A transfer function based intrusion detection system for SCADA systems

Most SCADA and industrial control systems have a limited and deterministic set of behaviors that results with a relatively small amount of variability during normal system operation. Automatic controller commands, operator commands and sensor measurement data within the system may be modified by an attacker to cause system failures. To detect these intrusions a Transfer Function based Intrusion Detection System (TFIDS) is proposed in this paper. Normal operational behaviors can be modeled and integrated into the TFIDS with alarm filtering and reporting rules. Trust anchors within the system are required to collect some of the signals, ensure the signal integrity when delivered to the TFIDS, and to host the TFIDS if physical attacks are a concern. This paper provides an overview of the TFIDS and simulation results for attacks on a waste water treatment system with and without the TFIDS.