CyPhERS: A Cyber-Physical Event Reasoning System providing real-time situational awareness for attack and fault response
Nils Müller, Kaibin Bao, Jörg Matthes, Kai Heussen

TL;DR
CyPhERS is a real-time reasoning system that detects, characterizes, and explains cyber-physical incidents in critical infrastructure systems, even without prior event data, enhancing situational awareness and response capabilities.
Contribution
The paper introduces CyPhERS, a novel system capable of real-time event identification and signature generation for cyber attacks and physical failures without relying on historical data.
Findings
Effective detection of diverse attack and fault events
Generation of interpretable event signatures for known and unknown incidents
Benchmark results show high relevance and inferability of event information
Abstract
Cyber-physical systems (CPSs) constitute the backbone of critical infrastructures such as power grids or water distribution networks. Operating failures in these systems can cause serious risks for society. To avoid or minimize downtime, operators require real-time awareness about critical incidents. However, online event identification in CPSs is challenged by the complex interdependency of numerous physical and digital components, which requires taking cyber attacks and physical failures equally into account. The online event identification problem is further complicated by the lack of historical observations of critical but rare events, and the continuous evolution of cyber attack strategies. This work introduces and demonstrates CyPhERS, a Cyber-Physical Event Reasoning System. CyPhERS provides real-time information pertaining to the occurrence, location, physical impact, and root…
Taxonomy
Topics: Smart Grid Security and Resilience · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
