Distributed Attack Detection in a Water Treatment Plant: Method and Case Study

Periodicals (2021)

Abstract
The rise in attempted and successful attacks on critical infrastructure, such as power grids and water treatment plants, has led to an urgent need for the creation and adoption of methods for detecting such attacks, which are often launched either by insiders or state actors. This paper focuses on one such method that aims at the detection of attacks that compromise one or more actuators and sensors in a plant, either through successful intrusion in the plant's communication network or directly through the plant computers. The method, labelled Distributed Attack Detection (DAD), detects attacks in real time by identifying anomalies in the behavior of the physical process in the plant. Anomalies are identified by using monitors that are implementations of invariants derived from the plant design. Each invariant must hold either throughout the plant operation or when the plant is in a given state. The effectiveness of DAD was assessed experimentally on an operational water treatment plant named SWaT that is a near-replica of commercially available large treatment plants. The method used in DAD was found to be effective in detecting stealthy and coordinated attacks.
Keywords
Cyber physical systems, cyber security, coordinated attacks, distributed attack detection, industrial control systems, invariants, SCADA, water treatment plant