Anomaly Detection in ICS based on Data-history Analysis

Abstract

Data of industrial control systems (ICS) are increasingly subject to cyber attacks which should be detected by approaches such as anomaly detection before they can take effect. However, examples such as Stuxnet, Industroyer or Triton show that, despite all the precautions taken, it is still possible to overcome anomaly detection systems and cause damage. Similarly, damage can be made by intentional malicious and unintentional changes by employees in programming or configuration of ICS components. An example is an employee who unintentionally manipulates a machine's configuration to a higher temperature limit than it should have. The potential consequence would be that the machine overheats and breaks. The aim of the project MADISA (Machine Learning for Attack Detection Using Data of Industrial Control Systems) is to identify such anomalies in the data of ICS by examining the data-sets and creating a machine learning system (MLS) based on heuristics over meta-data, configurations and code content. For this purpose, this poster provides a structured analysis of real-world projects from a German automobile manufacturer which lead to first attributes in this unexplored approach for creating heuristics to anomaly detection of historic data in ICS.