Practical Detectors to Identify Worst-Case Attacks

Recent work into quantifying the impact of attacks on control systems has motivated the design of worst-case attacks that define the envelope of the attack impact possible while remaining stealthy to model-based anomaly detectors. Such attacks - although stealthy for the considered detector test - tend to produce detector statistics that are easily identifiable by the naked eye. Although seemingly obvious, human operators cannot simultaneously monitor all process control variables of a large-scale cyber-physical system. What is lacking in the literature is a set of practical detectors that can identify such unusual attacked behavior. In defining these, we enable automated detection of to-date stealthy attacks and also further constrain the impact of attacks stealthy to a set of combined detectors, both existing and new.