Security Analysis of Control System Anomaly Detectors

Abstract: Anomaly detectors in control systems are used to detect system faults and they are typically based on an analytical system model, which gener-ates residual signals to find a fault. The detectors are designed to detect randomly occurring faults but not coordinated malicious attacks on the system.Therefore three different anomaly detectors, namely a detector solely based on the last residual, a multivariate exponentially weighted moving average filter and a cumulative sum, are investigated to determine which detector yields the smallest worst-case impact of a time-limited data in-jection attack.For this reason optimal control problems are formulated to characterize the worst-case attack under different anomaly detectors, which lead to non-convex optimization problems. Relaxations to convex problems are proposed and solved numerically and in special cases also analytically. The detectors are compared by solving the optimal control problems for a simple simulation example as well as a quadruple-tank process. Simu-lations and experiments show that the cumulative sum seems to be the detector to choose, if one wants to limit the worst-case attack impact.