**1. Introduction**

In recent decades, urban areas all over the world have kept growing and becoming increasingly dense. Consequently, virtually all urban services are in dire need of becoming more efficient and accessible to all citizens. Water distribution systems (WDSs), which are among the main urban components, have undergone many changes. In this paper, we focus on the connection between WDS physical and cyber layers, which turns WDSs into cyber-physical systems. The physical layer of a WDS (pipes, valves, pumps, reservoirs, etc.) can be remotely controlled and monitored by the cyber layer, which allows the implementation of predictive control and early-warning systems in case of anomalies. As a result, the efficiency of urban water systems is improved.

Cyber-physical systems may considerably improve the operation of water companies, but they will also increase the possibilities for system failure. This is chiefly because cyber layers can include gates that may be easily violated during various kinds of attacks (e.g., information access for damaging the entire water distribution process) [1]. Attackers can access programmable logic controllers and change pump and valve schedules, operational points, and/or corrupt data in SCADA systems. This could threaten the creation and expansion of smart cities that depend on the reliability of cyber systems [2].

**Citation:** Brentan, B.; Rezende, R.; Barros, D.; Meirelles, G.; Luvizotto, E., Jr.; Izquierdo, J. Cyber-Attack Detection in Water Distribution Systems Based on Blind Sources Separation Technique. *Water* **2021**, *13*, 795. https://doi.org/10.3390/w13060795

Academic Editors: Marco Franchini and Francesco De Paola

Received: 30 December 2020 Accepted: 11 March 2021 Published: 14 March 2021

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Scenarios of cyber-physical attacks in water systems have already become a reality. According to the United States Department of Homeland Security, in 2015, 25 cyberattacks were disclosed in various water systems [3]. In Israel, three attacks happened between 2019 and 2020. The first attack in 2019 managed to change the free chlorine level and, consequently, harmed the water quality of the system. In 2020 the attacks changed pumping operational points, bringing high pressure to the system and an associated increase in leakage [4]. In their Systematic Review of the State of Cyber-Security in Water Systems, Tuptuk et al. [5] compile a set of cyber-physical attacks that occurred between 2000 and 2020 and have been made public. Most of them were performed remotely, and even a recent one used cryptocurrency mining for the attack. The examples of cyber-attacks in the USA and Israel show that even though a system may be highly protected, attackers manage to find their way into the system and eventually produce chaos. Consequently, even virtually fully secure SCADA systems need additional mechanisms to try to close any access gate to the system and minimize the impact of any security breach.

With the aim of improving the reliability of cyber-physical systems, researchers have given special attention to the topic, as shown by the promotion of dedicated events. One milestone in cyber-physical system analysis applied to water systems was the International Workshop on Cyber-Physical Systems for Smart Water Networks, in 2015 [6]. The works in that conference mainly focused on data acquisition via SCADA systems and the security of the system. Nevertheless, no cyber-physical failure detection methodologies were proposed. Recently, however, the detection of malicious attacks in WDSs has become a problem frequently faced by researchers and managers, and has been the subject of recommendations from various protection agencies (e.g., the Environmental Protection Agency, EPA, in the USA). The main objective of this kind of development is to reduce the vulnerability of the system, thus narrowing the potential damage to the physical layer.

Considering the importance of the problem, the Battle of the Attack Detection Algorithms (BATADAL) [7] was organized in a special session of the World Environmental and Water Resources Congress, in Sacramento, California on 21–25 May 2017. The challenge was proposed to compare possible approaches to detecting attacks. Several solutions, concisely described in the next section, were presented.

According to the above-mentioned systematic literature review [5], the vast majority of works in cyber-attack detection, including the ones presented in BATADAL, are based on machine learning, developing classifiers or auto-encoder algorithms. However, the authors of [5] pinpoint the need to target other fields of study to build increased confidence in the algorithms. An alternative, exploited in other research fields, is the use of signal-detection models. These kinds of models handle a mixture of true signal and noisy data. When applied to cyber-attack detection, the main objective of a signal-detection model is to separate attack data from normal data, which helps detect abnormal situations accurately and efficiently. One example of signal processing applied to detect anomalies in cyber-physical systems is the application of Independent Component Analysis (ICA) [8]. This algorithm separates original signals into components or sources by suitably demixing them. The demixing and consequent separation of signals can help highlight anomalies, thus easing their identification.

Moreover, for automatic identification, statistical process control techniques such as cumulative sum (CUSUM) and abrupt change point detection (ACPD) have been shown to be very useful tools.

Considering the substantial number of applications of ICA for anomaly detection problems in various research fields, and the simultaneous lack of applications in water distribution, this paper proposes a two-stage algorithm for cyber-attack detection in water distribution systems. In the first stage, hydraulic time series acquired by a SCADA system are processed by the ICA algorithm. The resulting signals, the so-called sources, are highly affected by cyber-attacks, as shown in the results. This feature is used for automatic detection in the second stage, using an ACPD algorithm. The methodology is applied to the BATADAL case study, and the results are compared with other approaches presented in the Battle under the same framework, including case study, objectives and metrics. All seven attacks hidden in the test data sets used in the event are detected by this methodology, thus resulting in a reliable early-warning cyber-attack detection algorithm. Regarding the limitations of this approach, we must mention that some attack scenarios have been detected too late, a limitation that is otherwise typical of any detection evaluation methodology. However, overall, the methodology can be considered a novel non-machine-learning-based approach in the field of cyber-attack detection in WDSs.
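The two-stage idea above can be sketched as follows; this is an added illustration, not the authors' code and not the BATADAL data. It assumes only two sensors, constructed signals (`constructed_scada`), a kurtosis-based rotation search as the ICA step, and a single-shift CUSUM estimator standing in for the ACPD stage.

```python
import math, random

def standardize(x):
    m = sum(x) / len(x)
    s = math.sqrt(sum((v - m) ** 2 for v in x) / len(x))
    return [(v - m) / s for v in x]

def rotate(a, b, t):
    c, s = math.cos(t), math.sin(t)
    return ([c * p + s * q for p, q in zip(a, b)],
            [c * q - s * p for p, q in zip(a, b)])

def kurtosis(y):  # excess kurtosis of a zero-mean, unit-variance signal
    return sum(v ** 4 for v in y) / len(y) - 3.0

def ica_2d(x1, x2):
    """Stage 1: whiten two sensor series, then keep the rotation whose
    outputs are the most non-Gaussian (largest squared kurtosis)."""
    # For standardized inputs the principal axes always lie at 45 degrees.
    u1, u2 = rotate(standardize(x1), standardize(x2), math.pi / 4)
    z1, z2 = standardize(u1), standardize(u2)
    def contrast(t):
        return sum(kurtosis(y) ** 2 for y in rotate(z1, z2, t))
    best = max((k * math.pi / 360 for k in range(180)), key=contrast)
    return rotate(z1, z2, best)

def cusum_change(x):
    """Stage 2: (index of first post-change sample, score) for one mean shift."""
    y, s, best, arg = standardize(x), 0.0, 0.0, 0
    for i, v in enumerate(y):
        s += v
        if abs(s) > best:
            best, arg = abs(s), i + 1
    return arg, best / math.sqrt(len(y))

def constructed_scada(n=480, attack_start=360, seed=1):
    # Constructed hourly data: a daily demand cycle plus an attack offset
    # that reaches both sensors with different gains (hypothetical values).
    rng = random.Random(seed)
    demand = [math.sin(2 * math.pi * t / 24) for t in range(n)]
    attack = [1.0 if t >= attack_start else 0.0 for t in range(n)]
    pressure = [d + 0.4 * a + rng.gauss(0, 0.02) for d, a in zip(demand, attack)]
    level = [0.6 * d - 0.5 * a + rng.gauss(0, 0.02) for d, a in zip(demand, attack)]
    return pressure, level

def detect(x1, x2):
    # Report the change point of the source with the strongest CUSUM score.
    return max((cusum_change(s) for s in ica_2d(x1, x2)), key=lambda r: r[1])

if __name__ == "__main__":
    print(detect(*constructed_scada()))
```

Running `cusum_change` on the raw `pressure` and `level` series gives a noticeably lower score than on the separated source, because the demand cycle dominates the variance of each raw sensor.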
