Using machine learning to detect and identify cyberattacks in Industrial Control Systems (ICS) offers a promising solution for uncovering zero-day attacks that traditional rulebased models cannot detect. However, applying ML-based intrusion detection in ICS environments presents challenges, including limited availability of attack data and difficulty in accurately identifying attack types. This paper addresses these challenges by proposing two key strategies. First, we demonstrate that the predictable traffic patterns of ICS networks enable the use of semi-supervised learning models for attack detection. We validate this approach using a benchmark dataset, showing that semi-supervised models achieve comparable performance to fully supervised models while relying solely on training with normal network data. Second, we propose a sequence-based approach for attack identification, using temporal data to improve the accuracy of identifying specific attack types. Our experiments reveal that incorporating historical network parameters improves the attack identification. Our research underscores the potential of semisupervised learning for effective attack detection and highlights the importance of incorporating network temporal properties to improve attack identification. 

Integration of the Internet of Things (IoT) in industrial settings necessitates robust cybersecurity measures to mitigate risks such as data leakage, vulnerability exploitation, and compromised information flows. Recent cyberattacks on critical industrial systems have highlighted the lack of threat analysis in software development processes. While existing threat modeling frameworks such as STRIDE enumerate potential security threats, they often lack detailed mapping of the sequences of threats that adversaries might exploit to apply cyberattacks. Our study proposes an enhanced approach to systematic threat modeling and data flow-based attack scenario analysis for integrating cybersecurity measures early in the development lifecycle. We enhance the STRIDE framework by extending it to include attack scenarios as sequences of threats exploited by adversaries. This extension allows us to illustrate various attack scenarios and demonstrate how these insights can aid system designers in strengthening their defenses. Our methodology prioritizes vulnerabilities based on their recurrence across various attack scenarios, offering actionable insights for enhancing system security. A case study in the automotive industry illustrates the practical application of our proposed methodology, demonstrating significant improvements in system security through proactive threat modeling and analysis of attack impacts. The results of our study provide actionable insights to improve system design and mitigate vulnerabilities. 

The recent advances in digitalization, improved connectivity and cloud based services are making a huge revolution in manufacturing domain. In spite of the huge potential benefits in productivity, these trends also bring in some concerns related to safety and security to the traditionally closed industrial operation scenarios. This paper presents a high-level view of some of the research results and technological contributions of the InSecTT Project for meeting safety/security goals. These technology contributions are expected to support both the design and operational phases in the production life cycle. Specifically, our contributions spans enforcing stricter but flexible access control, evaluation of machine learning techniques for intrusion detection, generation of realistic process control and network oriented datasets with injected anomalies and performing safety and security analysis on automated guided vehicle platoons.

This paper presents a cybersecurity solution designed to fortify Industrial Control Systems (ICS) against cyberattacks. The proposed solution integrates a Network-based Intrusion Detection System (NIDS) with a Decision Support System (DSS), leveraging machine learning to detect anomalies in network data and employing a filtering mechanism to reduce false alarms. The NIDS protects a simulated ICS testbed, detecting anomalies and forwarding them to the DSS for further analysis and selection of mitigation strategies. We outline the system architecture and showcase promising outcomes from a prototype implementation. Our proof of concept evaluation demonstrates high accuracy in detecting attack scenarios. Challenges such as detection delays between attacks and potential mitigations high-light areas for future improvement. This research contributes to bridging the gap between ML-based IDS and security solutions, paving the way for enhanced cybersecurity in ICS environments.

Over the past few decades, Industrial Control Systems (ICS) have been targeted by cyberattacks and are becoming increasingly vulnerable as more ICSs are connected to the internet. Using Machine Learning (ML) for Intrusion Detection Systems (IDS) is a promising approach for ICS cyber protection, but the lack of suitable datasets for evaluating ML algorithms is a challenge. Although a few commonly used datasets may not reflect realistic ICS network data, lack necessary features for effective anomaly detection, or be outdated. This paper introduces the ’ICS-Flow’ dataset, which offers network data and process state variables logs for supervised and unsupervised ML-based IDS assessment. The network data includes normal and anomalous network packets and flows captured from simulated ICS components and emulated networks, where the anomalies were applied to the system through various cyberattacks. We also proposed an open-source tool, ’ICSFlowGenerator,’ for generating network flow parameters from Raw network packets. The final dataset comprises over 25,000,000 raw network packets, network flow records, and process variable logs. The paper describes the methodology used to collect and label the dataset and provides a detailed data analysis. Finally, we implement several ML models, including the decision tree, random forest, and artificial neural network to detect anomalies and attacks, demonstrating that our dataset can be used effectively for training intrusion detection ML models.

With the advent of the smart industry, Industrial Control Systems (ICS) moved from isolated environments to connected platforms to meet Industry 4.0 targets. The inherent connectivity in these services exposes such systems to increased cybersecurity risks. To protect ICSs against cyberattacks, intrusion detection systems (IDS) empowered by machine learning are used to detect abnormal behavior of the systems. Operational ICSs are not safe environments to research IDSs due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds enable researchers to analyze and validate their IDSs in a controlled environment. Although various ICS testbeds have been developed, researchers’ access to a low-cost, extendable, and customizable testbed that can accurately simulate ICSs and suits security research is still an important issue. In this paper, we present ICSSIM, a framework for building customized virtual ICS security testbeds in which various cyber threats and network attacks can be effectively and efficiently investigated. This framework contains base classes to simulate control system components and communications. Simulated components are deployable on actual hardware such as Raspberry Pis, containerized environments like Docker, and simulation environments such as GNS-3. ICSSIM also offers physical process modeling using software and hardware in the loop simulation. This framework reduces the time for developing ICS components and aims to produce extendable, versatile, reproducible, low-cost, and comprehensive ICS testbeds with realistic details and high fidelity. We demonstrate ICSSIM by creating a testbed and validating its functionality by showing how different cyberattacks can be applied. © 2023 The Authors

There is a growing body of knowledge on network intrusion detection, and several open data sets with network traffic and cyber-security threats have been released in the past decades. However, many data sets have aged, were not collected in a contemporary industrial communication system, or do not easily support research focusing on distributed anomaly detection. This paper presents the Westermo network traffic data set, 1.8 million network packets recorded in over 90 minutes in a network built up of twelve hardware devices. In addition to the raw data in PCAP format, the data set also contains pre-processed data in the form of network flows in CSV files. This data set can support the research community for topics such as intrusion detection, anomaly detection, misconfiguration detection, distributed or federated artificial intelligence, and attack classification. In particular, we aim to use the data set to continue work on resource-constrained distributed artificial intelligence in edge devices. The data set contains six types of events: harmless SSH, bad SSH, misconfigured IP address, duplicated IP address, port scan, and man in the middle attack.

Modern manufacturing systems collect a huge amount of data which gives an opportunity to apply various Machine Learning (ML) techniques. The focus of this paper is on the detection of anomalous behavior in industrial manufacturing systems by considering the temporal nature of the manufacturing process. Long Short-Term Memory (LSTM) networks are applied on a publicly available dataset called Modular Ice-cream factory Dataset on Anomalies in Sensors (MIDAS), which is created using a simulation of a modular manufacturing system for ice cream production. Two different problems are addressed: anomaly detection and anomaly classification. LSTM performance is analysed in terms of accuracy, execution time, and memory consumption and compared with non-time-series ML algorithms including Logistic Regression, Decision Tree, Random Forest, and Multi-Layer Perceptron. The experiments demonstrate the importance of considering the temporal nature of the manufacturing process in detecting anomalous behavior and the superiority in accuracy of LSTM over non-time-series ML algorithms. Additionally, runtime adaptation of the predictions produced by LSTM is proposed to enhance its applicability in a real system.

Digital twins have recently gained significant interest in simulation, optimization, and predictive maintenance of Industrial Control Systems (ICS). Recent studies discuss the possibility of using digital twins for intrusion detection in industrial systems. Accordingly, this study contributes to a digital twin-based security framework for industrial control systems, extending its capabilities for simulation of attacks and defense mechanisms. Four types of process-aware attack scenarios are implemented on a standalone open-source digital twin of an industrial filling plant: command injection, network Denial of Service (DoS), calculated measurement modification, and naive measurement modification. A stacked ensemble classifier is proposed as the real-time intrusion detection, based on the offline evaluation of eight supervised machine learning algorithms. The designed stacked model outperforms previous methods in terms of F1Score and accuracy, by combining the predictions of various algorithms, while it can detect and classify intrusions in near real-time (0.1 seconds). This study also discusses the practicality and benefits of the proposed digital twin-based security framework

Cost optimization for workflow scheduling while meeting deadline is one of the fundamental problems in utility computing. In this paper, a two-phase cost-efficient scheduling algorithm called critical chain is presented. The proposed algorithm uses the concept of slack time in both phases. The first phase is deadline distribution over all tasks existing in the workflow which is done considering critical path properties of workflow graphs. Critical chain uses slack time to iteratively select most critical sequence of tasks and then assigns sub-deadlines to those tasks. In the second phase named mapping step, it tries to allocate a server to each task considering task’s sub-deadline. In the mapping step, slack time priority in selecting ready task is used to reduce deadline violation. Furthermore, the algorithm tries to locally optimize the computation and communication costs of sequential tasks exploiting dynamic programming. After proposing the scheduling algorithm, three measures for the superiority of a scheduling algorithm are introduced, and the proposed algorithm is compared with other existing algorithms considering the measures. Results obtained from simulating various systems show that the proposed algorithm outperforms four well-known existing workflow scheduling algorithms.