Qualitative Behavioral Analyzer for Fault Detection and Cyber Security of Control Networks

Cybersecurity for networked industrial control systems presents challenges not faced in information technology systems. The use of heritage protocols, such as Modbus, on unrouted serial buses makes it difficult to authenticate actuator commands and sensor data. Furthermore, rigid master/slave architectures such as Modbus are especially vulnerable to compromise of the master unit. We describe a logic program called the Qualitative Behavioral Analyzer (QBA) for monitoring a controlled physical process on an unrouted Modbus network. The proposed approach uses knowledge of process physics to identify a possible component fault or cyberattack. To avoid relying on the integrity of the master unit, the QBA directly analyzes Modbus network traffic. The first stage of the QBA is called the Network Analyzer, which evaluates each Modbus packet and extract qualitative information. The second stage is called the Physics Analyzer, which evaluates a qualitative physics model based on qualitative information from Network Analyzer. The QBA is demonstrated on simulations of a water treatment process.