Assessment of Cyber-Physical Intrusion Detection and Classification for Industrial Control Systems

The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitor network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses real-time cyber-physical intrusion detection and multiclass classification, based on a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised machine learning models are applied on a recent cyber-physical dataset, describing various cyber attacks and physical faults on a generic ICS. A key finding is that integration of physical process data improves detection and classification of all attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain cause analysis.