Thesis Title: Online Detection Against Cyberattacks in Cyber-Physical Systems

Advisors:

Dr. Nagi Gebraeel, School of Industrial and Systems Engineering, Georgia Tech

Dr. Kamran Paynabar, School of Industrial and Systems Engineering, Georgia Tech

Committee Members:

Dr. Jianjun Shi, School of Industrial and Systems Engineering, Georgia Tech

Dr. Sakis Meliopoulos, School of Electrical and Computer Engineering, Georgia Tech

Dr. Deepakraj Divan, School of Electrical and Computer Engineering, Georgia Tech

Date and Time: Monday, June 21, 2021, @ 10:00 am (EST)

Meeting URL (BlueJeans): https://bluejeans.com/217961482

Meeting ID (BlueJeans): 217961482

Abstract:

Initiatives like Industry 4.0 and technological frameworks such as the Internet-of-Things have prompted a growing wave of digital transformation across numerous industrial sectors ranging from manufacturing and power generation plants to critical infrastructure systems like power networks, waste-water management, and natural gas pipeline networks. The transformation of these systems into cyber-physical systems (CPSs) has also created unique cybersecurity vulnerabilities. This thesis focuses on detecting and identifying cyberattacks that target the physical performance and reliability of these systems.

In Chapter 2, we develop an integrated data-driven framework for detecting replay cyberattacks in industrial plants and distinguishing them from naturally occurring equipment faults. We explore how to differentiate replay attacks from four types of equipment fault scenarios namely, controller fault, plant fault, sensor fault, and plant degradation. We derive unique statistical measures and a unique coding scheme for all fault/attack combinations to identify each type of fault and differentiate it from a replay attack. We evaluate our methodology through extensive numerical studies and demonstrate its applicability on a rotating machinery application.

Chapter 3 focuses on covert attacks, specifically attacks that target the reliability of critical industrial assets by accelerating their physical degradation. We derive the generic covert attack model under a linear time-invariant dynamic system setting represented by a state-space model and parameterize the relationship between the operating conditions of the plant and the degradation rate of the asset. We derive the mean shift of the residuals under degradation and use that as the basis to identify abnormal degradation rates caused by a covert cyberattack. We design two likelihood ratio tests that use residuals to estimate the onsets of degradation and detect a covert attack. We investigate the impact of system dynamics and severity of a covert attack on detection delay using an extensive numerical study. We also apply our detection model to a rotating machinery testbed.

In contrast to Chapters 2 and 3 that focus on individual plants, Chapter 4 develops a cyberattack detection and localization framework for power transmission systems comprised of an Independent System operator (ISO) and multiple Regional Control Centers (RCCs). We demonstrate a generic mechanism of covert attacks on a regional control center under the setting of a networked power generation control operated by the RCCs and managed by the ISO.  We use the Sparse Group Lasso (SGL) coupled with the system state estimation to extract and differentiate the impact of a covert attack on the attacked region and its neighboring regions, which is represented by the SGL coefficients. These coefficients are used as the basis of our attack detection and localization scheme, where the magnitude of the coefficients is used for detection, and the sparsity of the coefficients is used for localization. We demonstrate the effectiveness of our proposed method through a simulation study on the IEEE 14-bus and the IEEE 118-bus system models.

In Chapter 5, we extend the power network model to a generic cyber-physical network setting where multiple assets are connected with a control center. We develop a data-driven framework that can be used to detect, diagnose, and localize a type of cyberattack called covert attacks on industrial CPS networks. The framework has a hybrid design that combines an autoencoder, a recurrent neural network (RNN) with a Long-Short-Term-Memory (LSTM) layer, and a Deep Neural Network (DNN). This data-driven framework considers the temporal behavior of a generic physical system that extracts features from the time series of the sensor measurements that can be used for detecting covert attacks, distinguishing them from equipment faults, as well as localize the attack/fault. We evaluate the performance of the proposed method through a realistic simulation study on the IEEE 14-bus model as a typical example of a CPS network. We compare the performance of the proposed method with the traditional model-based method to show its applicability and efficacy.