Modern industrial control systems (ICS) attacks infect supervisory control and data acquisition (SCADA) hosts to stealthily alter industrial processes and cause damage. To detect attacks with few false alarms, recent work inspects both SCADA and process data. Unfortunately, this leads to the same problem, disjointed (false) alerts, because of the semantic and time gap between SCADA and process behavior: SCADA execution neither maps onto process dynamics nor evolves on the same time scale. We propose BRIDGE, which analyzes and correlates SCADA and industrial process attacks using domain knowledge to bridge their distinct semantics and time evolution. This lets operators tie malicious SCADA operations to their adverse process effects, which reduces false alarms and improves attack understanding. BRIDGE (i) identifies process-constraint violations in SCADA by measuring actuation dependencies in SCADA process control, and (ii) detects the effects of malicious SCADA operations in the process via a physics-informed neural network that embeds generic knowledge of inertial process dynamics. BRIDGE then dynamically aligns both analyses (i and ii) in a time window that adjusts their time evolution according to the process's inertial delays. We applied BRIDGE to 11 diverse real-world industrial processes and to adaptive attacks inspired by past events. BRIDGE correlated 98.3% of attacks with 0.8% false positives (FP), compared to 78.3% detection accuracy and 13.7% FP for recent work.
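The sketch below is an added illustration of the three-step structure described in the abstract; it is not code from the BRIDGE paper or its authors. It assumes a heated, stirred vessel with one actuation dependency (the heater may only run while the agitator runs), replaces the paper's physics-informed neural network with a plain first-order inertial model, and ties a SCADA violation to process alerts that fall within a few process time constants after it. The write log, the control program's schedule, the model constants, the threshold and the window length are all constructed for the example.

```python
"""Illustrative SCADA/process alert alignment for a heated, stirred vessel.

Added example, not BRIDGE's code. Everything below is an assumption made for
the sketch:
- actuation dependency: the heater may only run while the agitator runs;
- process: first-order inertial model T[k+1] = T[k] + DT/TAU * (K*u[k] - T[k]),
  a stand-in for the physics-informed neural network in the paper;
- alignment: a SCADA violation at sample ts is tied to process alerts in
  (ts, ts + N_TAU*TAU], i.e. within a few process time constants.
"""
from dataclasses import dataclass

DT = 1.0          # sample period, seconds (assumed)
TAU = 5.0         # thermal time constant, seconds (assumed)
K = 10.0          # steady-state gain: heater on -> +10 degrees (assumed)
N_TAU = 3         # window length in time constants (~95 % of a first-order step)
THRESHOLD = 3.0   # deviation that counts as a process anomaly (assumed)


@dataclass(frozen=True)
class ScadaWrite:
    t: int        # sample index at which the write was observed
    tag: str      # "heater" or "agitator"
    value: int    # 0 = off, 1 = on


def scada_violations(writes):
    """(i) Sample indices of writes after which the heater runs with the agitator stopped.

    Checking the joint state after every write catches both orderings:
    heater switched on while stopped, and agitator stopped while heating.
    """
    state = {"heater": 0, "agitator": 0}      # assumed initial state: all off
    alerts = []
    for w in sorted(writes, key=lambda w: w.t):
        state[w.tag] = w.value
        if state["heater"] and not state["agitator"]:
            alerts.append(w.t)
    return alerts


def simulate(u, t0=0.0):
    """Temperature above ambient under the inertial model, one sample per input."""
    temps = [t0]
    for uk in u:
        temps.append(temps[-1] + DT / TAU * (K * uk - temps[-1]))
    return temps


def process_anomalies(observed, u_expected, threshold=THRESHOLD):
    """(ii) Sample indices where the plant departs from the response expected
    for the control program's own heater schedule."""
    expected = simulate(u_expected, observed[0])
    return [k for k, (obs, exp) in enumerate(zip(observed, expected))
            if abs(obs - exp) > threshold]


def align(scada_alerts, process_alerts, n_tau=N_TAU):
    """(iii) Tie each SCADA violation to the process alerts that follow it
    within n_tau time constants; an empty list means no process effect."""
    window = n_tau * TAU / DT
    return {ts: [tp for tp in process_alerts if ts < tp <= ts + window]
            for ts in scada_alerts}


def scenario():
    """Constructed attack: at t=12 an attacker writes heater=1 while the agitator
    is stopped, bypassing the control program's schedule."""
    writes = [ScadaWrite(0, "agitator", 1), ScadaWrite(2, "heater", 1),
              ScadaWrite(6, "heater", 0), ScadaWrite(7, "agitator", 0),
              ScadaWrite(12, "heater", 1)]          # last write is the attacker's
    horizon = 20
    u_expected = [1 if 2 <= k < 6 else 0 for k in range(horizon)]            # schedule
    u_true = [1 if (2 <= k < 6 or k >= 12) else 0 for k in range(horizon)]  # what ran
    observed = simulate(u_true)       # constructed, noise-free sensor trace
    s = scada_violations(writes)
    p = process_anomalies(observed, u_expected)
    return s, p, align(s, p)


if __name__ == "__main__":
    print(scenario())
```

In the constructed scenario the SCADA violation is seen at sample 12, but the temperature only crosses the deviation threshold at sample 14, because the vessel responds with a time constant of five samples. A correlator that demanded the process alert in the same sample would miss the link and report two disjoint alerts; the window scaled by TAU ties them together, and a SCADA violation with an empty list would be the kind of alert an operator can treat as lower priority.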