Comparison of Industrial Control System Anomaly Detection Methods

Piotr Sobonski; Utz Roedig

doi:10.1145/3689930.3695211

Comparison of Industrial Control System Anomaly Detection Methods

Piotr Sobonski
, Utz Roedig

School of Computer Science and Information Technology

Collins Aerospace

Research output: Chapter in Book/Report/Conference proceedings › Conference proceeding › peer-review

Abstract

Industrial Control System (ICS) are used to produce goods that must be free of errors. Examples are medicines, medical equipment or vehicle parts. It is essential in such production environments to detect an attack which may aim to compromise goods. While Anomaly Detection (AD) is common to protect Information Technology (IT) infrastructure, it is not yet widely used to protect Operational Technology (OT) elements such as ICS and ultimately production. In this work we analyze the usefulness of different AD algorithms in the context of ICS. We aim to determine if simple statistical methods such as K-Means clustering (K-Means), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Stochastic Gradient Decent (SGD) or Support Vector Machine (SVM) are sufficient or if more advanced Machine Learning (ML) algorithms such as an Autoencoder are necessary to achieve a useful performance. Specifically, we consider real-world constraints such as limited available attack examples in training data and variations in background conditions. We use an evaluation framework called Anomaly Detection Evaluation Framework (ADEF) to model an autoclave manufacturing use case and possible attacks. Using ADEF we benchmark different AD algorithms. Our results show that simple methods perform very well, that large amount of attack examples are unnecessary and that fluctuations in environmental conditions pose a significant challenge.

Original language	English
Title of host publication	RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with
Subtitle of host publication	CCS 2024
Publisher	Association for Computing Machinery, Inc
Pages	79-85
Number of pages	7
ISBN (Electronic)	9798400712265
DOIs	https://doi.org/10.1145/3689930.3695211
Publication status	Published - 20 Nov 2024
Event	2nd International Workshop on Re-design Industrial Control Systems with Security, RICSS 2024 - Salt Lake City, United States Duration: 14 Oct 2024 → 18 Oct 2024

Publication series

Name	RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024

Conference

Conference	2nd International Workshop on Re-design Industrial Control Systems with Security, RICSS 2024
Country/Territory	United States
City	Salt Lake City
Period	14/10/24 → 18/10/24

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

Keywords

CPS security
ICS anomaly detection
ICS attacks
ICS security
ICS simulation

Access to Document

10.1145/3689930.3695211

Cite this

Sobonski, P., & Roedig, U. (2024). Comparison of Industrial Control System Anomaly Detection Methods. In RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024 (pp. 79-85). (RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024). Association for Computing Machinery, Inc. https://doi.org/10.1145/3689930.3695211

Sobonski, Piotr ; Roedig, Utz. / Comparison of Industrial Control System Anomaly Detection Methods. RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024. Association for Computing Machinery, Inc, 2024. pp. 79-85 (RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024).

@inproceedings{a6e23badd70b46a49d68f22fedfc707e,

title = "Comparison of Industrial Control System Anomaly Detection Methods",

abstract = "Industrial Control System (ICS) are used to produce goods that must be free of errors. Examples are medicines, medical equipment or vehicle parts. It is essential in such production environments to detect an attack which may aim to compromise goods. While Anomaly Detection (AD) is common to protect Information Technology (IT) infrastructure, it is not yet widely used to protect Operational Technology (OT) elements such as ICS and ultimately production. In this work we analyze the usefulness of different AD algorithms in the context of ICS. We aim to determine if simple statistical methods such as K-Means clustering (K-Means), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Stochastic Gradient Decent (SGD) or Support Vector Machine (SVM) are sufficient or if more advanced Machine Learning (ML) algorithms such as an Autoencoder are necessary to achieve a useful performance. Specifically, we consider real-world constraints such as limited available attack examples in training data and variations in background conditions. We use an evaluation framework called Anomaly Detection Evaluation Framework (ADEF) to model an autoclave manufacturing use case and possible attacks. Using ADEF we benchmark different AD algorithms. Our results show that simple methods perform very well, that large amount of attack examples are unnecessary and that fluctuations in environmental conditions pose a significant challenge.",

keywords = "CPS security, ICS anomaly detection, ICS attacks, ICS security, ICS simulation",

author = "Piotr Sobonski and Utz Roedig",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s).; 2nd International Workshop on Re-design Industrial Control Systems with Security, RICSS 2024 ; Conference date: 14-10-2024 Through 18-10-2024",

year = "2024",

month = nov,

day = "20",

doi = "10.1145/3689930.3695211",

language = "English",

series = "RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024",

publisher = "Association for Computing Machinery, Inc",

pages = "79--85",

booktitle = "RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with",

}

Sobonski, P & Roedig, U 2024, Comparison of Industrial Control System Anomaly Detection Methods. in RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024. RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024, Association for Computing Machinery, Inc, pp. 79-85, 2nd International Workshop on Re-design Industrial Control Systems with Security, RICSS 2024, Salt Lake City, United States, 14/10/24. https://doi.org/10.1145/3689930.3695211

Comparison of Industrial Control System Anomaly Detection Methods. / Sobonski, Piotr; Roedig, Utz.
RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024. Association for Computing Machinery, Inc, 2024. p. 79-85 (RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024).

Research output: Chapter in Book/Report/Conference proceedings › Conference proceeding › peer-review

TY - GEN

T1 - Comparison of Industrial Control System Anomaly Detection Methods

AU - Sobonski, Piotr

AU - Roedig, Utz

PY - 2024/11/20

Y1 - 2024/11/20

N2 - Industrial Control System (ICS) are used to produce goods that must be free of errors. Examples are medicines, medical equipment or vehicle parts. It is essential in such production environments to detect an attack which may aim to compromise goods. While Anomaly Detection (AD) is common to protect Information Technology (IT) infrastructure, it is not yet widely used to protect Operational Technology (OT) elements such as ICS and ultimately production. In this work we analyze the usefulness of different AD algorithms in the context of ICS. We aim to determine if simple statistical methods such as K-Means clustering (K-Means), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Stochastic Gradient Decent (SGD) or Support Vector Machine (SVM) are sufficient or if more advanced Machine Learning (ML) algorithms such as an Autoencoder are necessary to achieve a useful performance. Specifically, we consider real-world constraints such as limited available attack examples in training data and variations in background conditions. We use an evaluation framework called Anomaly Detection Evaluation Framework (ADEF) to model an autoclave manufacturing use case and possible attacks. Using ADEF we benchmark different AD algorithms. Our results show that simple methods perform very well, that large amount of attack examples are unnecessary and that fluctuations in environmental conditions pose a significant challenge.

AB - Industrial Control System (ICS) are used to produce goods that must be free of errors. Examples are medicines, medical equipment or vehicle parts. It is essential in such production environments to detect an attack which may aim to compromise goods. While Anomaly Detection (AD) is common to protect Information Technology (IT) infrastructure, it is not yet widely used to protect Operational Technology (OT) elements such as ICS and ultimately production. In this work we analyze the usefulness of different AD algorithms in the context of ICS. We aim to determine if simple statistical methods such as K-Means clustering (K-Means), Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Stochastic Gradient Decent (SGD) or Support Vector Machine (SVM) are sufficient or if more advanced Machine Learning (ML) algorithms such as an Autoencoder are necessary to achieve a useful performance. Specifically, we consider real-world constraints such as limited available attack examples in training data and variations in background conditions. We use an evaluation framework called Anomaly Detection Evaluation Framework (ADEF) to model an autoclave manufacturing use case and possible attacks. Using ADEF we benchmark different AD algorithms. Our results show that simple methods perform very well, that large amount of attack examples are unnecessary and that fluctuations in environmental conditions pose a significant challenge.

KW - CPS security

KW - ICS anomaly detection

KW - ICS attacks

KW - ICS security

KW - ICS simulation

UR - https://www.scopus.com/pages/publications/85214088449

U2 - 10.1145/3689930.3695211

DO - 10.1145/3689930.3695211

M3 - Conference proceeding

AN - SCOPUS:85214088449

T3 - RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024

SP - 79

EP - 85

BT - RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with

PB - Association for Computing Machinery, Inc

T2 - 2nd International Workshop on Re-design Industrial Control Systems with Security, RICSS 2024

Y2 - 14 October 2024 through 18 October 2024

ER -

Sobonski P, Roedig U. Comparison of Industrial Control System Anomaly Detection Methods. In RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024. Association for Computing Machinery, Inc. 2024. p. 79-85. (RICSS 2024 - Proceedings of the 2024 Workshop on Re-design Industrial Control Systems with Security, Co-Located with: CCS 2024). doi: 10.1145/3689930.3695211

Comparison of Industrial Control System Anomaly Detection Methods

Abstract

Publication series

Conference

UN SDGs

Keywords

Access to Document

Other files and links

Fingerprint

Cite this