Research area: Infrastructure
Conference: IFIP International Conference on ICT Systems Security and Privacy Protection
The digitalisation of Critical National Infrastructure (CNI) to improve automation has resulted in the underlying Industrial Control Systems (ICS) becoming increasingly interconnected. This sudden connectivity, combined with a lack of inherent security controls in ICS components such as Programmable Logic Controllers (PLCs), has enabled sophisticated cyber adversaries to disrupt physical processes. Detecting and analysing attacks is therefore essential for ICS operators to ensure the continuous availability of critical systems. However, existing research has made limited advances in data provenance for anomalies occurring in ICS networks, which is fundamental for enabling rapid triaging of cyber incidents. In this paper, we introduce a novel vendor-independent approach for representing the behaviour of PLC states using graphs for anomaly detection. Through the modelling of dependencies between memory and network data artefacts, we facilitate the data provenance of different types of PLC attack scenarios using graph-based metrics as a generalisable feature set for accurate state and node classification. We evaluate our approach using two physical ICS testbeds with real PLCs to demonstrate generalisability across industrial vendors and environments. The results reveal high accuracy, reaching up to 98.9% and 98.7% for anomalous state and node detection, respectively.
| Publication year | 2025 |
|---|---|
| Citation count | 0 |
| Country of publication | |
| Site | Springer |
| Likes | 0 |