Authors: Xiangming Wang; Yang Liu; Nanpeng Yu; Pengfei Liu; Nanyi Deng; Yanan Li; Ting Liu
Journal: IEEE Transactions on Automation Science and Engineering, vol. 22, pp. 14008-14019
DOI: 10.1109/TASE.2025.3556720
Publication date: 2025-04-01 (Journal Article)
URL: https://ieeexplore.ieee.org/document/10947044/
Physical Intrusion Attack Detection in Fieldbus Network With Passive Fail-Safe Biasing
Fieldbus is widely used for real-time distributed control in Industrial Control Systems (ICSs) due to its simplicity and stability. The real-world fieldbus network contains hundreds of interconnected devices, presenting a widespread network layout. Attackers can attach external intrusion devices to these communication lines to launch various attacks. In this paper, we model the fieldbus network’s channel fingerprint based on the signal’s amplitude and propose a detection method to identify potential attackers (silent intrusion devices that are eavesdropping) via channel fingerprint differences. Leveraging the passive fail-safe biasing voltage in the fieldbus network such as RS485, we can still detect the intrusion device when the fieldbus is idle (i.e., no devices are transmitting commands), which can significantly reduce the detection delay with lower sampling costs. Moreover, our method can adapt to environmental changes with little computational overhead by generating dynamic thresholds. Using a monitoring unit with stored channel fingerprints, our method can be easily deployed in fieldbus networks without occupying communication resources. The effectiveness and robustness of the proposed method have been demonstrated via extensive experiments on two real-world scenarios and one simulation scenario, where we can achieve 100% accuracy and 0% false alarm rates against various intrusion devices.

Note to Practitioners—This paper is motivated by a practical need for detecting unauthorized intrusion devices in fieldbus networks. Existing detection methods face several challenges: active detection methods based on traffic analysis may disrupt normal bus communication, and it is hard to identify silent intrusion devices that are eavesdropping. Moreover, adapting these methods to changing environments is still challenging and costly. To address these issues, we leverage the inevitable amplitude differences in fail-safe biasing voltage signals and benign devices’ communication voltage signals to detect intrusion devices passively. Furthermore, to adapt to rapidly changing environments, we generate the detection thresholds dynamically based on the hypothesis testing theory. Extensive physical and simulation experiments demonstrate that the detection method against physical intrusion attacks is accurate and robust.
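As an added illustration of the idle-bus fingerprint idea (not code from the paper or its authors), the following Python models the passive fail-safe bias divider of an RS485 segment, where any device hung across A-B adds a parallel path and lowers the idle level, and runs a two-sample z-test with a dynamic threshold over constructed idle samples. The resistor values, the 12 kΩ unit-load receiver model, the noise level and the adaptation rate are assumptions.

```python
import math
import random
import statistics

# Assumed bias network (illustrative, not the paper's values): 5 V supply, 680 ohm
# pull-up on A / pull-down on B, 60 ohm combined termination, 12 kohm (1 UL) per node.
VCC, R_UP, R_DOWN, R_TERM, R_UNIT_LOAD = 5.0, 680.0, 680.0, 60.0, 12_000.0

def idle_bias_voltage(n_benign, extra_loads_ohm=()):
    """Differential A-B level while no transmitter drives the bus: the bias
    resistors and everything across A-B form a divider, so any device clipped
    onto the line adds a parallel path and lowers the idle level."""
    g = 1 / R_TERM + n_benign / R_UNIT_LOAD + sum(1 / r for r in extra_loads_ohm)
    r_across = 1 / g
    return VCC * r_across / (R_UP + R_DOWN + r_across)

def sample_idle_window(n_benign, extra_loads_ohm, rng, n=256, noise_v=0.001):
    """Constructed monitor samples: true idle level plus Gaussian ADC noise."""
    level = idle_bias_voltage(n_benign, extra_loads_ohm)
    return [level + rng.gauss(0.0, noise_v) for _ in range(n)]

class IdleBiasMonitor:
    """Two-sample z-test of each idle window against the stored fingerprint.
    H0: the window comes from the unchanged channel. The threshold is dynamic
    (scales with measured noise and window length) and the fingerprint absorbs
    accepted windows, so slow environmental drift is tracked, not alarmed on."""
    Z_ALPHA = 3.89  # two-sided alpha of about 1e-4 under H0

    def __init__(self, baseline):
        self.mu, self.n0 = statistics.fmean(baseline), len(baseline)
        self.sigma = statistics.stdev(baseline)

    def check(self, window, adapt_rate=0.2):
        """Return True (alarm) when the window mean is inconsistent with H0."""
        mean = statistics.fmean(window)
        se = self.sigma * math.sqrt(1 / len(window) + 1 / self.n0)
        if abs(mean - self.mu) / se > self.Z_ALPHA:
            return True
        self.mu += adapt_rate * (mean - self.mu)  # no alarm: refine fingerprint
        return False

def demo(seed=7):
    """8 benign nodes idle; then a 1-UL eavesdropper; then a terminated tap."""
    rng = random.Random(seed)
    monitor = IdleBiasMonitor(sample_idle_window(8, (), rng, n=2048))
    benign = monitor.check(sample_idle_window(8, (), rng))
    unit_load_tap = monitor.check(sample_idle_window(8, (R_UNIT_LOAD,), rng))
    terminated_tap = monitor.check(sample_idle_window(8, (120.0,), rng))
    return benign, unit_load_tap, terminated_tap
```

With these assumptions a single unit-load receiver shifts the idle level by under 1 mV, which the 256-sample window still separates from noise at a z-score far above the threshold, while the benign window stays below it.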
Journal description:
The IEEE Transactions on Automation Science and Engineering (T-ASE) publishes fundamental papers on Automation, emphasizing scientific results that advance efficiency, quality, productivity, and reliability. T-ASE encourages interdisciplinary approaches from computer science, control systems, electrical engineering, mathematics, mechanical engineering, operations research, and other fields. T-ASE welcomes results relevant to industries such as agriculture, biotechnology, healthcare, home automation, maintenance, manufacturing, pharmaceuticals, retail, security, service, supply chains, and transportation. T-ASE addresses a research community willing to integrate knowledge across disciplines and industries. For this purpose, each paper includes a Note to Practitioners that summarizes how its results can be applied or how they might be extended to apply in practice.