An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems

To cite this version:H Abdo, M. Kaouk, J-M. Flaus, F. Masse. A safety/security risk analysis approach of industrial control systems: a cyber bowtie -combining new version of attack tree with bowtie analysis. Computers Security, 2017, 72, pp.175-195 AbstractThe introduction of connected systems and digital technology in process industries creates new cyber-security vulnerabilities that can be exploited by sophisticated threats and lead to undesirable safety accidents. Thus, identifying these vulnerabilities during risk analysis becomes an important part for effective industrial risk evaluation. However, nowadays, safety and securityare analyzed separately when they should not be. This is because a security threat can lead to the same dangerous phenomenon as a safety incident. In this paper, a new method that considers safety and security together during industrial risk analysis is proposed. This approach combines bowtie analysis, commonly used for safety analysis, with a new extended version of attack tree analysis, introduced for security analysis of industrial control systems. The combined use of bowtie and attack tree provides an exhaustive representation of risk scenarios in terms of safety and security. We then propose an approach for evaluating the risk level based on two-term likelihood parts, one for safety and one for security. The application of this approach is demonstrated using the case study of a risk scenario in a chemical facility.Keywords: Risk analysis, safety, cyber-security, bowtie analysis, Attack-Tree analysis, SCADA. INTRODUCTIONAnalyzing risks of industrial and complex systems such as those found in nuclear plants, chemical factories, etc., is of crucial importance given the hazards linked to these systems (explosion, dispersion, etc.) (Abdo and Flaus, 2016b). Quantifying and analyzing these major risks contributes to better decision making and ensures that risks are managed according to defined acceptance criteria (Arunraj and Maiti, 2007).Industrial safety risk analysis aims to evaluate undesirable risk scenarios that can lead to major accidents that affect human and the environment. Traditionally, a systematic risk analysis process is made up of three steps: (i) identification of risk scenarios, (ii) likelihood analysis, (iii) effect analysis (Purdy, 2010). Based on these steps, a level of risk will be given to each scenario to see if it is acceptable or not. If not, safety measures should be added to reduce the level of risk to an acceptable level by diminishing the likelihood or the effects. This work considers the first two steps. Identifying a risk scenario aims to explore how an undesirable hazard can be developed starting from causes and ending with the consequences. Likelihood analysis aims to estimate the likelihood of occurrence of risk scenarios. This estimate can be qualitative or quantitative depending on the available data.Traditional industries were based on mechanical devices and closed systems (Kriaa et al., 2015). Only safety related risks generated from accidental com...

show abstract

“…The use of ICS helps in increasing productivity, quality and flexibility in the manufacturing process (Almalawi et al, 2014).…”

Section: Industrial Automation and Controld System -Iacsmentioning

confidence: 99%

A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis

Abdo

Kaouk

Flaus

et al. 2018

Computers & Security

139

View full text Add to dashboard Cite

show abstract

“…The "home-area view" we suggest aims to detect arbitrary data injection attempts at their origin, i.e., compromised residential smart meters. Our framework complements the above-mentioned work since the alert output signal generated by our methods could serve as an additional input 3 to [18], [26]- [28].…”

Section: Related Workmentioning

confidence: 87%

“…Such countermeasures for detecting false data injection appear in [18], [26]- [28]. [26] proposes an adaptive cumulative sum test combined with a multivariate hypothesis testing problem to prevent an erroneous grid-state estimate.…”

Section: Related Workmentioning

confidence: 99%

“…[27] studies a graph theoretic method for securing an optimal set of meter measurements so that state estimation is not compromised. [18] couples anomalybased methods with a data integrity check to combat stealth attacks, while [28] looks for inconsistent grid behavior using clustering techniques. Instead, we tackle the problem from a different vantage point.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Correlative monitoring for detection of false data injection attacks in smart grids

Kallitsis

Michailidis

Tout

2015

2015 IEEE International Conference on Smart Grid Communications (SmartGridComm)

View full text Add to dashboard Cite

The overarching objective of the modernized electric grid, the smart grid, is to integrate two-way communication technologies across power generation, transmission and distribution to deliver electricity efficiently, securely and costeffectively. However, real-time messaging exposes the entire grid to security threats ranging from attacks that disable information exchange between smart meters and data fusion centers to spurious payload content that would lead to incorrect assessment of actual demand. Such nefarious activities can compromise grid stability and efficiency. Hence, it is important to ensure secure communications and quickly detect malicious activity; this article proposes a framework for detection of false data injection attacks in smart grids. We present a measurement-based situation awareness framework that combines evidence from sensors at home-area networks, and aims to infer anomalies that signify a coordinated, well-orchestrated attack on residential smart meters at increasing spatial scales. By leveraging multi-view sensor readings, we present a Bayesian-based correlative monitoring approach that quickly detects power shifts to anomalous regimes. We evaluate our algorithms using real-world power traces.

show abstract

“…The proposed test bed includes a comparison module that helps to identify potential attacks in the system. Almalawi et al [6] have suggested an unsupervised learning algorithm that will optimize the SCADA network traffic. They have used numerous pre-processing methods to control the integrity of the outlier data, in the data set of water plants.…”

Section: Introductionmentioning

confidence: 99%

Anomaly detection in industrial control systems using evolutionary-based optimization of neural networks

Mansouri¹,

Majidi²,

Shamisa³

2017

Communications on Advanced Computational Science with Applicati

View full text Add to dashboard Cite

Industrial control systems are increasingly used for control and monitoring of important infrastructure. Machine learning algorithms have the ability to discover patterns in large amounts of data and to create diagnosis models based on these patterns. Since modelling a large amount of unlabeled data is costly and time-consuming, the automated machine learning methods have the ability to detect anomalies in industrial control systems effectively. In this paper, first, twenty-four machine learning algorithms are evaluated for anomaly detection in gas distribution control network. Then dimensionality reduction algorithms are used to improve the accuracy of anomaly detection. Finally, by using an evolutionary based optimization for training a neural network, a new algorithm for prediction of anomalies in the SCADA system with high accuracy is proposed. The experimental results show that the proposed algorithm has the ability to detect the anomalies in the gas distribution control network with 97.5% accuracy.

show abstract

An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems

Cited by 103 publications

References 16 publications

A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis

A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis

Correlative monitoring for detection of false data injection attacks in smart grids

Anomaly detection in industrial control systems using evolutionary-based optimization of neural networks

Contact Info

Product

Resources

About