Article: Feature-driven anomalous behaviour detection and incident classification model for ICS in water treatment plants Journal: International Journal of Electronic Security and Digital Forensics (IJESDF) 2025 Vol.17 No.1/2 pp.1 - 29 Abstract: Industry 5.0 envisions humans working alongside emerging technologies and enabled by the fusion of devices and sensors using information and communication technologies (ICT) to facilitate process automation, monitoring and distributed control in industrial control systems (ICS). However, the application of disruptor technologies and exposure of insecure devices broadens the attack surface making ICS an attractive target for sophisticated threat actors. Furthermore, ICS deliver a range of critical services hence disruption of industrial operations and services could have serious consequences. This study proposes an anomaly-based intrusion detection system for a water treatment plant based on a new model to determine variable significance for improved detection accuracy using machine learning (ML) algorithms coupled with incident classification based on functional impact. Determining statistical significance for independent ICS variables was addressed using logistic regression. Overall, 39 variables are deemed relevant in diagnosing the system state of the ICS operation to be expected or under attack. Our approach is validated using the secure water treatment (SWaT) testbed. Experimental results reveal that anomaly detection was effective using k-NN, ANN and SVM achieving an F1-score of 0.99, 0.98 and 0.97 respectively. Inderscience Publishers - linking academia, business and industry through research

Title: Feature-driven anomalous behaviour detection and incident classification model for ICS in water treatment plants

Authors: Gabriela Ahmadi-Assalemi; Haider Al-Khateeb; Tanaka Laura Makonese; Vladlena Benson; Samiya Khan; Usman Javed Butt

Addresses: University of Cambridge, Cambridge, UK ' Cyber Security Innovation Centre, Aston University, Birmingham, UK ' Faculty of Science and Engineering, University of Wolverhampton, Wolverhampton, UK ' Cyber Security Innovation Centre, Aston University, Birmingham, UK ' Faculty of Science and Engineering, University of Wolverhampton, Wolverhampton, UK ' Northumbria University, London, UK

Abstract: Industry 5.0 envisions humans working alongside emerging technologies and enabled by the fusion of devices and sensors using information and communication technologies (ICT) to facilitate process automation, monitoring and distributed control in industrial control systems (ICS). However, the application of disruptor technologies and exposure of insecure devices broadens the attack surface making ICS an attractive target for sophisticated threat actors. Furthermore, ICS deliver a range of critical services hence disruption of industrial operations and services could have serious consequences. This study proposes an anomaly-based intrusion detection system for a water treatment plant based on a new model to determine variable significance for improved detection accuracy using machine learning (ML) algorithms coupled with incident classification based on functional impact. Determining statistical significance for independent ICS variables was addressed using logistic regression. Overall, 39 variables are deemed relevant in diagnosing the system state of the ICS operation to be expected or under attack. Our approach is validated using the secure water treatment (SWaT) testbed. Experimental results reveal that anomaly detection was effective using k-NN, ANN and SVM achieving an F1-score of 0.99, 0.98 and 0.97 respectively.

Keywords: critical national infrastructure; fifth industrial revolution; operational technology; smart city; advanced persistent threats; APT; artificial intelligence.

DOI: 10.1504/IJESDF.2025.143470

International Journal of Electronic Security and Digital Forensics, 2025 Vol.17 No.1/2, pp.1 - 29

Received: 18 Apr 2023
Accepted: 22 Jun 2023
Published online: 23 Dec 2024 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Feature-driven anomalous behaviour detection and incident classification model for ICS in water treatment plants

Keep up-to-date