To detect cyber-physical attacks targeted at a water storage unit part of the Water Distribution Network (WDN), this thesis investigates the use of process data provided by Dunea, a Dutch drinking water production company, for this purpose.

In order to achieve this, a model-based anomaly detection method is employed. This consists of deriving an accurate model that represents the nominal dynamics of the system, computing the residual between the estimation and the measurement and evaluating the residual using the Non-Parametric CUSUM (NP-CUSUM). Additionally, cyber-physical attacks are designed to expose the water storage unit, during its draining and replenishing, to the most extreme attacks that could potentially impact the WDN.

Results show that all designed attacks initiated during the reservoir's replenishing are detected within this mode of operation. Regarding the attacks initiated during the reservoir's draining, various attacks are detected within this mode, and some attacks are detected afterwards when the system operates in the replenishing mode. The model-based anomaly detection method implemented using the process data can detect all the designed and simulated cyber-physical attacks against the water storage unit.

This thesis's contributions include developing a benchmark for implementing potential future anomaly detection methods for Dunea's and other drinking water production companies' water storage units. Additionally, given the provided process data, a nonlinear hybrid automaton is created to describe the nominal behaviour of the water storage unit. Lastly, multiple attack profiles are studied, including their impact on the physical system and effectiveness in evading detection.