ANOMALY DETECTION FOR INDUSTRIAL CONTROL SYSTEMS

  • Vincent Boerjan

Student thesis: Master's Thesis

Abstract

The complexity and critical nature of Industrial Control Systems (ICS) highlight the need for robust and effective safety measures. Historically, anomalies in ICS have included design errors and technical failures. However, with the increasing scale and interconnectivity of ICS constituents, malevolent actors and events now also contribute to the range of possible anomalies. Anomaly Detection is a cornerstone of providing this safety net. Effective implementation of an Anomaly Detection system allows for the timely detection, intervention, and resolution of events that threaten ICS functionality, thus preventing potential safety or security incidents. This thesis proposes and implements a generic approach to Anomaly Detection built around expert knowledge, Attack Trees, and machine learning. Specifically, Attack Trees designed based on gathered expert knowledge are leveraged in the feature selection and engineering process, contributing directly to a streamlined and reduced machine learning workload. The aim of this approach is to be repeatable, understandable, and founded in established literature and best practices. The proposed methodology is widely applicable due to the inclusion of many facets and the production of clear and traceable artefacts that support the process and directly factor into the design of the machine learning solution. Our approach considers potential pitfalls when working with ICS, such as unlabelled data and class imbalance. The proposed framework is applied to the European Train Control System in this thesis. This case study demonstrates the applicability of our generic approach, as real-world pitfalls were addressed and discussed. A successful machine learning Anomaly Detection process was implemented, considering organisational goals from inception to final evaluation. These results validate the approach and suggest its potential for broader application to various ICS environments.

Date of Award: 1 Jul 2024
Original language: English
Supervisor: Stefano Schivo (Examiner) & Clara Maathuis (Co-assessor)

Keywords

  • Anomaly Detection
  • Attack Trees
  • Expert Knowledge
  • Machine Learning

Master's Degree

  • Master Computer Science
