System for Operational Technology Attack Detection in Industrial IoT

Christia Charilaou, Christiana Ioannou, V. Vassiliou

2022 · DOI: 10.1109/MedComNet55087.2022.9810446
Mediterranean Communication and Computer Networking Conference · 3 Citations

TLDR

This work proposes SOTAD, a System for Operational Technology Attack Detection, to detect malicious interventions in Industrial IoT and outlines the steps to be taken for creating the detection models, the data to be used for training and the monitoring time periods that allow high detection rates.

Abstract

Industrial Control Systems (ICS) can be remotely controlled, allowing easy access for better management and increased productivity, but at the cost of becoming susceptible to attacks. Disrupting operation in critical systems can be catastrophic and lead to different types of disasters. It is, therefore, of paramount importance to detect abnormalities in the operation process at an early stage, before irreversible damage occurs. Intrusion Detection Systems can detect operational faults when trained based on how the system is expected to operate, but also on what is not considered normal operation. In the current work, we propose SOTAD, a System for Operational Technology Attack Detection, to detect malicious interventions in Industrial IoT. SOTAD outlines the steps to be taken for creating the detection models, the data to be used for training and the monitoring time periods that allow high detection rates. The SOTAD detection mechanisms evaluated were the Threshold Baseline detection and the Binary Logistic Regression (BLR). The models were constructed using values from the field devices. The experimental validation of the proposed method was performed using two datasets obtained from iTrust, namely Secure Water Treatment (SWaT) and Water Distribution (WADI). The two datasets represent real-world industrial processes and consist of benign and malicious data samples.