For industrial control systems (ICS), many existing defense solutions focus on detecting attacks only when they make the system behave anomalously. Instead, in this work, we study how to detect attackers who are still in their hiding phase. Specifically, we consider an off-path false-data-injection attacker who makes the original sensor's readings unavailable and then impersonates that sensor by sending out legitimate-looking fake readings, so that she can stay hidden in the system for a prolonged period of time (e.g., to gain more information or to launch the actual devastating attack at a specific time). To expose such hidden attackers, our approach relies on continuous injection of "micro distortion" into the original sensor's readings, either through digital or physical means. We keep the distortions strictly within a small magnitude (e.g., $0.5\%$ of the possible operating value range) to ensure that they do not affect the normal functioning of the ICS. Micro-distortions are generated based on secret key(s) shared only between the targeted sensor and the defender. For digitally-inserted micro-distortions, we propose and discuss the pros and cons of a two-layer least-significant-bit-based detection algorithm. Alternatively, when the micro-distortions are added physically, a main design challenge is to ensure that the introduced micro-distortions do not get overwhelmed by the fluctuation of the actual readings and can still provide accurate detection capability. Towards that, we propose a simple yet effective Filtered-$\Delta$-Mean-Difference algorithm that can expose the hidden attackers in a highly accurate and fast manner. We demonstrate the effectiveness and versatility of our defense by using real-world sensor reading traces from different industrial control (including smart grid) systems.
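The following Python sketch is an added illustration of the keyed micro-distortion idea and is not the paper's code or its exact Filtered-$\Delta$-Mean-Difference or LSB algorithms. It assumes a hypothetical 0..100 operating range, a constant $\pm0.5\%$ offset whose sign per sample is derived from an HMAC over a shared key, and plain differencing of consecutive samples as the "filter" that strips slow process drift before averaging; the sensor trace and the forged stream are constructed.

```python
import hmac
import hashlib
import math
import random

RANGE = 100.0              # assumed operating range 0..100 (hypothetical)
AMPLITUDE = 0.005 * RANGE  # micro-distortion kept at 0.5% of the range

def distortion_sign(key: bytes, index: int) -> int:
    """Keyed pseudorandom sign (+1/-1) for sample `index`, from HMAC-SHA256 (assumed scheme)."""
    mac = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return 1 if mac[0] & 1 else -1

def inject(readings, key: bytes):
    """Defender/sensor side: add +/-AMPLITUDE to every true reading per the shared key."""
    return [r + AMPLITUDE * distortion_sign(key, i) for i, r in enumerate(readings)]

def delta_mean_statistic(received, key: bytes) -> float:
    """Detector: difference consecutive samples (removes slow drift), keep only positions
    where the expected keyed distortion flips sign, and average the observed delta aligned
    with the expected flip. Genuine streams give ~2*AMPLITUDE; streams without the key ~0."""
    acc, n = 0.0, 0
    for i in range(1, len(received)):
        flip = distortion_sign(key, i) - distortion_sign(key, i - 1)  # 0 or +/-2
        if flip == 0:
            continue
        acc += (received[i] - received[i - 1]) * (1 if flip > 0 else -1)
        n += 1
    return acc / n if n else 0.0

def is_genuine(received, key: bytes) -> bool:
    """Flag the stream as forged when the keyed micro-distortion is missing."""
    return delta_mean_statistic(received, key) >= AMPLITUDE  # half of the expected 2*AMPLITUDE

def simulate(seed: int = 1, samples: int = 400):
    """Constructed demo: drifting, noisy process; the sensor injects the distortion, an
    off-path attacker forges plausible readings (or uses a guessed key) without the secret."""
    rng = random.Random(seed)
    true_readings = [50 + 5 * math.sin(i / 20) + rng.gauss(0, 0.2) for i in range(samples)]
    key = b"constructed-shared-secret"
    genuine = inject(true_readings, key)
    forged = [50 + 5 * math.sin(i / 20) + rng.gauss(0, 0.2) for i in range(samples)]
    wrong_key = inject(true_readings, b"attacker-guess")
    return is_genuine(genuine, key), is_genuine(forged, key), is_genuine(wrong_key, key)

if __name__ == "__main__":
    print(simulate())  # (True, False, False)
```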