Discrimination Between Attacks and Faults for FCC Fractionation System with Cross-Domain Causal Diagram

Introduction

The fluid catalytic cracking (FCC) fractionation system is a critical component in petroleum refining processes. Any system anomaly can lead to product quality degradation or even catastrophic safety incidents. With the widespread adoption of industrial internet technologies, FCC fractionation systems have become vulnerable to cyber-attacks, which can also cause physical process anomalies. A significant challenge arises when cyber-attacks and system faults exhibit similar characteristics in process variable data. Since the mitigation strategies for cyber-attacks and faults are fundamentally different, accurately identifying the root cause of anomalies—whether an attack or a fault—is crucial for ensuring the security of industrial control systems in the internet era.

Existing research on attack-fault discrimination can be categorized into two main approaches: methods relying solely on physical process data and those integrating both physical process data and communication network data. The first category includes techniques such as non-intrusive anomaly diagnosis in power electronics systems, adaptive observer-based watermarking algorithms, and memory-based neural network approaches for smart grids. While these methods effectively detect anomalies, they often fail to distinguish between cyber-attacks and faults due to their reliance on physical data alone, ignoring traces of cross-domain attacks in communication networks.

The second category leverages both fault diagnosis and intrusion detection techniques, such as generative adversarial networks for learning attack and fault distributions, Markov chain models for detecting faults and data injection attacks, and hybrid encoding methods for simultaneous attack and fault detection. However, these approaches still struggle with the challenge of similar physical data characteristics and do not support anomaly traceability, making root cause localization difficult.

To address these limitations, this paper proposes a novel discrimination method based on a cross-domain causal diagram. The method integrates data-driven and topology-based approaches to construct a comprehensive causal graph covering both physical and information domains. By analyzing multi-source anomaly evidence and leveraging an improved Floyd algorithm for path search, the method identifies the root cause of anomalies and distinguishes between cyber-attacks and faults.

FCC Fractionation System and Attack-Fault Discrimination Framework

FCC Fractionation System

The FCC fractionation system is a typical industrial control system consisting of both information and physical layers. The information layer includes a control layer and a monitoring layer. The control layer comprises programmable logic controllers (PLCs) responsible for receiving instructions, collecting process data, and controlling the reaction process. The monitoring layer includes operator stations, engineer stations, human-machine interfaces (HMIs), and historical database servers for supervisory control. A real-time database server is deployed between the PLCs and the monitoring layer to handle massive data storage and real-time anomaly detection.

The physical layer consists of the FCC fractionation reaction process and associated sensors and actuators. The reaction process includes components such as the fractionation tower, oil-gas separator, and stripping tower.

Attack-Fault Discrimination Framework

The proposed framework is designed to distinguish between fault scenarios (e.g., coking and tower flooding) and attack scenarios (e.g., tampering attacks and false data injection attacks). The framework consists of two main components: cross-domain causal graph construction and root cause identification.

The cross-domain causal graph integrates data-driven and topology-based methods to build causal relationships between variables in the physical domain and devices in the information domain. The physical domain is divided into four process sections, each analyzed for variable causality. The information layer’s device causality is derived from communication network topology. The two layers are then connected based on control logic relationships to form a unified cross-domain causal graph.

For root cause identification, the method first extracts abnormal nodes from multi-source anomaly evidence and removes unreachable nodes. The remaining nodes serve as constraints for the Floyd algorithm, which computes the shortest paths between abnormal nodes. By applying constraints such as single-point anomalies and maximum dominator counts, the method identifies the most probable root cause and propagation paths. The root node’s location—whether in the physical or information domain—determines whether the anomaly is classified as a fault or an attack.

Cross-Domain Causal Graph Construction

Time-Lagged Mutual Information for Variable Causality Analysis

Traditional mutual information (MI) measures variable correlations but lacks directionality. To address this, the proposed method introduces a time-lagged parameter to compute time-lagged mutual information curves. By comparing the lead-lag relationships between these curves, the direction of information flow between variables is determined.

The principle is that the cause precedes the effect. For two time-series variables X and Y, the time-lagged mutual information is computed by shifting one variable relative to the other. If the mutual information curve for X leading Y peaks earlier than the curve for Y leading X, the causal direction is inferred as X → Y. This approach effectively captures asymmetric relationships in industrial processes where traditional MI fails.
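
One way to compute the lead-lag comparison described above, as an added example rather than the paper's code: a histogram MI estimate is evaluated over positive and negative shifts, and the sign of the lag at which it peaks gives the direction. The estimator, the peak-sign decision rule and the constructed FV01/PI03 series (a 5-sample delay) are assumptions made for illustration.

```python
import math
import random
from collections import Counter

def discretize(series, bins=8):
    """Map each sample to an equal-width bin index."""
    lo, hi = min(series), max(series)
    width = (hi - lo) / bins or 1.0
    return [min(int((v - lo) / width), bins - 1) for v in series]

def mutual_information(a, b):
    """Plug-in MI estimate in nats between two symbol sequences."""
    n = len(a)
    pa, pb, pab = Counter(a), Counter(b), Counter(zip(a, b))
    return sum(c / n * math.log(c * n / (pa[x] * pb[y]))
               for (x, y), c in pab.items())

def lagged_mi_curve(x, y, max_lag):
    """MI between x[t] and y[t + lag] for every lag in [-max_lag, max_lag]."""
    dx, dy = discretize(x), discretize(y)
    curve = {}
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:   # x shifted into the past relative to y
            a, b = dx[:len(dx) - lag], dy[lag:]
        else:          # y shifted into the past relative to x
            a, b = dx[-lag:], dy[:len(dy) + lag]
        curve[lag] = mutual_information(a, b)
    return curve

def infer_direction(x, y, max_lag=10):
    """Return (direction, peak_lag); a positive peak lag means x leads y."""
    curve = lagged_mi_curve(x, y, max_lag)
    peak = max(curve, key=curve.get)
    if peak == 0:
        return "undetermined", 0
    return ("X -> Y" if peak > 0 else "Y -> X"), peak

def constructed_valve_and_pressure(n=2000, delay=5, seed=7):
    """Constructed data: a pressure series that follows a valve series by `delay`."""
    rng = random.Random(seed)
    valve = [rng.gauss(0, 1) for _ in range(n)]
    pressure = [0.8 * (valve[t - delay] if t >= delay else 0.0)
                + 0.2 * rng.gauss(0, 1) for t in range(n)]
    return valve, pressure

if __name__ == "__main__":
    fv01, pi03 = constructed_valve_and_pressure()
    print(infer_direction(fv01, pi03))   # valve leads pressure
```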

Topology-Based Module Correlation and Cross-Domain Causality

To connect variable causality subgraphs across different process sections and integrate them with the information layer, the method leverages the FCC fractionation system’s process flow and simulation model structure. Key pipelines and equipment connections are analyzed to establish causality between modules. For example, the fractionation tower and oil-gas separator are connected via a top valve (FV01), which directly affects the separator’s pressure (PI03) and liquid level (LI03). Since FV01 is controlled by a PLC, its influence is stronger from the fractionation tower side.

Similarly, causality between other modules is established, such as the fractionation tower’s influence on the stripping tower and the slurry circulation system. The information layer’s device causality is derived from communication network flows, such as PLCs sending data to the real-time database server and operator stations issuing commands to PLCs.

Construction Process

The cross-domain causal graph is constructed in three steps:

  1. Modular Division: The system is divided into information and physical layers. The information layer’s device causality is built using topology-based methods, while the physical layer is segmented into four process sections for data-driven causality analysis.
  2. Integration of Variable Subgraphs: Based on key inter-module connections, variable causality subgraphs are merged into a complete physical domain causal graph.
  3. Cross-Domain Connection: The physical and information layers are linked using control logic relationships (e.g., which PLC controls which process variables), resulting in a unified cross-domain causal graph.

Attack-Fault Discrimination Based on Anomaly Propagation Path Search

Floyd Algorithm-Based Anomaly Causal Path Search

The goal is to identify causal relationships between abnormal nodes. Given a set of abnormal nodes, the method first checks reachability by removing nodes with no causal connections to others. The remaining nodes are processed using the Floyd algorithm to compute the shortest paths under the following constraints:
• Dominator Constraint: Only paths passing through the abnormal nodes are considered.
• Single-Point Anomaly Constraint: Assumes anomalies originate from a single node.
• Maximum Dominator Count: Limits the number of intermediate nodes to avoid overly complex paths.

The Floyd algorithm iteratively updates the shortest paths between all pairs of nodes, ensuring efficient identification of the most probable propagation paths.

Root Cause Localization and Attack-Fault Discrimination

After generating candidate propagation paths, the method applies constraints to filter the most plausible paths. The root node is determined based on the earliest occurrence time of anomalies. If the root node is in the information domain (e.g., a compromised PLC), the anomaly is classified as a cyber-attack. If the root is in the physical domain (e.g., a faulty sensor or valve), it is classified as a system fault.

The method also verifies the completeness of the propagation path. A fully traceable path spanning both information and physical domains strongly indicates a cyber-attack, whereas a path confined to the physical domain suggests a fault.
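
The path search and root-node classification described in this section, as an added example that is not the paper's implementation: plain Floyd-Warshall over the abnormal nodes stands in for the paper's improved variant. The toy graph, the PLC1-to-FV01 link, the HDB alarm and the anomaly timestamps are constructed assumptions.

```python
INF = float("inf")
# Constructed toy graph. ES->PLC1, FV01->PI03 and FV01->LI03 follow the article;
# PLC1->FV01 (which PLC drives FV01) and the HDB alarm are assumptions.
EDGES = [("ES", "PLC1"), ("PLC1", "FV01"), ("FV01", "PI03"), ("FV01", "LI03")]
INFO_DOMAIN = {"ES", "PLC1", "HDB"}

def floyd(nodes, edges):
    """All-pairs shortest hop counts and next-hop table, restricted to `nodes`."""
    dist = {u: {v: 0 if u == v else INF for v in nodes} for u in nodes}
    nxt = {u: {} for u in nodes}
    for u, v in edges:
        if u in dist and v in dist:
            dist[u][v], nxt[u][v] = 1, v
    for k in nodes:
        for i in nodes:
            for j in nodes:
                if dist[i][k] + dist[k][j] < dist[i][j]:
                    dist[i][j] = dist[i][k] + dist[k][j]
                    nxt[i][j] = nxt[i][k]
    return dist, nxt

def walk(nxt, u, v):
    """Rebuild the propagation path u -> ... -> v from the next-hop table."""
    hops = [u]
    while u != v:
        u = nxt[u][v]
        hops.append(u)
    return hops

def discriminate(first_seen, max_dominators=3):
    """first_seen maps each abnormal node to the time its anomaly first appeared."""
    nodes = sorted(first_seen)
    # Dominator constraint: paths may only pass through abnormal nodes.
    dist, nxt = floyd(nodes, EDGES)
    # Reachability check: drop abnormal nodes with no causal link to the others.
    linked = [n for n in nodes
              if any(0 < min(dist[n][m], dist[m][n]) < INF for m in nodes)]
    # Single-point constraint: root reaches all others within max_dominators hops.
    roots = [r for r in linked
             if all(dist[r][m] - 1 <= max_dominators for m in linked if m != r)]
    if not roots:
        return None
    root = min(roots, key=first_seen.get)   # earliest anomaly wins a tie
    label = "attack" if root in INFO_DOMAIN else "fault"
    return root, label, [walk(nxt, root, m) for m in linked if m != root]

if __name__ == "__main__":
    print(discriminate({"ES": 0, "PLC1": 2, "FV01": 5, "HDB": 7, "PI03": 9, "LI03": 11}))
    print(discriminate({"FV01": 0, "PI03": 4, "LI03": 6}))
```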

Experimental Results and Analysis

Experimental Setup

The FCC fractionation simulation system includes a physical layer modeled using Aspen Plus Dynamics and an information layer with PLCs, operator stations, and database servers. Communication between layers is simulated using Modbus TCP.

Two fault scenarios (tower flooding and heat exchanger coking) and two attack scenarios (tampering and false data injection) were designed. Each scenario generated 415 samples for testing.

Results

  1. Tower Flooding Fault: The root cause was traced to the mid-cycle reflux valve (FV04), which caused temperature imbalances in the fractionation tower, leading to anomalies in multiple downstream variables.
  2. Tampering Attack: The attack originated from the engineer station (ES), which modified setpoints in PLC1, causing physical process anomalies resembling tower flooding.
  3. Heat Exchanger Coking Fault: The root cause was a reduction in heat load, leading to increased slurry flow rates and temperature deviations in the tower bottom.
  4. False Data Injection Attack: The attack manipulated temperature readings in PLC4, causing incorrect control actions and physical anomalies similar to coking.

The method achieved an overall discrimination accuracy of 94.84%, with recall rates of 97.11% for normal conditions, 93.25% for faults, and 95.30% for attacks.

Comparative Analysis

Compared to existing methods, the proposed approach offers three key advantages:

  1. Cross-Domain Coverage: Integrates physical and information layer data for comprehensive anomaly analysis.
  2. Anomaly Traceability: Provides detailed propagation paths for root cause localization.
  3. Handling Similar Physical Features: Effectively distinguishes between attacks and faults despite overlapping physical symptoms.

Conclusion

This paper presents a cross-domain causal diagram-based method for discriminating between cyber-attacks and faults in FCC fractionation systems. By combining data-driven and topology-based techniques, the method constructs a comprehensive causal graph and leverages an improved Floyd algorithm to trace anomaly propagation paths. Experimental results demonstrate high accuracy in identifying root causes and distinguishing between attack and fault scenarios.

Future work will focus on enhancing the robustness of time-lagged mutual information analysis and generalizing the framework for broader industrial control system applications.

doi.org/10.19734/j.issn.1001-3695.2024.01.0164
