Detection of Cyber Attacks in Industrial Control Systems by Intrinsic Sensor Data Analysis

Amir Globerson; Matan Gavish (HUJI); Ronen Talmon (Technion)

Recent years have seen an explosive increase in cyber attacks against industrial control systems (ICS). An additional threat that has received much attention as a result of the recent Stuxnet attack on Iranian nuclear facilities is sensor hijacking. Not only can cyber attackers attempt to gain control over the industrial system, they can also feed false information into the system’s sensors, creating a false impression of nominal system behavior at the control room, and keeping the ongoing attack covert while doing harm.

In the proposed research, we assume the worst-case scenario, in which an attacker has already gained control of a monitored ICS and has even hijacked its sensors. We propose to develop a last line of cyber defense: an ICS Takeover Detection System (ICS-TDS), designed to detect a cyber takeover of the monitored ICS even in the presence of successful sensor hijacking. The detection systems we propose to develop are stand-alone systems that continuously monitor the ICS without interrupting its function. This proposal describes a significant effort in cyber security of ICS, bringing together theory, algorithms and engineering. Specifically, the proposed project brings together fundamental mathematical research in manifold learning and in control theory, fundamental statistical research in high-dimensional sensor data analysis, fundamental research in machine learning under adversarial settings, development of practical and efficient algorithms that implement our fundamental results, and software engineering for implementing these algorithms efficiently.

Objective 1 – Fundamentals

  • High-dimensional covariance estimation
  • Intrinsic state estimation with auto-encoders
  • Adversarial detection
  • Optimal control

Objective 2 – Takeover Detection by Intrinsic State Monitoring

Objective 3 – Sensor Hijacking Detection

Objective 4 – ICS-TDS Proof-of-concept and Data Collection

A key component of our proposal is the construction of a “toy ICS”, such as a software-controlled power generator, fitted with numerous sensors. This system will allow an actual proof-of-concept in the controlled environment of a university lab.

We expect to have a visible impact on a number of fields in and around cyber security of ICS; to attract academic interest to a variety of fascinating theoretical questions raised by the monitoring of dynamical systems in the presence of adversarial inputs and by machine learning in adversarial conditions; and to prove that a low-budget experimental system can drive academic research with a revolutionarily short turnaround time from theoretical ideas to proof-of-concept implementations.

Tel Aviv University, P.O. Box 39040, Tel Aviv 6997801, Israel