CCS2018

Truth Will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems

Wissam Aoudi, Mikel Iturbe, Magnus Almgren

Cited 110 times

Abstract

Recent incidents have shown that Industrial Control Systems (ICS) are becoming increasingly susceptible to sophisticated and targeted attacks initiated by adversaries with high motivation, domain knowledge, and resources. Although traditional security mechanisms can be implemented at the IT-infrastructure level of such cyber-physical systems, the community has acknowledged that it is imperative to also monitor the process-level activity, as attacks on ICS may very well influence the physical process. In this paper, we present PASAD, a novel stealthy-attack detection mechanism that monitors time series of sensor measurements in real time for structural changes in the process behavior. We demonstrate the effectiveness of our approach through simulations and experiments on data from real systems. Experimental results show that PASAD is capable of detecting not only significant deviations in the process behavior, but also subtle attack-indicating changes, significantly raising the bar for strategic adversaries who may attempt to maintain their malicious manipulation within the noise level.