Detection and Differentiation of Replay Attack and Equipment Faults in SCADA Systems

Cited by: 46
Authors
Li, Dan [1 ]
Gebraeel, Nagi [1 ]
Paynabar, Kamran [1 ]
Affiliations
[1] Georgia Inst Technol, Dept Ind & Syst Engn, Atlanta, GA 30332 USA
Funding
U.S. National Science Foundation;
Keywords
Computer crime; SCADA systems; State-space methods; Measurement uncertainty; Linear systems; Time measurement; Attack detection; cybersecurity; fault diagnosis; replay attack (RA); supervisory control and data acquisition (SCADA);
DOI
10.1109/TASE.2020.3013760
Chinese Library Classification
TP [Automation technology; computer technology];
Discipline code
0812;
Abstract
Supervisory control and data acquisition (SCADA) systems are widely used for industrial control of critical infrastructures, such as power plants and manufacturing systems. There is abundant evidence of SCADA systems being subject to cyberattacks. With increasing interest in industrial digitization, the cybersecurity of SCADA systems is poised to become even more important. Equipment faults and cyberattacks can manifest themselves in a similar fashion, i.e., they can exhibit similar signatures. This article focuses on methods that are capable of distinguishing equipment faults from bona fide cyberattacks. In particular, we consider a relatively sophisticated form of cyberattack known as the "replay attack" (RA). We derive mathematical formalisms that distinguish the RA from several classes of equipment faults and verify our methodology through an extensive numerical study.
Note to Practitioners: This article is motivated by the problem of detecting replay cyberattacks in industrial control systems and differentiating them from equipment faults. Existing approaches mainly focus on the detection aspect but usually ignore the importance of differentiation. We propose an ensemble statistical process monitoring approach based on five statistical metrics. The statistical metrics are derived from a theoretical analysis that shows the data characteristics under each system anomaly, including replay attack (RA), controller fault, and plant fault. We mathematically prove that the signatures generated by the derived metrics can be used to differentiate an RA from the equipment faults. We conduct a sensitivity analysis of the detection delay of our method with respect to the magnitude of the cyberattack. Physical experiments on a rotating machinery setup show that the proposed approach applies to some simple real-world settings. In future research, we will address the scalability of our method as well as more general nonlinear system settings.
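The abstract's central point, that a residual-based monitor alone cannot tell a replay attack from an equipment fault and that an ensemble of differently sensitive metrics yields a distinguishing signature, can be reproduced on a toy loop. The following simulation is an added illustration for this record, not code from the paper, and the two indicators it uses (a windowed innovation mean test and an exact-repeat check on the measurement stream) are not the paper's five metrics. The scalar plant, noise levels, controller gain, fault magnitude, and the attacker's capture window are all assumed values chosen for the demonstration; it uses only the Python standard library.

```python
"""Toy SCADA loop: a plant fault and a replay attack seen through two indicators.

Added illustration, not the paper's method. Scalar linear plant, Kalman filter,
proportional controller; every parameter below is an assumption for the demo.
"""
import random
import statistics

A, B = 0.9, 1.0            # plant: x[k+1] = A*x[k] + B*u[k] + w[k]   (assumed)
Q, R = 0.1 ** 2, 0.2 ** 2  # process / measurement noise variances       (assumed)
K_CTRL = 0.5               # controller u[k] = -K_CTRL * xhat[k]; closed-loop pole 0.4
N, ONSET = 600, 300        # simulation length and step at which the anomaly starts
WINDOW = 50                # sliding window for the innovation mean test
REPEAT_RUN = 10            # consecutive exact repeats that flag a looped replay
FAULT_BIAS = 0.5           # additive plant offset modelling e.g. an actuator leak (assumed)


def simulate(scenario, seed=7):
    """Run one scenario ('normal', 'plant_fault' or 'replay').

    Returns (innovations, received_measurements, true_states, commanded_inputs).
    """
    rng = random.Random(seed)
    x, xhat, p, u = 0.0, 0.0, 1.0, 0.0   # true state, estimate, estimate variance, input
    rs, ys, xs, us = [], [], [], []
    recorded = []                        # attacker's capture of the readings y[100:150]
    for k in range(N):
        # The physical process always evolves, whatever the master is shown.
        bias = FAULT_BIAS if (scenario == "plant_fault" and k >= ONSET) else 0.0
        x = A * x + B * u + bias + rng.gauss(0.0, Q ** 0.5)
        y_true = x + rng.gauss(0.0, R ** 0.5)

        # What the SCADA master actually receives on the sensor channel.
        if scenario == "replay" and 100 <= k < 150:
            recorded.append(y_true)                      # attacker records benign traffic
        if scenario == "replay" and k >= ONSET:
            y = recorded[(k - ONSET) % len(recorded)]    # looped replay of old readings
        else:
            y = y_true

        # Kalman filter on received data, using the input the master itself commanded.
        xpred = A * xhat + B * u
        ppred = A * A * p + Q
        r = y - xpred                                    # innovation (residual)
        kf = ppred / (ppred + R)
        xhat = xpred + kf * r
        p = (1.0 - kf) * ppred
        u = -K_CTRL * xhat
        rs.append(r); ys.append(y); xs.append(x); us.append(u)
    return rs, ys, xs, us


def mean_shift_alarm(rs, threshold=5.0):
    """First step at which the windowed innovation mean leaves its baseline, else None.

    Baseline statistics are calibrated on the pre-onset period, assumed fault-free
    (a commissioning period in practice). A plant bias shifts the innovation mean;
    replayed benign data has the same innovation distribution as live benign data.
    """
    base = rs[WINDOW:ONSET]
    mu, sd = statistics.fmean(base), statistics.pstdev(base)
    for k in range(WINDOW, len(rs)):
        win_mean = statistics.fmean(rs[k - WINDOW + 1:k + 1])
        z = (win_mean - mu) / (sd / WINDOW ** 0.5)
        if abs(z) > threshold:
            return k
    return None


def exact_repeat_alarm(ys):
    """First step at which REPEAT_RUN consecutive readings are bit-identical to
    earlier readings, else None. A noisy analog sensor essentially never repeats
    a value exactly; a looped replay of captured frames does so on every step."""
    seen, run = set(), 0
    for k, y in enumerate(ys):
        run = run + 1 if y in seen else 0
        seen.add(y)
        if run >= REPEAT_RUN:
            return k
    return None


def signature(scenario):
    """Alarm times of both indicators; the pair is the scenario's signature."""
    rs, ys, _, _ = simulate(scenario)
    return {"mean_shift": mean_shift_alarm(rs), "exact_repeat": exact_repeat_alarm(ys)}


if __name__ == "__main__":
    for sc in ("normal", "plant_fault", "replay"):
        print(f"{sc:12s} {signature(sc)}")
```

Run as a script, the three scenarios print three distinct signatures: neither indicator fires on normal operation, only the mean test fires on the plant fault (a few steps after onset), and only the repeat check fires on the replay, while the residual monitor that most SCADA masters already run stays quiet throughout the attack. The exact-repeat check is deliberately the weakest possible replay indicator: an attacker who captures a long window or adds jitter defeats it, which is why the paper derives its metrics from the system's state-space model rather than from raw value matching.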
Pages: 1626 / 1639
Page count: 14