Managed Anomaly Detection for Industrial Control Systems
Date
2023-04-06
Authors
Rao, S.
Abstract
The evolution of process automation has led to corresponding improvements in operating efficiency, production output, and running costs across each industrial revolution, with the 4th one on the horizon. Achieving this requires connecting Industrial Control Systems (ICSs) to the Internet; however, combined with historically insecure protocols and increasingly sophisticated threat actors, this makes ICSs a prime target for cyberattacks. Anomaly detection is a promising countermeasure which aims to detect attacks in their early stages; such data-driven measures—often using deep learning—do not require knowledge of the system, thereby simplifying installation. However, with the trend of using increasingly large neural networks for improving performance, acquiring and maintaining such networks may eventually prove a burden too great for ICS operators to bear; therefore, changes in integrating anomaly detection for ICSs are necessary for it to achieve its true potential. One approach is to deploy such solutions remotely; by offloading its maintenance and management to a third party, economies of scale can be exploited to deliver efficient anomaly detection as a service. To this end, we present CloudPAD, an ICS anomaly detection pipeline designed for a cloud deployment; in tandem with the ClozeLSTM—a neural network based on the Long Short-Term Memory (LSTM) architecture—we show that CloudPAD allows for effective, managed anomaly detection. We train and test the ClozeLSTM on the Secure Water Treatment (SWaT) dataset, and show that it outperforms an advanced attention baseline on average by at least 2.4% in precision-recall AUCs. Furthermore, we develop CyberSWaT, a Mininet-based framework for designing hybrid ICS testbeds. This can aid in determining the viability of cloud anomaly detection for a given ICS; we validate CyberSWaT by porting a digital SWaT testbed to it. 
Finally, we discuss network effects arising from CloudPAD's remote deployment, along with possible countermeasures; we show that anomaly detection efficacy is retained even as measures are taken to reduce CloudPAD's bandwidth consumption.
Keywords
industrial control systems, anomaly detection, deep learning, cloud computing
Citation
Rao, S. (2023). Managed anomaly detection for Industrial Control Systems (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.