Using Physical Models for Anomaly Detection in Control Systems

Nils Svendsen, Stephen D. Wolthusen

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Supervisory control and data acquisition (SCADA) systems are increasingly used to operate critical infrastructure assets. However, the inclusion of advanced information technology and communications components and elaborate control strategies in SCADA systems increase the threat surface for external and subversion-type attacks. The problems are exacerbated by site-specific properties of SCADA environments that make subversion detection impractical; and by sensor noise and feedback characteristics that degrade conventional anomaly detection systems. Moreover, potential attack mechanisms are ill-defined and may include both physical and logical aspects.
This paper employs an explicit model of a SCADA system in order to reduce the uncertainty inherent in anomaly detection. Detection is enhanced by incorporating feedback loops in the model. The effectiveness of the approach is demonstrated using a model of a hydroelectric power plant for which several attack vectors are described.
Original languageEnglish
Title of host publicationCritical Infrastructure Protection III
Subtitle of host publicationProc. Third Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection
ISBN (Print)978-3-642-04798-5
Publication statusPublished - 23 Mar 2009

Cite this