Modern industrial control system (ICS) attacks infect supervisory control and data acquisition (SCADA) hosts to stealthily alter industrial processes and cause damage. To detect such attacks with few false alarms, recent work inspects both SCADA and process data. Unfortunately, this leads to the same problem: disjointed (false) alerts, caused by the semantic and time gap between SCADA and process behavior, i.e., SCADA execution neither maps onto process dynamics nor evolves on similar time scales. We propose BRIDGE, which analyzes and correlates SCADA and industrial process attacks using domain knowledge to bridge their distinct semantics and time evolution. This lets operators tie malicious SCADA operations to their adverse process effects, which reduces false alarms and improves attack understanding. BRIDGE (i) identifies process-constraint violations in SCADA by measuring actuation dependencies in SCADA process control, and (ii) detects the effects of malicious SCADA operations in the process via a physics-informed neural network that embeds generic knowledge of inertial process dynamics. BRIDGE then dynamically aligns both analyses (i and ii) within a time window that adjusts their time evolution according to the process's inertial delays. We applied BRIDGE to 11 diverse real-world industrial processes and to adaptive attacks inspired by past events. BRIDGE correlated 98.3% of attacks with 0.8% false positives (FP), compared to 78.3% detection accuracy and 13.7% FP for recent work.
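The following is an added illustration of the three-step idea in the abstract (a SCADA-side actuation-dependency check, a physics-based process check, and a time-window alignment sized by the process time constant); it is not the paper's code. A first-order tank model stands in for the paper's physics-informed network, and the dependency rule, thresholds, and the simulated trace are assumptions made for the example. It shows why the two alarms do not fire at the same time (the process residual builds up over several samples because of inertia) and why an isolated SCADA violation with no process effect is left unpaired instead of being raised as an alert.

```python
"""Constructed example (not the paper's code): correlate SCADA constraint
violations with process anomalies across an inertial delay.
A first-order tank model replaces the physics-informed network; the rule,
thresholds and trace below are assumptions for illustration only."""
from dataclasses import dataclass

DT = 1.0  # sample period in seconds (assumed)


@dataclass(frozen=True)
class Sample:
    t: float
    pump_on: int      # SCADA command: 1 = pump running
    valve_open: int   # SCADA command: 1 = outlet valve open
    level: float      # tank level as reported by the sensor


def episodes(times):
    """Collapse runs of consecutive sample times into episode start times."""
    starts, last = [], None
    for t in times:
        if last is None or t - last > DT:
            starts.append(t)
        last = t
    return starts


def scada_violations(samples, rules):
    """(i) Actuation-dependency check. A rule (a, sa, b, sb) reads:
    whenever actuator a is in state sa, actuator b must be in state sb."""
    bad = [s.t for s in samples
           if any(getattr(s, a) == sa and getattr(s, b) != sb
                  for a, sa, b, sb in rules)]
    return episodes(bad)


def process_anomalies(samples, tau, gain, threshold):
    """(ii) Physics-based residual check (stand-in for the PINN). The model
    rolls the first-order law level' = (gain*pump_on - level)/tau forward
    from the first reported level using only the commanded pump state; a
    reported level that departs from the rollout by more than `threshold`
    is flagged. Inertia (tau) makes the residual grow over several samples,
    so the process alarm lags the SCADA event that caused it."""
    model, bad = samples[0].level, []
    for prev, cur in zip(samples, samples[1:]):
        model += DT / tau * (gain * prev.pump_on - model)
        if abs(cur.level - model) > threshold:
            bad.append(cur.t)
    return episodes(bad)


def align(violations, anomalies, tau, k=2.0):
    """(iii) Pair each SCADA violation at t_v with the first process anomaly
    starting in (t_v, t_v + k*tau]. The window scales with the process time
    constant: a first-order step response is ~86% complete after 2*tau, so an
    effect not visible by then is unlikely to stem from that command.
    Returns (pairs, unpaired violations, unpaired anomalies)."""
    window, pairs, unpaired = k * tau, [], []
    pending = sorted(anomalies)
    for tv in sorted(violations):
        hit = next((ta for ta in pending if tv < ta <= tv + window), None)
        if hit is None:
            unpaired.append(tv)
        else:
            pairs.append((tv, hit))
            pending.remove(hit)
    return pairs, unpaired, pending


def constructed_trace(tau=10.0, gain=5.0, n=60):
    """Constructed 60 s trace. t=5: an operator runs the pump for one sample
    with the valve shut (a violation with negligible process effect).
    t=15..19: pump on with the valve open (legitimate). From t=30 the
    attacker keeps the pump on with the valve shut and replays the frozen
    t=30 level reading to hide the rise."""
    samples, level = [], 0.0
    for k in range(n):
        pump = 1 if (k == 5 or 15 <= k <= 19 or k >= 30) else 0
        valve = 1 if 15 <= k <= 19 else 0
        reported = samples[30].level if k > 30 else level  # replayed reading
        samples.append(Sample(k * DT, pump, valve, reported))
        level += DT / tau * (gain * pump - level)          # true physics
    return samples


def correlate(samples, tau=10.0, gain=5.0, threshold=1.0):
    rules = [("pump_on", 1, "valve_open", 1)]  # pump running requires open valve
    v = scada_violations(samples, rules)
    a = process_anomalies(samples, tau, gain, threshold)
    return align(v, a, tau)


if __name__ == "__main__":
    pairs, lone_scada, lone_process = correlate(constructed_trace())
    print("correlated (SCADA t, process t):", pairs)
    print("SCADA violations with no process effect:", lone_scada)
    print("process anomalies with no SCADA cause:", lone_process)
```

On the constructed trace the SCADA check flags episodes at t=5 and t=30, the process check flags only t=33 (the spoofed level diverges from the inertial rollout by more than 1.0 three samples after the attack starts), and the alignment pairs (30, 33) while leaving the one-sample operator slip at t=5 unpaired. The rollout is open-loop from the first reported level purely to keep the example short; a real deployment would re-anchor the model state periodically so that benign model drift does not itself trip the threshold.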