Intrusion Detection in Critical Infrastructure
Much of our most important infrastructure is a cyber-physical system. The power grid is a prime example: a physical network governed by the laws of physics and controlled through a cyber network. An attack on the communication network that controls the power grid could cause not only temporary blackouts but also permanent damage to generators and transformers. Stuxnet is a well-known example of a cyber-physical attack, in which a computer worm was used to destroy Iranian uranium-enrichment centrifuges. Water systems, gas pipelines, and military bases are other systems vulnerable to attacks that enter through the cyber side and have consequences in the physical world. This talk presents work from a project to detect intrusions into such a system, using data from the climate control system of an office building at Los Alamos National Laboratory. We treat the problem as anomaly detection in streams of data collected from sensors on the infrastructure, ultimately to be combined with cyber (network) traffic. The talk presents a method for characterizing typical behavior in such streams, a key step for the anomaly detection: we adapt a hidden Markov model (HMM) originally used for time-series alignment to estimate recurring patterns in multivariate time series. The HMM architecture provides a way to filter the data as it streams and to produce standardized residuals that can be used to detect intrusions.
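The filtering step described in the abstract, as an added example that is not code from the talk or from the Los Alamos project: a profile-style left-to-right HMM whose hidden states are positions in a recurring daily template, fitted by Viterbi alignment (hard EM) to constructed two-sensor cycles, then run as a forward filter that emits one standardized residual per sensor for every new sample. The stay/advance/skip probabilities, the 4-sigma flag threshold, the pooled per-sensor noise scale, the constructed sensor data and every function and class name here are assumptions; the talk's own model and estimation procedure may differ.

```python
"""Added example (not the talk's code): a profile-style HMM whose hidden states are
positions in a recurring template, one per step of a daily cycle; left-to-right moves
let a cycle stall (stay), proceed (advance) or compress (skip). Training cycles are
Viterbi-aligned and the template re-estimated (hard EM); a forward recursion then
filters the live stream into standardized residuals. Data and constants are assumed."""
import math
import random
from statistics import mean

STAY, ADVANCE, SKIP = 0.15, 0.75, 0.10          # assumed transition probabilities
MOVES = ((0, STAY), (1, ADVANCE), (2, SKIP))
FLAG_Z = 4.0                                    # assumed residual threshold, in sigmas
# Constructed ground truth: 24-step daily pattern of (supply-air temperature, fan power).
BASE = [(20 + 3 * math.sin(2 * math.pi * t / 24),
         40 + 30 * max(0.0, math.sin(2 * math.pi * (t - 6) / 24))) for t in range(24)]

def make_cycle(rng):
    """Sample one noisy cycle from the stay/advance/skip process the HMM assumes."""
    pos, cycle = 0, []
    while pos < len(BASE):
        cycle.append([BASE[pos][0] + rng.gauss(0, 0.3), BASE[pos][1] + rng.gauss(0, 2.0)])
        r = rng.random()
        pos += 0 if r < STAY else 1 if r < STAY + ADVANCE else 2
    return cycle

def log_emit(mu, sig, x):
    """Log density of sample x at one template position (independent Gaussians)."""
    return sum(-0.5 * ((xi - m) / s) ** 2 - math.log(s) for xi, m, s in zip(x, mu, sig))

def viterbi(mus, sigs, cycle):
    """Most likely template position for each sample of one cycle, which starts at 0."""
    L, T, NEG = len(mus), len(cycle), float("-inf")
    score, back = [[NEG] * L for _ in range(T)], [[0] * L for _ in range(T)]
    score[0][0] = log_emit(mus[0], sigs[0], cycle[0])
    for t in range(1, T):
        for s in range(L):
            best, arg = max((score[t - 1][s - d] + math.log(p), s - d) for d, p in MOVES if s >= d)
            score[t][s], back[t][s] = best + log_emit(mus[s], sigs[s], cycle[t]), arg
    path = [max(range(L), key=lambda k: score[T - 1][k])]
    for t in range(T - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]

def fit_template(cycles, length, iters=3, min_sigma=0.05):
    """Hard-EM estimate of per-position means plus a pooled per-sensor noise scale."""
    dims = len(cycles[0][0])
    def warp(c, s):                              # linear time-warp, used only to initialise
        pos = s * (len(c) - 1) / (length - 1)
        i = min(int(pos), len(c) - 2)
        return [(1 - pos + i) * a + (pos - i) * b for a, b in zip(c[i], c[i + 1])]
    mus = [[mean(warp(c, s)[d] for c in cycles) for d in range(dims)] for s in range(length)]
    sigs = [[1.0] * dims for _ in range(length)]
    for _ in range(iters):
        buckets = [[[] for _ in range(dims)] for _ in range(length)]
        for c in cycles:
            for x, s in zip(c, viterbi(mus, sigs, c)):
                for d in range(dims):
                    buckets[s][d].append(x[d])
        mus = [[mean(b) if b else mus[s][d] for d, b in enumerate(buckets[s])] for s in range(length)]
        sq = [[(v - mus[s][d]) ** 2 for s in range(length) for v in buckets[s][d]] for d in range(dims)]
        sigs = [[max(min_sigma, math.sqrt(mean(e))) for e in sq] for _ in range(length)]
    return mus, sigs

class StreamFilter:
    """Forward recursion over the template, one sample at a time; positions wrap at the end."""
    def __init__(self, mus, sigs):
        self.mus, self.sigs, self.L, self.alpha = mus, sigs, len(mus), None
    def step(self, x):
        L, D = self.L, len(x)
        pred = [1.0] + [0.0] * (L - 1)              # first sample: template position 0
        if self.alpha is not None:
            pred = [0.0] * L
            for s, a in enumerate(self.alpha):
                for d, p in MOVES:
                    pred[(s + d) % L] += a * p
        m = [sum(pred[s] * self.mus[s][d] for s in range(L)) for d in range(D)]
        v = [sum(pred[s] * (self.sigs[s][d] ** 2 + (self.mus[s][d] - m[d]) ** 2)
                 for s in range(L)) for d in range(D)]
        resid = [(x[d] - m[d]) / math.sqrt(v[d]) for d in range(D)]   # predictive-mixture z-scores
        if max(abs(r) for r in resid) > FLAG_Z:
            self.alpha = pred                       # outlier: do not let it move the alignment
        else:
            lw = [math.log(pred[s]) + log_emit(self.mus[s], self.sigs[s], x) if pred[s] > 0
                  else float("-inf") for s in range(L)]
            w = [math.exp(l - max(lw)) for l in lw]
            self.alpha = [wi / sum(w) for wi in w]
        return resid

def run_demo(train_cycles=12, anomaly_at=15, seed=7):
    rng = random.Random(seed)
    mus, sigs = fit_template([make_cycle(rng) for _ in range(train_cycles)], len(BASE))
    stream = make_cycle(rng) + make_cycle(rng)      # two consecutive constructed days
    stream[anomaly_at][0] += 6.0                    # constructed fault: +6 degree temperature spike
    f = StreamFilter(mus, sigs)
    scores = [max(abs(r) for r in f.step(x)) for x in stream]
    flagged = [t for t, s in enumerate(scores) if s > FLAG_Z]
    return {"mus": mus, "sigs": sigs, "stream": stream, "scores": scores, "flagged": flagged}
```

Two design points matter for the streaming case. The residual is standardized by the variance of the predictive mixture over template positions, so uncertainty about where in the cycle the system currently is widens the tolerance instead of raising false alarms. And a sample that is flagged is deliberately not used to update the position posterior: if it were, the outlier would pull the alignment to whichever template position best explains it, and the next few normal samples would then be flagged against the wrong prediction. The same holds for the template itself, which should be estimated only from data believed clean, since an attacker who can inject anomalies during training shifts what the detector considers normal.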