Multi-step attack detection in industrial control systems using causal analysis

In the old generation of industrial control systems (ICSs), their sub-components communicated within private networks and, therefore, it was assumed that ICSs are safe from cyber-attacks. However, new advanced ICS sub-components need Internet connectivity to control and monitor their geographically dispersed structure. Connection to corporate networks and the public Internet create various security issues. The increasing number of attacks has become a serious threat for ICS networks. These sophisticated attacks use multiple steps and affect different devices. A major weakness of existing attack detection methods is that they only detect attacks and they do not help security analysts identify the cause and effect of attacks. Therefore, manual analysis is required to identify and isolate the cause of the attack. Causal analysis can help to track the propagation of an attack. While there is weak security in ICS networks, there is not sufficient research in the causal analysis of attacks in these networks. To address this research gap in ICS networks, we present a solution that detects the causal impact of attacks by investigating causal dependencies in ICS logs. Our ICS causal anomaly detection (ICS-CAD) method consists of two phases. It initially detects attacks and identifies the ICS device generating the malicious traffic. Secondly, it analyses causal relationships between ICS logs to diagnose the attacker's future effect. We use a causal decomposition method to discover causality relationships in ICS logs. The performance of the ICS-CAD is evaluated using two datasets collected in real-world ICS networks. The ICS-CAD provides 98% accuracy in detecting attacks and the causal impact of the detected attacks.