits of Detecting Process Anomalies in Critical Infrastructure

Critical infrastructure are Cyber-Physical Systems that provide essential services to the society. Such infrastructure includes plants for power generation and distribution and for water treatment and distribution. Several such plants operate under a high availability constraint. In the presence of ever increasing cyber attacks, as demonstrated by several events in the past, it becomes imperative and challenging for a plant to meet the availability requirement. Such attacks raise the importance of adding to a plant mechanisms for attack prevention, detection, and secure control. Preventive measures aim to control the incoming and outgoing network traffic and prevent unauthorised access to the plant. Detection mechanisms aim at detecting whether the plant is behaving as expected and raise alarms otherwise. Mechanisms for secure control aim at ensuring that the plant remains in a stable state despite an attack. When a preventive mechanism fails, the detection mechanism ought to detect whether the process under control is moving into an undesirable state and, if so, raise an appropriate alarm. While an alarm will likely alert an operator, it may be too late and damage may have occurred. To prevent such damage, a secure control mechanism ensures that despite the plant entering an abnormal state, the plant components, e.g., pumps and generators, do not get damaged and the process continues to function albeit in degraded mode. The ongoing process in the plant is said to be anomalous when its state is not in accordance with the plant design. A number of proposed detection mechanisms rely on the physics of the process to detect anomalous behavior. Several such mechanisms have been implemented in testbeds. In this talk we analyze two methods for the detection of process anomalies, namely the CUSUM method[2], and a relatively newer method based on the notion of state entanglement [1]. Both methods are based on models of the underlying process in the plant. CUSUM is a statistical technique for detecting change points in a time series that corresponds to a process variable. The method uses two parameters, namely bias and threshold. The bias is determined from the mean of the process variable of concern. The bias so obtained is used in conjunction with the predicted and observed state of the plant. The process is said to have changed its behavior when the CUSUM statistic exceeds a pre-specified threshold. The occurrence of a change implies process anomaly. State entanglement uses the joint state space of one or more components of the plant to construct a state space that consists of prohibited states during plant operation. The prohibited state space of the components leads to one or more invariants. The invariants so derived are coded as monitors and placed in the plant network and in the controllers. A monitor raises an alarm when the process enters a prohibited state. While both methods mentioned above have been evaluated experimentally, we wish to identify the conditions under which the methods either fail to detect an anomaly or cause false alarms. Using our analysis we reveal the inherent limitations of these methods that may lead to an unacceptable rate of false alarms, and their inability to detect coordinated cyber attacks. Our analysis is based on an increasingly complex series of attacker profiles, and affect graphs that capture state relationship among plant components, to reveal the strengths and limitations of both methods.