A Data-Driven Framework for Verified Detection of Replay Attacks on Industrial Control Systems

This paper addresses data-driven replay attack detection on industrial control systems. The primary challenge in detection lies in distinguishing replayed sensor measurements from normal measurements using only time series data. This is tackled through a novel two-stage detection and verification framework. The first stage consists of continuous real-time monitoring of sensor measurement patterns using matrix profile based change-point detection, used to indicate a possibility of a replay attack. The second stage verifies the presence of a replay attack by introducing spatial features to newly defined time series data. This is implemented by generating spectrograms of the time series measurements using short-time Fourier transform. Then, the spectrograms are split into image frames to form temporal sequences, creating spatio-temporal features that distinguish replay attacks. To capture both the spatial and temporal features, we utilise a Convolutional Long Short-Term Memory (ConvLSTM) neural network and implement it in an autoencoder architecture, in order to analyse data patterns in an unsupervised manner, where the replay attack is detected based on the reconstruction error. We demonstrate the effectiveness of our framework in the detection of different replay attack scenarios using the Tennessee Eastman process benchmark simulation system/process. Note to Practitioners —This paper is motivated by the importance of cyberattack detection in industrial control systems that are essential for the stable operation of many practical applications, such as in chemical processing and manufacturing plants, and power and water distribution networks. Specifically, replay attack detection using data-driven methods is explored, eliminating the need for an accurate process model which may be tedious to obtain. However, the attack's implementation using actual/valid operational data to replicate normal behaviour, makes it difficult to detect using basic data-driven methods, resulting in an increased likelihood of false alarms or missed detection. To address this challenge, a two-stage detection and verification framework is proposed. The first stage performs real-time monitoring of sensor measurements using change-point detection on time series data patterns. The second stage verifies the occurrence of a replay attack by introducing spatial features to newly defined time series data. This framework therefore eliminates false/missed detection, and offers practitioners a robust method to enhance security measures in industrial control systems, minimising the risks posed by malicious replay attacks.