Infrequent Pattern Identification in SCADA Systems Using Unsupervised Learning

Introduction

Nation’s critical infrastructures including Energy, Gas and Water networks need advanced monitoring and control for reliable and smooth operation of the whole interconnected complex system. Still today, the Industrial Control Systems (ICS) of these critical infrastructures rely on the Supervisory Control and Data Acquisition (SCADA) systems (Figure 1.) for system wide monitoring and control. Typically, SCADA system includes Remote Terminal Units (RTUs) with Intelligent Electronic Devices (IEDs), Programmable Logic Controllers (PLCs), a telemetry system, a Human Machine Interface (HMI) and a supervisory (computer) system. In a SCADA system, the supervisory system is connected with the RTUs through communication infrastructures. In the SCADA conception, data acquisition is the first task done by the monitoring and sensing devices. For example, in an Energy System Phasor Measurement Units (PMU) measure the Global Positioning System (GPS) synchronised system states, e.g., voltage magnitudes and angles. This information is then sent to the control room. Once data acquisition task is completed, the second task involves with the intelligent decision making in the control centre. Finally, the control decisions are sent to the RTU/PLC to adjust or override the current states. The whole process is a feedback system where all devices and modules play a vital role for information monitoring, processing and control. Due to numerous advantages towards a reliable and efficient system operation, SCADA systems are widely used in different sectors of critical infrastructures. In recent years, SCADA system is facing new type of threats that did not appear before. Often these threats or unusual activities are considered as anomalies, outliers, infrequent patterns. In this chapter, we will use the term infrequent pattern to avoid any ambiguity.

Figure 1.

SCADA architecture

As the primary goal of a SCADA system is to control real-life physical equipment and devices, it differs significantly from conventional information based traffic network (Galloway, B. and Hancke, G. P. (2013)). For example, energy system SCADA can be used to monitor and control the generation plants. SCADA network has its own system requirements and setup. For example, Modbus is commonly used as a SCADA protocol. In recent years, the security requirements of SCADA system is getting more emphasised because of several cyber related threats, especially after the stuxnet virus attack (Ahmed, M., Mahmood, A., and Hu, J. (2015b)). Note, unlike the traditional IT network, the security measures cannot be upgraded so frequently. In other words, most of the SCADA devices/assets have a long life-cycle, e.g., 15-30 years. Besides, the current devices are installed couple of years to decades ago. During that time today’s cyber-security threat was not considered. Moreover, it is also not possible to alter all setup to make the network more secured. Hence, new ideas and techniques are required to handle the cyber security issues of a SCADA system. Being a vital part of the nation’s critical infrastructure, failure of the SCADA system will cause significant damage in the country’s economy and growth. It highlights the needs and importance of research in SCADA security. Novel and practical infrequent pattern detection techniques need to be investigated, which has been the focus of this chapter. Specifically, the contributions of this chapter are as follows:

• •

  An infrequent pattern detection technique for SCADA systems using Multi-Stage Co-Clustering is proposed.

• •

  Proposed method is computationally less expensive compared with the existing clustering based techniques.

• •

  The co-clustering framework has been extended for mixed attributes, e.g., combinations of numerical and categorical attributes.

• •

  Wide ranges of experiments are considered to validate the proposed method using both practical and simulated datasets.