Anomaly and attack detection in supervisory control networks for cyber-physical systems

As shown by recent episodes such as STUXNET or TRITON, supervisory networks in charge to control Cyber-Physical Systems (CPS) are prone to cyber-attacks that could potentially cause physical consequences in terms of disruption of the operational continuity (e.g., physical disruption of equipment) or in terms of safety of workers and their environment (e.g., waste water leakage or release of toxic gases). Traditional intrusion or anomaly detection systems have proven to be effective in detecting classical attack patterns but may fail to identify cyber-attacks that exploit the physical characteristics of the CPS. In this view, even a situation/configuration that is formally correct (e.g., the tank level below the upper limit) may become an anomaly depending on the physical condition and the dynamics of the process. In order to spot sophisticated attacks, it is mandatory to consider the dynamics of the physical system being controlled. Actually, this is the scope of this paper, where we show that considering a digital twin (i.e., a real-time simulation of the physical process) can be quite beneficial for the identification of some types of cyber-attacks but it is vulnerable to smart stealth threats. The proposed approach is validated with respect to a test bed environment featuring a small-scale hardware simulator of a water distribution network, a control network and a SCADA system.