Assessment of Cyber-Physical Intrusion Detection and Classification for Industrial Control Systems

The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.