A supervisory control and data acquisition (SCADA) system may be subject to integrity attacks. Anomalies in sensor measurements may be used to detect these attacks, but such techniques do not permit us to locate attacking nodes. We propose a novel technique to enable this. Each participating network node probabilistically copies packets and marks them with routing information, before encrypting them with private keys and forwarding them to the operator. Nodes regularly release the keys used to encrypt packets. At that point, the operator may compare the copied packets with the original. Using the differences in packet content and routing information, it is possible to deduce to within one or two processes the location of an attack. Our approach is based on IP traceback techniques originally used for detecting the origin of denial of service attacks. The complexity of the approach is low and the technique can be shown to be resilient to counter–attack.
Keywords: pi–calculus, supervisory control, data acquisition, SCADA systems, adversary detection, subverted processes, random packet comparison, integrity attacks, attacking node location, attack location, packet content, routing information, IP traceback, critical infrastructures