Aerospace and Electronic Systems Magazine May 2017 - 37

Do et al.
between the control center and the MTUs (i.e., attack point
A4 in Figure 2). Sometimes, firewalls and VPNs can be used
to prevent the intrusion into SCADA systems through vendor
networks and local terminals (i.e., attack points A7 and A8 in
Figure 2). However, the Stuxnet incident [47], [81] and the
pumping station incident [45] have given strong evidence
that these IT-based tools can provide only necessary mechanisms for the security of SCADA systems. The complete
protection of these large-scale ICSs against cyber-physical
attacks requires a defense-in-depth strategy, in which safety-critical infrastructures are protected by layers of security
[41], [58], [63], [82].
Moreover, SCADA systems are different from IT systems
in many aspects. First, the requirement of continuous operation
prevents SCADA systems from applying IT security solutions
like antivirus software updates. Sometimes, unscheduled software updates may cause huge damage to safety-critical infrastructures (see, for example, [46]). Second, it is extremely difficult to implement traditional security solutions in the lower layers
of SCADA systems. For example, advanced encryption algorithms, which require a huge amount of computational resources, cannot be implemented in communication channels between
PLCs and sensors or actuators because of their real-time requirements [53]. Third, standardized wireless technologies are
often utilized for transmitting data over long distances because
of their geographic dispersal. These modern technologies are
public knowledge; hence, it is not difficult for highly skilled
hackers to hack into the wireless communication of SCADA
systems. Finally, the key difference between SCADA systems
and IT systems lies in the interaction of the control systems with
the physical world. However, classical IT-based solutions do
not exploit the compatibility of the cyber layer (e.g., control
algorithms, command signals, control signals, and sensor measurements) with the physical layer (e.g., actuators, sensors, or
physical processes) and thus are ineffective against cyber-physical attacks targeted at disrupting the physical processes [7].
Taking into account the interaction between the cyber layer and
the physical processes, the data-based approach and the model-based approach can be considered complementary solutions to
information security-based methods.

DATA-BASED APPROACH
The data-based approach does not require system and attack models for the detection and isolation of attacks. This approach, as
its name implies, is based on machine learning and pattern recognition techniques for analyzing hidden patterns in the observed
training dataset (e.g., command signals, control signals, and sensor measurements) without direct use of the (statistical) parametric
model of SCADA.

Machine Learning
Statistical learning theory has provided a theoretical framework for
various machine learning and pattern recognition algorithms [83],
[84]. The principal objectives of machine learning are to study linear
or nonlinear relations within a given training dataset and to
elaborate decision functions for generalizing the performance to
new, unseen samples, i.e., patterns not extant in the training dataset
[85]-[87].
Machine learning techniques can be broadly classified into
two main categories: supervised and unsupervised. Supervised
machine learning means that learning examples are labeled (e.g.,
normal operation or attack). Unsupervised machine learning exploits examples that are not labeled. Machine learning has been
adapted to various learning problems, ranging from detection,
classification, and regression to data analysis [85] using kernel
methods. In principle, these methods are based on the estimation of unknown statistical properties from observed data. For
the detection problem, we determine whether a new observation
is a realization of the distribution or it is an outlier. For the isolation problem, we need to assign the new observation to one of
the predefined (or estimated) distributions. Kernel methods owe
their name to the use of kernel functions, which enable them to
operate in a high-dimensional space, generally named feature
space  , without ever computing the coordinates of the data in
that space. The kernel function is used to compute directly inner
products in  . Projecting data in  allows one to simplify the
data processing. For example, under appropriate assumptions, a
linear classifier in  is equivalent to a nonlinear classifier in the
original space.
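
The kernel trick and the detection problem described above, as an added example that is not code from the article: a one-class detector that measures the squared distance from a sample to the mean of the training data in feature space using only kernel evaluations. The centroid rule (a simplification, with no optimization of the center), the Gaussian kernel width, the 95% threshold and the pump-curve readings are all assumptions constructed for this illustration.

```python
import math

def rbf(x, y, gamma=2.0):
    """Gaussian kernel: the inner product of x and y in an implicit feature space."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

def linear(x, y):
    """Ordinary dot product: the feature space is the original space itself."""
    return sum(a * b for a, b in zip(x, y))

class KernelCentroidDetector:
    """One-class detector: squared distance to the mean of the training data
    in feature space, evaluated only through kernel calls (no coordinates)."""

    def __init__(self, train, kernel, quantile=0.95):
        self.train, self.kernel = list(train), kernel
        n = len(self.train)
        # ||center||^2 = (1/N^2) * sum_ij k(x_i, x_j), constant for all queries
        self.center_norm2 = sum(kernel(a, b) for a in self.train
                                for b in self.train) / n ** 2
        # Threshold learned from normal data only: a high quantile of training distances
        d = sorted(self.dist2(x) for x in self.train)
        self.threshold = d[min(n - 1, int(quantile * n))]

    def dist2(self, x):
        # ||phi(x) - center||^2 = k(x,x) - (2/N) sum_i k(x,x_i) + ||center||^2
        cross = sum(self.kernel(x, xi) for xi in self.train) / len(self.train)
        return self.kernel(x, x) - 2.0 * cross + self.center_norm2

    def is_outlier(self, x):
        return self.dist2(x) > self.threshold

# Constructed normal-operation samples (flow, pressure) on a hypothetical pump
# curve p = 4 - q^2 with small deterministic jitter; not data from the article.
NORMAL = [(0.05 * i, 4.0 - (0.05 * i) ** 2 + 0.05 * math.sin(7 * i))
          for i in range(40)]

def classify(sample):
    """Return (flagged_by_linear, flagged_by_rbf) for one (flow, pressure) sample."""
    return (KernelCentroidDetector(NORMAL, linear).is_outlier(sample),
            KernelCentroidDetector(NORMAL, rbf).is_outlier(sample))

if __name__ == "__main__":
    # Low flow with low pressure: each value is in range, but the pair is off the curve.
    print("off-curve (0.2, 0.5):", classify((0.2, 0.5)))
    print("on-curve  (1.0, 3.0):", classify((1.0, 3.0)))
```

With the linear kernel the rule is a plain sphere around the mean in the original space and accepts the off-curve reading; with the Gaussian kernel the same rule follows the curve and rejects it.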

Data-Based Attack Detection and Isolation
Kernel methods have been considered for detecting and isolating
malicious attacks on SCADA systems. The detection and isolation
of attacks could be solved by one-class classification and multiclass classification techniques, respectively.
Detection problem: In safety-critical applications such as power grids, water networks, or gas pipelines, it is difficult to acquire
data related to malfunctioning modes or critical states: there isn't
much (if any) of it, and generally the only available data for learning is acquired during normal operation. Therefore, the one-class
classification approach has been considered an elegant solution
for detecting abnormal behavior in technical processes [88]-[90].
Several one-class classifiers have been introduced for solving the
attack detection problem [87], [91]. The proposed algorithms have
been tested in real datasets from a SCADA gas pipeline testbed and
a SCADA water treatment testbed.
The one-class classifiers learn from normal data and design decision functions for testing new samples that are not in the training
data. The main idea is to enclose the learning data within a boundary of minimum volume. The data inside this boundary are considered normal data, while the data outside this volume are treated as
outliers (Figure 4). As an illustration, let us consider the support
vector data description (SVDD) [89]. Given a training dataset $x_i$ ∈
 , i ∈ {1,...,N}, in a p-dimensional space  , the SVDD estimates
the hypersphere with the minimum radius that encompasses all
data in the feature space  . The hypersphere is characterized by its
center a and its radius R > 0. The SVDD method seeks to minimize
R, which is equivalent to minimizing $R^2$ for R > 0. To avoid a large
description that does not represent the data well, the presence of

IEEE A&E SYSTEMS MAGAZINE
