Trouble Brewing: Using Observations of Invariant Behavior to Detect Malicious Agency in Distributed Control Systems

  • Thomas Richard McEvoy
  • Stephen D. Wolthusen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6027)


Recent research on intrusion detection in supervisory data acquisition and control (SCADA) and DCS systems has focused on anomaly detection at protocol level based on the well-defined nature of traffic on such networks. Here, we consider attacks which compromise sensors or actuators (including physical manipulation), where intrusion may not be readily apparent as data and computational states can be controlled to give an appearance of normality, and sensor and control systems have limited accuracy. To counter these, we propose to consider indirect relations between sensor readings to detect such attacks through concurrent observations as determined by control laws and constraints.

We use a brewery bulk and fill pasteurizer as a specimen for biochemical processes. We motivate our approach by considering possible attacks and means of detection. Here we rely on the existence of non-linear relationships which allow us to attach a greater significance to small differences in sensor readings than would otherwise be the case and demonstrate the insufficiency of existing sensor placement and measurement frequency to detect such attacks.


Keywords: SCADA, DCS, anomaly detection, pasteurizer, non-linear relationships





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Thomas Richard McEvoy (1)
  • Stephen D. Wolthusen (1, 2)

  1. Information Security Group, Department of Mathematics, Royal Holloway, University of London, Egham Hill, Egham, UK
  2. Norwegian Information Security Laboratory, Gjøvik University College, Gjøvik, Norway
