Design and Detection of Covert Man-in-the-Middle Cyberattacks on Water Treatment Plants

Victor Mattos, João Henrique Schmidt, Amit Bhaya, Alan Oliveira de Sá, Daniel Sadoc Menasché, Gaurav Srivastava

TL;DR

The paper investigates covert MitM attacks on water treatment plants guided by system identification, using a SOPTD plant with a Smith Predictor for realistic attack dynamics. It formulates a covert attack architecture, derives how model error and noise influence detectability, and compares PASAD against CUSUM detectors under extensive simulations. The results show PASAD to be more robust than CUSUM to gradual, high-precision attacks and to noise, highlighting the need for stronger anomaly detection in industrial control systems. By combining incident analysis, a principled attack design, and a detector comparison, the work clarifies security risks for water infrastructure and suggests practical directions for defense and future research.

Abstract

Cyberattacks targeting critical infrastructures, such as water treatment facilities, represent significant threats to public health, safety, and the environment. This paper introduces a systematic approach for modeling and assessing covert man-in-the-middle (MitM) attacks that leverage system identification techniques to inform the attack design. We focus on the attacker's ability to deploy a covert controller, and we evaluate countermeasures based on the Process-Aware Stealthy Attack Detection (PASAD) anomaly detection method. Using a second-order linear time-invariant model with time delay, representative of water treatment dynamics, we design and simulate stealthy attacks. Our results highlight how factors such as system noise and inaccuracies in the attacker's plant model influence the attack's stealthiness, underscoring the need for more robust detection strategies in industrial control environments.

Paper Structure

This paper contains 17 sections, 2 theorems, 8 equations, 8 figures, 3 tables.

Key Result

Lemma 1

Let the true plant be $P$, and let the attacker use $\Pi_u = \alpha \cdot P$, with $\alpha > 0$. If a covert input $\mu$ is injected and the attacker sets $y_{\mathrm{ma}} = y - \gamma$, where $\gamma = \Pi_u \cdot \mu$, then under zero noise/disturbance, $r = y_{\mathrm{ma}} - y_{\mathrm{nominal}}
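As an added illustration (example code, not from the paper), the following simulation instantiates the setting of Lemma 1 on a constructed second-order plant with transport delay under PI control: the attacker adds $\mu$ on the actuator path and subtracts $\gamma = \Pi_u \cdot \mu$ with $\Pi_u = \alpha \cdot P$ from the sensor path, and the residual $r = y_{\mathrm{ma}} - y_{\mathrm{nominal}}$ is then scored by a two-sided CUSUM of the kind the paper compares against PASAD. The plant and controller coefficients, the unit-step $\mu$, and the CUSUM drift are constructed assumptions, not values from the paper.

```python
# Added example, not the paper's code: simulate Lemma 1's covert attack on a
# constructed second-order plant with transport delay under PI control, then
# score the residual r = y_ma - y_nominal with a two-sided CUSUM detector.
A1, A2, B, DELAY = 1.5, -0.56, 0.06, 3   # poles 0.7, 0.8; unit static gain
KP, KI = 0.4, 0.02                        # PI gains (per sample), constructed

def simulate(alpha, mu_step=1.0, ref=5.0, attack_start=150, steps=400):
    """Closed-loop run; alpha=None disables the attack. Returns y_ma (what the
    operator sees) and the true output y, sample by sample."""
    y, gamma, y_ma = [0.0] * steps, [0.0] * steps, [0.0] * steps
    u_hist, mu_hist = [0.0] * steps, [0.0] * steps   # actuator and injected mu
    integ = 0.0
    for k in range(2, steps):
        mu = mu_step if alpha is not None and k >= attack_start else 0.0
        mu_hist[k] = mu
        i = k - 1 - DELAY                          # index of the delayed input
        u_del = u_hist[i] if i >= 0 else 0.0
        mu_del = mu_hist[i] if i >= 0 else 0.0
        # True plant P, driven by the command actually on the wire (u + mu).
        y[k] = A1 * y[k - 1] + A2 * y[k - 2] + B * u_del
        # Attacker's model Pi_u = alpha * P predicts the effect of mu, gamma.
        a = 0.0 if alpha is None else alpha
        gamma[k] = A1 * gamma[k - 1] + A2 * gamma[k - 2] + a * B * mu_del
        y_ma[k] = y[k] - gamma[k]                  # falsified sensor reading
        err = ref - y_ma[k]                        # the PI loop only sees y_ma
        integ += err
        u_hist[k] = KP * err + KI * integ + mu     # mu added on actuator path
    return y_ma, y

def residual(alpha, **kw):
    """r = y_ma - y_nominal: attacked run against the clean run."""
    y_ma, _ = simulate(alpha, **kw)
    y_nom, _ = simulate(None, **kw)
    return [a - b for a, b in zip(y_ma, y_nom)]

def cusum_stat(r, drift=0.005):
    """Two-sided CUSUM over the residual; returns the peak statistic."""
    s_pos = s_neg = peak = 0.0
    for rk in r:
        s_pos = max(0.0, s_pos + rk - drift)
        s_neg = max(0.0, s_neg - rk - drift)
        peak = max(peak, s_pos, s_neg)
    return peak

def leakage(alpha):
    """(max |r|, peak CUSUM) for model-error factor alpha; both ~0 at alpha=1."""
    r = residual(alpha)
    return max(abs(v) for v in r), cusum_stat(r)
```

Calling `leakage(alpha)` for alpha in (1.0, 0.9, 0.8) gives a residual that is numerically zero at alpha = 1 and, because the loop is linear, scales exactly with |1 - alpha| otherwise, which the CUSUM peak tracks.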

Figures (8)

  • Figure 1: Architecture of the MitM attack, based on [smith]. The detector block $D$ is described in the detection design section.
  • Figure 2: From left to right: sensor measurements before ($y_m$) and after ($y_{ma}$) manipulation; PASAD detector; CUSUM detector, with their respective thresholds given by the red dashed line. In this example, the maximum PASAD and CUSUM detection statistics are $1.29 \cdot 10^{-4}$ and $2.87 \cdot 10^{-2}$, respectively.
  • Figure 3: Maximum CUSUM detection statistic as a function of change-of-reference and multiplicative model error.
  • Figure 4: Maximum PASAD detection statistic as a function of change-of-reference and multiplicative model error.
  • Figure 5: CUSUM classification results. Dual-threshold detection using both positive and negative excursions.
  • ...and 3 more figures

Theorems & Definitions (4)

  • Lemma 1: Residual Leakage Due to Model Error
  • Proof of Lemma 1
  • Theorem 1: Probabilistic Stealth Success Under Noise
  • Proof of Theorem 1