An Efficient Data-Driven Clustering Technique to Detect Attacks in SCADA Systems

Supervisory control and data acquisition (SCADA) systems have become a salient part in controlling critical infrastructures, such as power plants, energy grids, and water distribution systems. In the past decades, these systems were isolated and use proprietary software, operating systems, and protocols. In recent years, SCADA systems have been interfaced with enterprise systems, which therefore exposed them to the vulnerabilities of the Internet and the security threats. Traditional security solutions (e.g., firewalls, antivirus software, and intrusion detection systems) cannot fully protect SCADA systems, because they have different requirements. This paper presents an innovative intrusion detection approach to detect SCADA tailored attacks. This is based on a data-driven clustering technique of process parameters, which automatically identifies the normal and critical states of a given system. Later, it extracts proximity-based detection rules from the identified states for monitoring purposes. The effectiveness of the proposed approach is tested by conducting experiments on eight data sets that consist of process parameters' values. The empirical results demonstrated an average accuracy of 98% in automatically identifying the critical states, while facilitating the monitoring of the SCADA system.