
Trouble Brewing: Using Observations of Invariant Behavior to Detect Malicious Agency in Distributed Control Systems

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6027)

Abstract

Recent research on intrusion detection in supervisory control and data acquisition (SCADA) and DCS systems has focused on anomaly detection at protocol level based on the well-defined nature of traffic on such networks. Here, we consider attacks which compromise sensors or actuators (including physical manipulation), where intrusion may not be readily apparent as data and computational states can be controlled to give an appearance of normality, and sensor and control systems have limited accuracy. To counter these, we propose to consider indirect relations between sensor readings to detect such attacks through concurrent observations as determined by control laws and constraints.

We use a brewery bulk and fill pasteurizer as a specimen for biochemical processes. We motivate our approach by considering possible attacks and means of detection. Here we rely on the existence of non-linear relationships which allow us to attach a greater significance to small differences in sensor readings than would otherwise be the case and demonstrate the insufficiency of existing sensor placement and measurement frequency to detect such attacks.
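The following is an added illustration of the idea sketched in the abstract; it is not code from the paper or its authors, and the plant model is a constructed toy rather than the paper's pasteurizer model. It assumes a holding tube fed by a counter-flow heat exchanger, so that a steady-state energy balance (equal specific heat on both sides, constructed flow rates) links the reported tube temperature to an independent set of water-side sensors, and it uses the common brewing convention PU = t_min × 1.393^(T − 60) as the non-linear relation. The sensor scans, the flow rates and the tolerances are all constructed. The point it demonstrates is the one the abstract makes: a discrepancy that sits inside the temperature sensors' accuracy band is still a large, detectable discrepancy once the exponential relation is applied.

```python
"""Invariant-based consistency check for a pasteurizer holding tube (constructed toy model).

Two independent sensor groups observe the same heating event, so a steady-state
energy balance must hold between them (equal specific heat on both sides assumed):

    m_w * (Tw_in - Tw_out)  ==  m_p * (T_tube - T_product_in)

A second, non-linear relation, the brewing convention PU = t_min * 1.393 ** (T - 60),
turns a small temperature discrepancy into a large discrepancy in delivered
pasteurisation, which is what makes the small difference significant.
"""
from dataclasses import dataclass
from typing import List

Z_FACTOR = 1.393        # PU multiplier per degC above 60 degC (brewing convention; assumption, see lead-in)
WATER_FLOW_KG_S = 2.0   # constructed plant parameters
PRODUCT_FLOW_KG_S = 1.0


@dataclass(frozen=True)
class Sample:
    """One scan of the relevant sensors (constructed values)."""
    t_s: float            # time stamp, seconds
    tube_temp_c: float    # reported holding-tube temperature (the reading under suspicion)
    product_in_c: float   # product temperature entering the heater
    water_in_c: float     # heating-water inlet temperature
    water_out_c: float    # heating-water outlet temperature
    hold_time_s: float    # residence time in the holding tube


@dataclass(frozen=True)
class Finding:
    t_s: float
    reported_temp_c: float
    implied_temp_c: float
    pu_ratio: float       # implied PU / reported PU
    temp_alarm: bool      # linear check: |reported - implied| exceeds the sensor accuracy band
    pu_alarm: bool        # non-linear check: delivered PU off by more than the tolerance


def pasteurization_units(temp_c: float, hold_time_s: float) -> float:
    """PU delivered by holding at temp_c for hold_time_s (1 PU = 1 min at 60 degC)."""
    return (hold_time_s / 60.0) * Z_FACTOR ** (temp_c - 60.0)


def implied_tube_temp(sample: Sample, water_flow_kg_s: float, product_flow_kg_s: float) -> float:
    """Tube temperature that the water-side sensors imply through the energy balance."""
    if product_flow_kg_s <= 0 or water_flow_kg_s <= 0:
        raise ValueError("flows must be positive")
    heat_ratio = water_flow_kg_s / product_flow_kg_s
    return sample.product_in_c + heat_ratio * (sample.water_in_c - sample.water_out_c)


def check_sample(sample: Sample, water_flow_kg_s: float, product_flow_kg_s: float,
                 temp_tol_c: float = 1.0, pu_tol_frac: float = 0.10) -> Finding:
    """Compare the reported tube temperature with the one implied by independent sensors.

    temp_tol_c is the accuracy band of the temperature sensors: a discrepancy inside it
    cannot be told from noise on its own.  pu_tol_frac bounds the acceptable relative
    error in delivered PU, which the exponential relation amplifies.
    """
    implied = implied_tube_temp(sample, water_flow_kg_s, product_flow_kg_s)
    reported_pu = pasteurization_units(sample.tube_temp_c, sample.hold_time_s)
    implied_pu = pasteurization_units(implied, sample.hold_time_s)
    pu_ratio = implied_pu / reported_pu
    return Finding(
        t_s=sample.t_s,
        reported_temp_c=sample.tube_temp_c,
        implied_temp_c=implied,
        pu_ratio=pu_ratio,
        temp_alarm=abs(sample.tube_temp_c - implied) > temp_tol_c,
        pu_alarm=abs(1.0 - pu_ratio) > pu_tol_frac,
    )


def evaluate(samples: List[Sample], water_flow_kg_s: float, product_flow_kg_s: float) -> List[Finding]:
    """Run the consistency check over a sequence of scans."""
    return [check_sample(s, water_flow_kg_s, product_flow_kg_s) for s in samples]


# Constructed scans: the reported tube temperature sits at the 67 degC setpoint throughout,
# while the independent water-side sensors disagree with it in the last two scans.
SAMPLES = [
    Sample(0.0,  67.0, 55.0, 80.0, 74.0, 30.0),   # consistent: implied 67.0 degC
    Sample(10.0, 67.0, 55.0, 80.0, 74.4, 30.0),   # implied 66.2 degC: inside sensor band, ~23% PU shortfall
    Sample(20.0, 67.0, 55.0, 80.0, 75.5, 30.0),   # implied 64.0 degC: both checks fire
]

if __name__ == "__main__":
    for f in evaluate(SAMPLES, WATER_FLOW_KG_S, PRODUCT_FLOW_KG_S):
        print(f"t={f.t_s:5.1f}s reported={f.reported_temp_c:.1f} implied={f.implied_temp_c:.1f} "
              f"PU ratio={f.pu_ratio:.2f} temp_alarm={f.temp_alarm} pu_alarm={f.pu_alarm}")
```

In the second scan the two temperatures differ by 0.8 °C, which a ±1 °C sensor cannot distinguish from noise, yet the implied pasteurisation is about 23% below what the reported reading claims, so the non-linear check raises an alarm the linear one cannot. The check only works because the water-side sensors are a separate observation of the same event; if an adversary controls both sensor groups consistently, this invariant alone is silent, which is why the abstract argues for a set of concurrent relations rather than a single one.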



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

McEvoy, T.R., Wolthusen, S.D. (2010). Trouble Brewing: Using Observations of Invariant Behavior to Detect Malicious Agency in Distributed Control Systems. In: Rome, E., Bloomfield, R. (eds) Critical Information Infrastructures Security. CRITIS 2009. Lecture Notes in Computer Science, vol 6027. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14379-3_6

  • DOI: https://doi.org/10.1007/978-3-642-14379-3_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14378-6

  • Online ISBN: 978-3-642-14379-3

  • eBook Packages: Computer Science (R0)
