Departure-Based Intrusion Detection

Licentiate thesis, 2019

Industrial Control Systems (ICS) combine information technology with operation technology to monitor or control physical industrial processes via computer-based programs and often operate on critical infrastructures. As such, compromised or maliciously operated ICS can cause devastating consequences on society at large. To meet efficiency requirements, ICS are becoming increasingly connected to corporate networks and to the Internet, thereby elevating the risk of cyberattacks. Resilient and sustainable highly connected ICS therefore require a serious consideration of proper security measures. Securing ICS solely from an IT perspective, while necessary, proves insufficient because, at the physical layer, the critical process would remain unmonitored and therefore vulnerable to sabotage by the attackers. The recent years have witnessed an increased interest in process-level intrusion detection where the process network connecting field devices is monitored for malicious behavior. One prominent approach in the literature proposes to build a model of the physical process, which is then used to compare a predicted state with the actual state in the hope of identifying attacks. Building and using a predictive model of the physical process, however, is non trivial, domain specific, and prone to detection inaccuracies due to noise in the process data. This thesis introduces a novel model-free approach to detecting cyberattacks on ICS by monitoring the process network in real time and deciding when the system operation is departing from normal dynamics. The proposed process-aware stealthy-attack detection mechanism processes raw sensor measurements to capture the dynamics of the underlying control system during a training phase, and then during a detection phase, it measures the extent to which current sensor observations conform with the estimated dynamics. The thesis provides a comprehensive treatment of the introduced method by thoroughly discussing its theoretical basis, proving its efficacy through extensive experiments on various systems, and, finally, demonstrating its applicability to real environments.