Anomaly detection in Industrial Control Systems using Logical Analysis of Data

Cyber attacks on Industrial Control Systems (ICSs) to disrupt the associated physical systems, like power grids and water treatment plants, are a harsh reality of the world today. Detection and prevention of anomalous behaviors such as cyber attacks are of vital importance. This paper focuses on a method to detect such anomalous behaviors in near real-time using laptop class processing power. ICSs depend on the sensor measurements to monitor and operate a plant. Moreover, any change in the behaviors of a physical process due to an attack can also be unearthed from the sensor measurements. Under different circumstances, these sensor measurements follow typical patterns. A partially defined Boolean function based supervised classification method, known as Logical Analysis of Data (LAD), can extract patterns (or rules) from historical sensor measurements, and these rules can categorize the condition of a plant. In this paper, these rules are used to design an Anomaly Detection System (ADS) to unearth anomalous behaviors. The efficacy of the proposed method is assessed using the sensor measurements from a testbed known as Secure Water Treatment (SWaT) system. The proposed technique is generic and can be extended to other ICSs such as power and transportation. Additionally, compared to other anomaly detection approaches, LAD-based ADS also helps to localize the anomaly. (C) 2020 Elsevier Ltd. All rights reserved.