A Non-parametric Cumulative Sum Approach for Online Diagnostics of Cyber Attacks to Nuclear Power Plants

Abstract

Both stochastic failures and cyber attacks can compromise the correct functionality of Cyber-Physical Systems (CPSs). Cyber attacks manifest themselves in the physical system and, can be misclassified as component failures, leading to wrong control actions and maintenance strategies. In this chapter, we illustrate the use of a nonparametric cumulative sum (NP-CUSUM) approach for online diagnostics of cyber attacks to CPSs. This allows for (i) promptly recognizing cyber attacks by distinguishing them from component failures, and (ii) guiding decisions for the CPSs recovery from anomalous conditions. We apply the approach to the Advanced Lead-cooled Fast Reactor European Demonstrator (ALFRED) and its digital Instrumentation and Control (I&C) system. For this, an object-oriented model previously developed is embedded within a Monte Carlo (MC) engine that allows injecting into the I&C system both components (stochastic) failures (such as sensor bias, drift, wider noise and freezing) and cyber attacks (such as Denial of Service (DoS) attacks mimicking component failures).

Appendix A: The NP-CUSUM Algorithm

Without loss of generality, let us consider an accidental scenario a simulated over a mission time t _M, during which a cyber attack occurs at random time t _R (t _R < t _M). Considering a time interval dt, we can define the pre-attack signal mean value \( {\mu}_Y\left(Y(t)\right)=\sum \limits_tY(t)/t \), t = dt, 2dt, …, t, (t < t _R), where Y(t) is the measurement Y of a controlled variable y at time t under normal operation conditions (see Fig. A.1a, for example). Assume that DoS attacks lead to arbitrary and abrupt changes in the distributions of observations, such that the (unknown) post-attack mean value results to be \( {\theta}_Y\left(Y(t)\right)=\sum \limits_tY(t)/\left(t-{t}_R\right) \), t = t _R, t _R + dt, t _R + 2dt, … .

Fig. A.1

The NP-CUSUM algorithm: (a) a stream of measurement Y(t) of an accidental scenario in which a cyber attack occurring at time t _R; (b) the corresponding NP-CUSUM statistic S _Y (t) for diagnosing the cyber attack at the time to alarm τ _Y

We define a score function g _Y(Y(t)) as:

$$ {g}_Y\left(Y(t)\right)=\sum \limits_t{\omega}_y\cdot \Lambda \left(Y(t)\right)=\sum \limits_t{\omega}_y\cdot \left(\left|Y(t)-{\mu}_Y\right|-{c}_y(t)\right) $$

(A.1)

where ω _y is a positive weight that is used for normalizing Λ(Y(t)) and chosen equal to 1/σ _Y, where σ _Y is the standard deviation of Y(t), t = dt, 2dt, …, and the parameter c _y(t) depends on the past t-1 measurements as in Eq. (A.2):

$$ {c}_y(t)={\varepsilon}_y\cdot {\widehat{\theta}}_Y(t) $$

(A.2)

where ε _y is a tuning parameter belonging to the interval (0,1) and \( {\widehat{\theta}}_Y(t) \) is an estimate of the unknown mean value θ _Y(Y(t)). In practice, it is difficult to estimate \( {\widehat{\theta}}_Y(t) \) on-line. Hence, Eq. (A.1) is simplified in:

$$ \Delta {g}_Y\left(Y(t)\right)={\omega}_y\cdot \left(\left|Y(t)-{\mu}_Y\right|-{c}_y\right) $$

(A.3)

The score function S _Y(t) adopted in the NP-CUSUM algorithm is, then, defined as:

$$ {S}_Y(t)=\max \left\{0,{S}_Y\left(t-1\right)+\Delta {g}_Y\left(Y(t)\right)\right\} $$

(A.4)

where, S _Y(0) = 0.

In practice, with respect to a stream of measurement Y(t), the NP-CUSUM statistics S _Y(t) remain close to zero or slightly positive under normal operation conditions, whereas, it starts drifting and increasing when a cyber attack occurs at time t _R and, ends up with exceeding a predefined positive threshold h _y (see Fig. A.1b). An alarm can be triggered when S _Y(t) reaches h _y at the time of alarm:

$$ {\tau}_Y=\min \left\{t\ge 1:{S}_Y(t)\ge {h}_y\right\} $$

(A.5)

The detection delay dτ _Y between t _R and τ _Y depends on the choice of h _y. A good diagnostic algorithm is expected to perform with a low False Alarm Rate (FAR) and a small value dτ _Y.