Abstract

The inclusion of Information and Communication Technologies (ICTs) in industrial control systems (ICSs) has opened ICSs to several attack vectors, which are increasingly targeting critical infrastructure. Accurate detection and distinction between benign physical disturbances, malicious cyber-attacks, and malicious physical-attacks are necessary to protect critical infrastructure. While cyber sensors provide a useful tool to identify and mitigate cyber attacks, they often ignore the physical behavior of the system at hand. In this paper, we present a cyber-physical sensor called IREST (ICS Resilient Security Technology). The sensor takes a holistic approach in detecting anomalies by considering both cyber and physical disturbances in a complex system. The sensor was tested under different cyber-physical scenarios using the Idaho CPS SCADA Cybersecurity (ISAAC) testbed. The test scenarios capture different operational states of the CPS testbed, including various cyber and physical anomalies. The experiments show that the IREST sensor is able to detect both cyber and physical anomalies. The sensor has the benefit that training requires only normal data and is able to detect disturbances that have not been seen before. The presented approach provides a scalable framework for cyber-physical security research that can be expanded in the future.