WICCON 2023

Cyber-Attack Detection in Water Distribution Networks
2023-10-31 , Second Main Stage

Water distribution networks are a fundamental component of modern urban infrastructure, supplying clean water to consumers. However, these networks are increasingly vulnerable to cyber-attacks, posing significant risks to public health and safety. As technology advances and interconnected systems become prevalent, the potential for malicious actors to exploit vulnerabilities in water distribution networks grows exponentially. Therefore, robust cyber-attack detection mechanisms are essential for safeguarding this critical infrastructure. This presentation aims to explore the current landscape of cyber-attack detection methods in water distribution networks and highlight the challenges faced.


Cyber-attacks such as replay attacks and false data injection, have the potential to cause severe damage to physical components of the water distribution network. The consequences of these attacks include pump outages, tank overflow, and empty tanks, which can prevent water companies from meeting the demands of their users. In order to detect these attacks two types of approaches are commonly employed to detect such attacks: Model-based and data-driven methods.

Model-based approaches utilize system identification to compose a mathematical model which describes the nominal dynamic behaviour of the water distribution system. Comparing real-time measurements with model estimations the residual can be composed. Analyzing these residuals to identify anomalies. Model-based methods are effective in identifying previously unseen anomalies because they rely on the predefined nominal behaviour of the system. However, these methods require an accurate representative model of the system. The assumptions and simplifications made during the model development may limit the ability to detect complex or subtle anomalies.

On the other hand, data-driven approaches employ machine learning algorithms to directly learn patterns and anomalies from the available data. Machine learning can be performed using either unsupervised or supervised learning techniques. Supervised learning requires labelled data containing information about known anomalies. However, these kinds of datasets are hard to obtain, especially for unknown anomalies. The data-driven methods exceed in capturing the complex network structure of water distribution networks.

In spite of the significant progress made in anomaly detection methods, it is important to acknowledge that certain types of attacks can still evade detection. These stealthy attacks can take the form of replay attacks or false data injections. Replay attacks involve concealing SCADA readings by using previously recorded data, while false data injection aims to maintain the energy and mass balance by injection of fabricated data.
To address these stealthy attacks effectively, one promising approach is the addition of a watermark to either the output or the input of the plant. This introduces a noticeable disparity between the perceived state of the plant from the perspectives of both the attacker and the controller. This active form of cyberattack detection shows great potential in successfully identifying and mitigating stealthy attacks, such as replay attacks and false data injections.

Hi, my name is Rosanne Aartman. I am a 2nd-year master's student in systems and control at the Technical University of Delft and currently graduating in the field of Industrial Cyber Security. During my studies, I continuously try to advocate for women in STEM. Organizing events for women in mechanical engineering and connecting students with female role models in the industry.