Industrial Control Systems

ICSs are a type of control system that is used to monitor and control industrial processes

  • They are typically used in industries such as manufacturing, energy, water treatment, and transportation

Functions: The main function of an ICS is to manage, control, and monitor industrial processes

  • This is achieved by collecting data from sensors, processing this data to make decisions, and then sending commands to actuators to carry out these decisions

SCADA ICS: A Supervisory Control and Data Acquisition (SCADA) system is a type of ICS used to monitor and control industrial processes and infrastructure

  • SCADA systems are widely used in industries such as manufacturing, energy, water treatment, and transportation to ensure efficient and reliable operation

  • A SCADA system consists of several components: HMIs, Master unit, PLCs, sensors, actuators, etc.

SCADA system architecture

SCADA Components

Human-Machine Interfaces (HMIs) allow human operators to interact with the ICS

  • They provide a visual representation of the system, display data from the sensors, and allow operators to control the system
  • For example, an HMI in a power plant might display the status of the generators, the electricity output, and any alarms or warnings
  • The operator could use the HMI to start or stop generators, adjust output levels, or respond to alarms
  • It typically includes graphical displays, control panels, and dashboards that visualise the process data and status

SCADA Master Unit (Master Terminal Unit, MTU) is essentially the brain of the SCADA system

  • It processes data from sensors, makes decisions based on this data, and sends commands to actuators to carry out these decisions

Programmable Logic Controllers (PLCs) are used for automation and control of machinery and processes

  • In a SCADA system, their function is to collect data from sensors and execute control commands from the MTU

The network enables communication between the MTU, PLCs, HMIs, sensors, and actuators

  • Networks can be wired (Ethernet, fiber optics) or wireless (radio, satellite, cellular) and can use various protocols, including Ethernet, Modbus, and Profibus.

Sensors and actuators

  • Sensors collect real-time data from the physical environment, such as temperature, pressure, flow rate, and level
  • Actuators perform physical actions based on commands from the control system, such as opening a valve or starting a motor.

Secure Water Treatment (SWaT) Testbed

The testbed is a reduced version of an operational clean water treatment plant. It consists of multiple physical and cyber components that combine to form a six-stage water treatment process

The SWaT testbed: https://itrust.sutd.edu.sg/itrust-labs-home/itrust-labs_swat/

Video presentation: https://www.youtube.com/watch?v=8rk4hJvePFo&ab_channel=iTrustSUTD

The SWaT testbed in a nutshell

  • The water treatment process is monitored by a SCADA workstation and is divided into six sub-processes, including raw water supply and storage, ultra-filtration and backwash
  • The sub-processes are controlled by a pair of PLCs that communicate with sensors (water flow indication transmitters, level indicator transmitters, analyser indicator transmitters, such as pH analysers, and ultra-violet modules) and actuators (e.g., pumps, motorised valves)
  • The PLCs collect the readings from the sensors that monitor the status of the physical process, and send actuation commands to the actuators
    • Based on the PLC’s internal logic, such commands may be used to either change or keep the current state of an actuator

The SWaT dataset

This dataset has been collected from the SWaT testbed

  • It consists of 946,722 records of sensors and actuators collected during 11 days of operation at a rate of one sample per second
  • Each record contains 51 attributes, representing 25 sensor readings and 26 actuator states
  • The dataset is divided into a 7-day portion of normal operations, which has been used as the training set, plus a 4-day portion of normal activity combined with 36 attacks (test set)

Attacks

  • LIT: Level Transmitter; Raw water tank level (sensor)
  • FIT: Flow meter; Measures inflow into raw water tank (sensor)
  • AIT: e.g., pH analyser (sensor)
  • P101: Pump; Pumps water from raw water tank to second stage (actuator)
  • MV101: motorized valve; Controls water flow to the raw water tank (actuator)

Table from S. Adepu and A. Mathur, “An investigation into the response of a water treatment system to cyber attacks,” in Proc. of IEEE 17th International Symposium on High Assurance Systems Engineering (HASE), 2016.

Concept drift and the SWaT dataset

In the SWaT dataset, we can observe changes in the normal behaviour of some devices across the training and test sets

  • Actuators: during the normal operation, the pump P102 has a single state of value 1 in the training set, then it takes an additional “normal” state of value 2 in the test set
  • Sensors: The probability distribution of some sensors changes between the two sets. For example, in the training set the output of the Conductivity Analyser AIT201 ranges in interval [251, 272] µs/cm (micro Siemens per centimetre), while in the test set it ranges in [168, 267].
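
The drift described above can be checked mechanically before training an anomaly detector. The following is an added example, not part of the original slides: `drift_report` and the tiny `TRAIN`/`TEST` samples are constructed for illustration and only mimic the P102 and AIT201 observations (the MV101 values are invented to show a device with no drift).

```python
def drift_report(train, test, actuators, sensors):
    """Compare normal-operation records of two dataset portions.

    train/test map a device name to its list of values.
    Actuators are discrete: report states never seen in training.
    Sensors are continuous: report test values outside the training range.
    """
    report = {}
    for name in actuators:
        new_states = sorted(set(test[name]) - set(train[name]))
        if new_states:
            report[name] = {"new_states": new_states}
    for name in sensors:
        lo, hi = min(train[name]), max(train[name])
        outside = sum(1 for v in test[name] if v < lo or v > hi)
        if outside:
            report[name] = {
                "train_range": (lo, hi),
                "test_range": (min(test[name]), max(test[name])),
                "outside_fraction": outside / len(test[name]),
            }
    return report


# Constructed sample values (not real SWaT records), normal operation only.
TRAIN = {"P102": [1, 1, 1, 1], "MV101": [1, 2, 2, 1], "AIT201": [251, 260, 272, 265]}
TEST = {"P102": [1, 2, 1, 1], "MV101": [2, 1, 1, 2], "AIT201": [168, 240, 267, 255]}

if __name__ == "__main__":
    for device, info in drift_report(TRAIN, TEST, ["P102", "MV101"], ["AIT201"]).items():
        print(device, info)
```

Every device listed in the report is a source of false alarms for a model whose notion of "normal" is frozen at training time.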

DAICS: A Deep Learning Solution for Anomaly Detection in Industrial Control Systems

DAICS [1] is a deep neural network designed for anomaly detection in Industrial Control Systems

  • DAICS has been evaluated on the SWaT dataset
  • DAICS addresses concept drift by dynamically tuning the anomaly threshold
  • False positives (false alarms) are used by the operator to trigger model re-training

[1] Abdelaty, Maged, Roberto Doriguzzi-Corin, and Domenico Siracusa. “DAICS: A deep learning solution for anomaly detection in industrial control systems.” IEEE Transactions on Emerging Topics in Computing 10.2 (2021): 1117-1129.

The DAICS approach

Anomaly condition on sensor readings:

$$L_t = \begin{cases} 1, & \text{if } \exists g \in [1, G] \text{ s.t. } MSE_{g,i} > T_g \;\; \forall i \in [t - W_{anom}, t] \\ 0, & \text{otherwise} \end{cases}$$

where $G = 6$ is the number of model outputs (SWaT processes) and $MSE_{g,i}$ is the Mean Square Error between the model's prediction and the actual sensor readings of the process $g$ at time $i$.

An anomaly is reported to the operator when $L_t = 1$, which happens when the prediction error is larger than the threshold for $W_{anom}$ seconds.

  • The output section of the NN is retrained upon the operator's request after spotting false positives (only domain-specific knowledge is required of the operator)
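
The anomaly condition on sensor readings, written out as an added Python example (not code from the slides or from the DAICS authors). It assumes one fixed threshold per process, whereas DAICS updates thresholds at runtime, and it reads the interval ending at t as inclusive, i.e. W_anom + 1 samples at one sample per second; `anomaly_flags` and the sample values are constructed.

```python
from typing import List, Sequence


def anomaly_flags(mse: Sequence[Sequence[float]],
                  thresholds: Sequence[float],
                  w_anom: int) -> List[int]:
    """Return L_t for every second t.

    mse[g][i] is the prediction error of process g at second i.
    L_t = 1 when at least one process g has had mse[g][i] > thresholds[g]
    for every i in the W_anom-second interval ending at t.
    """
    if len(mse) != len(thresholds):
        raise ValueError("one threshold per process is required")
    n = len(mse[0])
    if any(len(series) != n for series in mse):
        raise ValueError("all processes must cover the same seconds")

    run = [0] * len(mse)  # consecutive seconds above threshold, per process
    flags = []
    for t in range(n):
        alarm = 0
        for g, series in enumerate(mse):
            run[g] = run[g] + 1 if series[t] > thresholds[g] else 0
            if run[g] >= w_anom + 1:  # whole interval exceeded the threshold
                alarm = 1
        flags.append(alarm)
    return flags


# Constructed errors for G = 6 processes over 12 seconds (not SWaT data).
SAMPLE_MSE = [[0.1] * 12 for _ in range(6)]
SAMPLE_MSE[1][2:4] = [0.9, 0.9]    # 2-second spike: shorter than the window
SAMPLE_MSE[3][5:10] = [0.8] * 5    # 5-second excursion: long enough to alarm
SAMPLE_T = [0.5] * 6               # assumed static thresholds T_g

if __name__ == "__main__":
    print(anomaly_flags(SAMPLE_MSE, SAMPLE_T, w_anom=3))
```

With `w_anom=3` the short spike on the second process never raises an alarm, which is how the window suppresses transient prediction errors.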

The DAICS threshold tuning mechanism

DAICS implements a method to update the threshold at runtime and address concept drift

The mechanism is based on a neural network:

  • input: a time series of prediction errors measured for the samples collected in a past time window
  • output: the estimation of the optimal anomaly threshold for the current sensors states