Two sub-optimal algorithms for detecting cyber/physical attacks on SCADA systems

Abstract : The problem of detecting cyber/physical attacks on Supervisory Control And Data Acquisition (SCADA) systems is addressed in this paper. The detection of attacks is formulated as the problem of detecting transient changes in stochastic-dynamical systems in the presence of unknown system states (often regarded as the nuisance parameter) and random noises. The negative impact of the nuisance parameter is eliminated by exploiting some well-known techniques in fault diagnosis community. The Variable Threshold Window Limited CUmulative SUM (VTWL CUSUM) algorithm is utilized to detect the changes in the sequence of residuals generated from either the Kalman filter or the parity space method. Taking into account the transient change detection criterion, minimizing the worst-case probability of missed detection given an acceptable level of the worst-case probability of false alarm, the thresholds are tuned for optimizing the VTWL CUSUM algorithm. It will be shown that the optimal VTWL CUSUM test is equivalent to the simple Finite Moving Average (FMA) detection rule. The theoretical results are applied to the problem of cyber/physical attack detection in a simple SCADA water distribution network. Moreover, the statistical performance comparison between the Kalman filter-based algorithm and the parity space-based counterpart is realized by using the Monte Carlo simulation.