Frontiers in Emerging Artificial Intelligence and Machine Learning

Detecting Physical Sensor Anomalies In Interdependent SCADA Systems Using A Hybrid CNN-LSTM Approach

Authors

  • Prof. Priya S. Kulkarni Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
  • Dr. Neha Deshmukh School of Computer and Information Sciences, University of Hyderabad, Hyderabad, India

Keywords:

SCADA systems, sensor anomaly detection, hybrid CNN-LSTM model, deep learning

Abstract

Supervisory Control and Data Acquisition (SCADA) systems are critical to modern industrial operations, managing everything from power grids to oil pipelines. The increasing interconnectedness of these systems, particularly in the context of the Industrial Internet of Things (IIoT), introduces significant cybersecurity vulnerabilities. False Data Injection Attacks (FDIAs) against physical sensors represent a severe threat, capable of manipulating system behavior without immediate detection and potentially leading to catastrophic physical damage or economic losses [2, 3, 4, 8, 9]. Traditional anomaly detection methods often struggle to identify sophisticated attacks that leverage the interdependencies between SCADA controllers and their associated physical processes. This article proposes a novel anomaly detection framework utilizing a hybrid Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) model. This CNN-LSTM architecture is designed to capture both spatial features and temporal dependencies within the multivariate time-series data generated by interdependent SCADA controllers. By analyzing correlations between sensor readings across connected control loops, the proposed model aims to identify subtle deviations indicative of malicious data manipulation. The efficacy of this approach is demonstrated through experiments on a simulated industrial control system environment, showcasing its ability to accurately detect various forms of sensor anomalies, including those designed to evade simpler detection mechanisms. The findings highlight the potential of deep learning techniques to enhance the resilience and security of critical infrastructure.

References

Altuhafi AW. A review on peer-to-peer live video streaming topology. Int J Comput Appl. 2013;68(5):6–14. doi:10.5120/11573-6881.

Combita LF, Cardenas A, Quijano N. Mitigating sensor attacks against industrial control systems. IEEE Access. 2019;7:92444–92455. doi:10.1109/ACCESS.2019.2927484.

Wang Q, Tai W, Tang Y, Ni M. Review of the false data injection attack against the cyber-physical power system. IET Cyber-Phys Syst: Theory Appl. 2019;4(2):101–107. doi:10.1049/iet-cps.2018.5022.

Ahmed M, Pathan ASK. False data injection attack (FDIA): an overview and new metrics for fair evaluation of its countermeasure. Complex Adapt Syst Model. 2020;8(1):4. doi:10.1186/s40294-020-00070-w.

Chromik JJ. Process-aware SCADA traffic monitoring: a local approach [DSI Ph.D. Thesis Series; 19-009]. Enschede: University of Twente; 2019. 231 p. doi:10.3990/1.9789036548014.

Chromik JJ, Remke A, Haverkort BR. Improving SCADA security of a local process with a power grid model. In: Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research. BCS Learning and Development Ltd.; 2016. p. 1–10. doi:10.14236/ewic/ICS2016.13.

Giraldo J, Urbina D, Cardenas A, Valente J, Faisal M, Ruths J, A survey of physics-based attack detection in cyber-physical systems. ACM Comput Surv. 2018;51(4):1–36. doi:10.1145/3203245.

Cárdenas AA, Amin S, Lin ZS, Huang YL, Huang CY, Sastry S. Attacks against process control systems. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security - ASIACCS ’11. Association for Computing Machinery; 2011. p. 355–366. doi:10.1145/1966913.1966959.

Huang YL, Cárdenas AA, Amin S, Lin ZS, Tsai HY, Sastry S. Understanding the physical and economic consequences of attacks on control systems. Int J Crit Infrastruct Prot. 2009;2(3):73–83. doi:10.1016/j.ijcip.2009.06.001.

Nafees MN, Saxena N, Cardenas A, Grijalva S, Burnap P. Smart grid cyber-physical situational awareness of complex operational technology attacks: a review. ACM Comput Surv. 2023;55(10):1–36. doi:10.1145/3565570.

Gaggero G, Girdinio P, Marchese M. Artificial intelligence and physics-based anomaly detection in the smart grid: a survey. IEEE Access. 2025;13:23597–23606. doi:10.1109/ACCESS.2025.3537410.

Chromik JJ, Remke A, Haverkort BR. An integrated testbed for locally monitoring SCADA systems in smart grids. Energy Inform. 2018;1: 1–29. 56. doi:10.1186/s42162-018-0058-7.

Hadžiosmanović D, Sommer R, Zambon E, Hartel P. Through the eye of the PLC: semantic security monitoring for industrial processes. In: Proceedings of the 30th Annual Computer Security Applications Conference. Association for Computing Machinery; 2014. p. 126–135. doi:10.1145/2664243.2664277.

Kumar BP, Hariharan K, Shanmugam R, Shriram S, Sridhar J. Enabling internet of things in road traffic forecasting with deep learning models. J Intell Fuzzy Syst. 2022;43(5):6265–6276. doi:10.3233/JIFS-220230.

Dwivedi S, Attry A, Parekh D, Singla K. Analysis and forecasting of time-series data using S-ARIMA, CNN and LSTM. In: 2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS). IEEE; 2021. p. 131–136. doi:10.1109/ICCCIS51004.2021.9397134.

Chen M. Comparative analysis of forecasting Chevron’s crude oil stock performance with machine learning techniques. Adv Econom Management Political Sci. 2024;86(1):21–27. doi:10.54254/2754-1169/86/20240935.

Liang L. ARIMA with attention-based CNN-LSTM and XGBoost hybrid model for stock prediction in the US stock market. SHS Web Conf. 2024;196:02001. doi:10.1051/shsconf/202419602001.

Mohammad Ata KI, Hassan MK, Ismaeel AG, Al-Haddad SAR, Alquthami T, Alani S. A multi-Layer CNN-GRUSKIP model based on transformer for spatial-TEMPORAL traffic flow prediction. Ain Shams Eng J. 2024;15(12):103045. doi:10.1016/j.asej.2024.103045.

Alves T, Morris T. OpenPLC: an IEC 61131-3 compliant open source industrial controller for cyber security research. Comput Secur. 2018;78:364–379. doi:10.1016/j.cose.2018.07.007.

Sur S, Srimani PK. A depth-first search routing algorithm for star graphs and its performance evaluation. Math Comput Model. 1994;19(9):35–52. doi:10.1016/0895-7177(94)90039-6.

Ma Y, Tan Z, Chang G, Gao XA. P2P network topology optimized algorithm based on minimum maximum K-means principle. In: 2009 Ninth International Conference on Hybrid Intelligent Systems. IEEE; 2009. p. 396–399. doi:10.1109/HIS.2009.193.

Condie T, Kamvar S, Garcia-Molina H. Adaptive peer-to-peer topologies. In: Proceedings of the Fourth International Conference on Peer-to-Peer Computing. IEEE Computer Society; 2004. p. 53–62. doi:10.1109/PTP.2004.1334931.

Xu Y, Chi D, Min G. The topology of P2P network, vol. 3 (8), Mianyang, Sichuan, China: School of Information Engineering, Southwest University of Science and Technology; 2012.

Pearson K. VII. Note on regression and inheritance in the case of two parents. Proc R Soc Lond. 1895;58:240–242. doi:10.1098/rspl.1895.0041.

Li L, Lu Z, Zhou C. Importance analysis for models with correlated input variables by the state dependent parameters method. Comput Math Appl. 2011;62(12):4547–4556. doi:10.1016/j.camwa.2011.10.034.

Donahue J, Hendricks L, Rohrbach M, Venugopalan S, Guadarrama S, Saenko K, Long-term recurrent convolutional networks for visual recognition and description. IEEE Trans Pattern Anal Mach. Intell. 2017;39(4):677–691. doi:10.1109/TPAMI.2016.2599174.

Vinyals O, Toshev A, Bengio S, Erhan D. Show and tell: a neural image caption generator. In: 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE; 2015. p. 3156–3164. doi:10.1109/CVPR.2015.7298935.

Olah C. Understanding LSTM networks. Colah’s Blog [Internet]. 2015 [cited 2025 Jun 14]. Available from: https://colah.github.io/posts/2015-08-Understanding-LSTMs/.

3.2. Tuning the hyper-parameters of an estimator—scikit-learn 0.21.3 documentation. Scikit-learn.org [Internet]. 2019 [cited 2025 Jun 14]. Available from: https://scikit-learn.org/0.21/modules/grid_search.html.

Zhu L, Laptev N. Deep and confident prediction for time series at Uber. In: 2017 IEEE International Conference on Data Mining Workshops (ICDMW). IEEE; 2017. p. 103–110. doi:10.1109/ICDMW.2017.19.

Das R, Morris T. Modeling a midstream oil terminal for cyber security risk evaluation. In: Staggs J, Shenoi S, editors. Critical Infrastructure Protection XII. ICCIP 2018. IFIP Advances in Information and Communication Technology. vol. 542, Springer; 2018. doi:10.1007/978-3-030-04537-1_9.

Das R. An embedded defense-in-depth module for detecting cyberattacks on interdependent SCADA controllers [dissertations]. 2020; 204 p. https://louis.uah.edu/uah-dissertations/204.

American Petroleum Institute. Specification for Electric Motor Prime Mover for Beam Pumping Unit Service. 1st ed. API SPEC 11L6, Washington, DC: API; 1993.

American Petroleum Institute. Specification for End Closures, Connectors and Swivels. 2nd ed. API SPEC 6H, Washington, DC: API; 1998.

American Petroleum Institute. Specification for Line Pipe. 43rd ed. API SPEC 5L, Washington, DC: API; 2004.

American Petroleum Institute. Specification for Bolted Tanks for Storage of Production Liquids. 15th ed. API SPEC 12B, Washington, DC: API; 2008.

American Petroleum Institute. Specification for Pipeline Valves. 23rd ed. API SPEC 6D, Washington, DC: API; 2008.

American Petroleum Institute. Loading and Unloading of MC 306/DOT 406 Cargo Tank Motor Vehicles. API RP 1007, Washington, DC: API; 2011.

American Petroleum Institute. Line Markers and Signage for Hazardous Liquid Pipelines and Facilities. 5th ed. API RP 1109, Washington, DC: API; 2017.

Tian J, Tan R, Guan X, Xu Z, Liu T. Moving target defense approach to detecting stuxnet-like attacks. IEEE Trans Smart Grid. 2020;11(1):291–300. doi:10.1109/TSG.2019.2921245.

Yang N, Zhong Y, Li Y, Shi L. Model-unknown spoofing attack via false data injections. In: 2023 62nd IEEE Conference on Decision and Control (CDC). IEEE; 2023. p. 1814–1819. doi:10.1109/CDC49753.2023.10383617.

Masood R, Um-e-Ghazia, Anwar Z. SWAM: Stuxnet worm analysis in metasploit. In: 2011 Frontiers of Information Technology. IEEE; 2011. p. 142–147. doi:10.1109/FIT.2011.34.

Lindsay JR. Stuxnet and the limits of cyber warfare. Secur Stud. 2013;22(3):365–404. doi:10.1080/09636412.2013.816122.

Langner R. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv. 2011;9(3):49–51. doi:10.1109/MSP.2011.67.

Banks W. Developing Norms for Cyber Conflict (February 22, 2016) [Internet]. doi:10.2139/ssrn.2736456.

Published

2025-04-01

How to Cite

Prof. Priya S. Kulkarni, & Dr. Neha Deshmukh. (2025). Detecting Physical Sensor Anomalies In Interdependent SCADA Systems Using A Hybrid CNN-LSTM Approach. Frontiers in Emerging Artificial Intelligence and Machine Learning, 2(04), 1–7. Retrieved from https://irjernet.com/index.php/feaiml/article/view/75