Survey and New Directions for Physics-Based Attack Detection in Control Systems

Published: November 21, 2016


David Urbina, Jairo Giraldo, Alvaro Cardenas, Junia Valente, Mustafa Faisal, Niles O. Tippenhauer, Justin Ruths, Richard Candell, Heinrik Sandberg


Monitoring the "physics" of control systems to detect attacks is a growing area of research. In its basic form a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements in order to identify potentially false control commands or false sensor readings. In this paper, we review previous work based on a unified taxonomy that allows us to identify limitations, unexplored challenges, and new solutions. In particular, we propose a new adversary model and a way to compare previous work with a new valuation metric based on the trade-off between false alarms and the negative impact of undetected attacks. We also show the advantages and disadvantages of three experimental scenarios to test the performance of attacks and defenses: a) real-world network data captured from a largescale operational facility, b) a fully-functional testbed that can be used operationally for water treatment, and c) a simulation of frequency control in the power grid.
Citation: Grant/Contract Reports (NISTGCR) - 16-010
Report Number:
Pub Type: NIST Pubs


cybersecurity, smart grid, manufacturing, industrial control systems
Created November 21, 2016, Updated November 10, 2018