Anomaly Detection in SCADA Systems: A State Transition Modeling

Abstract

Smart-Grid networks use Supervisory Control and Data Acquisition (SCADA) systems to bring measurement data from sensory nodes. These measurements drive the control decisions which are safety critical operations. SCADA communications now happen over TCP/IP networks and hence are susceptible to cyber attacks. As smart-grid is a critical infrastructure, it is essential to detect these cyber attacks. In this direction, our contributions in this paper are two-fold. First, we present three broad classes of network anomalies namely single message anomaly, message sequencing anomaly, and time based anomaly. We show that several cyber attacks in smart-grid networks can be detected by identifying these three types of anomalies. Second, we describe a novel state transition machine based model for identifying these three types of anomalies and hence different cyber attacks in smart-grid networks. Our state transition based model Deterministic Counting Timed Automata (DCTA) formalizes constraints on message attributes, timing of events, and counter values associated with states to detect these anomalies. We experiment with a publicly available dataset and show that DCTA is capable of detecting various cyber attacks with 100% detection rate in the best case for most of the attacks considered. We also benchmark its performance with recent methods found in the literature. IEEE