Initial Application of Fault Detection Techniques to Cybersecurity Intrusion Detection

Industrial control systems recently have become the targets of cyber-attacks that manipulate the parameters of their normal operating procedures to produce unstable behavior. Previous research has shown that security solutions embedded within the system being protected can provide a method for cyber-attack detection. Fault detection, specifically system identification, can offer multiple methods of detection of deviations from set system parameters in a dynamic model representation of the industrial control system using the measurements obtained and the inputs specified during operation. In particular, this research effort uses different system identification techniques to determine if a system is operating as designed and configured. During the investigation for this Thesis a detection algorithm was created that monitors a system by comparing real time estimates of the dynamic model of the system with the known designed system dynamic model. When sufficient deviations between the estimated dynamic model and the known dynamic model are judged by the similarity algorithms, the detection algorithm informs system operators of the possible existence of an attack. The operators of the systems then use a series of guidelines created in this Thesis that examines the conditions and the situational disutility surrounding the event to help determine the likelihood of a cyber-attack versus a hardware or software failure. This Thesis will compare multiple existing systems identification techniques to determine how effective the selected techniques are at detecting cyber-attacks, with the criteria of success being the true positive rates, the false alarm rates, and the detection time.