Detection of Cyber Physical Attacks on Water Distribution Systems via Principal Component Analysis and Artificial Neural Networks

Automated monitoring and operation of modern water distribution systems (WDSs) are largely dependent on an interconnected network of computers, sensors, and actuators that are jointly coordinated by a supervisory control and data acquisition (SCADA) system. Although the implementation of such embedded systems enhances the reliability of the WDS, it also exposes it to cyber-physical attacks that can disrupt the system’s operation or compromise critical information. Hence, the development of attack detection algorithms that can efficiently diagnose and identify such assaults is crucial for the successful application of these automated systems. In this study, we developed an algorithm to identify anomalous behaviors of the different components of a WDS in the context of the Battle of the Attack Detection Algorithms (BATADAL). The algorithm relies on using multiple layers of anomaly detection techniques to identify both local anomalies that affect each sensor individually, as well as global anomalies that simultaneously affect more than one sensor at the same time. The first layer targets finding statistical outliers in the data using simple outlier detection techniques. The second layer employs a trained artificial neural networks (ANNs) model to detect contextual anomalies that does not conform to the normal operational behavior of the system. The third layer uses principal component analysis (PCA) to decompose the high-dimensional space occupied by the given set of sensor measurements into two sub-spaces representing normal and anomalous network operating conditions. By continuously tracking the projections of the data instances on the anomalous conditions subspace, the algorithm identifies the outliers based on their influence on the directions of the principal components. The proposed approach successfully predicted all of the pre-labeled attacks in the validation data set with high sensitivity and specificity. However, for all the detected attacks, the algorithm maintained a false “under attack” status for a few hours after the threat no longer existed.