A statistical method for detecting cyber/physical attacks on SCADA systems

This paper addresses the problem of detecting cyber/physical attacks on Supervisory Control And Data Acquisition (SCADA) systems. The detection of cyber/physical attacks is formulated as the problem of detecting transient changes in stochastic-dynamical systems in the presence of unknown system states (often regarded as the nuisance parameter). The Variable Threshold Window Limited CUmulative SUM (VTWL CUSUM) test is adapted to the detection of transient changes of known profiles in the presence of nuisance parameter. Taking into account the performance criterion of the transient change detection problem, which minimizes the worst-case probability of missed detection for a given value of the worst-case probability of false alarm, the thresholds are tuned for optimizing the VTWL CUSUM algorithm. The optimal choice of thresholds leads to the simple Finite Moving Average (FMA) algorithm. The proposed algorithms are utilized for detecting the covert attack on a simple water distribution system, targeting at stealing water from the reservoir without being detected.