Contributors: Ghaderi, Majid; Rao, Sanjeev
Dates: 2023-04-12; 2023-04-12; 2023-04-06
Citation: Rao, S. (2023). Managed anomaly detection for Industrial Control Systems (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.
URL: https://prism.ucalgary.ca/handle/1880/116059

Abstract:
The evolution of process automation has led to corresponding improvements in operating efficiency, production output, and running costs across each industrial revolution, with the 4th one on the horizon. Achieving this requires connecting Industrial Control Systems (ICSs) to the Internet; however, combined with historically insecure protocols and increasingly sophisticated threat actors, this makes ICSs a prime target for cyberattacks. Anomaly detection is a promising countermeasure which aims to detect attacks in their early stages; such data-driven measures—often using deep learning—do not require knowledge of the system, thereby simplifying installation. However, with the trend of using increasingly large neural networks for improving performance, acquiring and maintaining such networks may eventually prove a burden too great for ICS operators to bear; therefore, changes in integrating anomaly detection for ICSs are necessary for it to achieve its true potential. One approach is to deploy such solutions remotely; by offloading its maintenance and management to a third party, economies of scale can be exploited to deliver efficient anomaly detection as a service. To this end, we present CloudPAD, an ICS anomaly detection pipeline designed for a cloud deployment; in tandem with the ClozeLSTM—a neural network based on the Long Short-Term Memory (LSTM) architecture—we show that CloudPAD allows for effective, managed anomaly detection. We train and test the ClozeLSTM on the Secure Water Treatment (SWaT) dataset, and show that it outperforms an advanced attention baseline on average by at least 2.4% in precision-recall AUCs.

Furthermore, we develop CyberSWaT, a Mininet-based framework for designing hybrid ICS testbeds. This can aid in determining the viability of cloud anomaly detection for a given ICS; we validate CyberSWaT by porting a digital SWaT testbed to it. Finally, we discuss network effects arising from CloudPAD's remote deployment, along with possible countermeasures; we show that anomaly detection efficacy is retained even as measures are taken to reduce CloudPAD's bandwidth consumption.

Language: en
Rights: University of Calgary graduate students retain copyright ownership and moral rights for their thesis. You may use this material in any way that is permitted by the Copyright Act or through licensing that has been assigned to the document. For uses that are not allowable under copyright legislation or licensing, you are required to seek permission.
Keywords: industrial control systems; anomaly detection; deep learning; cloud computing
Subjects: Computer Science; Artificial Intelligence
Title: Managed Anomaly Detection for Industrial Control Systems
Type: master thesis