Thesis Defence: Data-Driven Detection and Verification of Replay Attacks on Industrial Control Systems

Sara Gargoum, supervised by Dr. Ahmad Al-Dabbagh, will defend their thesis titled “Data-Driven Detection and Verification of Replay Attacks on Industrial Control Systems” in partial fulfillment of the requirements for the degree of Master of Applied Science in Electrical Engineering.

An abstract for Sara Gargoum’s thesis is included below.

Defences are open to all members of the campus community as well as the general public. Please email ahmad.aldabbagh@ubc.ca to receive the Zoom link for this defence.

---

ABSTRACT

With the advent of Industrial Internet of Things and the push towards digitization, industrial control systems have undergone an increase in connectivity, which enables remote monitoring and control. This in turn has led to their increased vulnerability to several cyberattacks. These attacks can have severe consequences, including equipment damage, service disruption, and even compromising public safety. This thesis focuses on a certain type of cyberattacks, called replay attack. A replay attack involves capturing legitimate communication signals between components in an industrial control system and replaying it later to disrupt system operations or perform other physical attacks.

This thesis presents a comprehensive study on the detection of replay attacks on sensor measurements in industrial control systems. Utilising the vast amount of operational data (i.e. sensor measurements) generated by industrial control systems, a novel data-driven two-stage detection and verification framework is proposed. The proposed framework combines statistical techniques, signal processing and deep learning to detect replay attacks on industrial control systems. The first stage of the detection method consists of continuous monitoring of sensor measurements by performing change-point detection based on the corresponding matrix profile. This stage provides an early indicator of a potential replay attack. The second stage provides a validation of whether the detected change-point is due to a replay attack or not. This stage consists of performing time-frequency analysis using short-time Fourier transform to generate a spectrogram, introducing spatial features to the time-series sensor measurements. Then, the spectrogram is split into image frames, creating spatio-temporal features. A Convolutional Long-Short Term Memory based autoencoder (ConvLSTM-AE) is designed to capture these spatio-temporal features in an unsupervised manner, where a replay attack is detected based on the reconstruction error. To evaluate the effectiveness of the proposed detection and verification framework, it is tested on different replay attack scenarios defined, in data generated using the Tennessee Eastman process benchmark simulation system/process.