Distributed Intrusion Detection System for Heterogeneous Data in Industrial Control Systems

FREDA, FRANCESCO
2022/2023

Abstract

In recent decades, Industrial Control Systems (ICS) have been affected by a wide range of cyberattacks that had a huge impact on the real world and on people's safety. These cyberattacks can compromise Critical Infrastructure (CI) in all countries and all fields, such as agriculture, water supply, and transportation systems. For this reason, CI protection has become an important concept in the defense against cyberattacks. In the last few years, one of the main techniques for protecting these systems has been the Intrusion Detection System (IDS), which allows potential anomalies and cyberattacks to be detected efficiently while being easy to deploy on existing networks. Nowadays, the techniques implemented inside industrial IDSs to achieve the best performance in the detection of cyber anomalies are based on Machine Learning (ML) and Deep Learning (DL). However, the proposed approaches are mostly black-box methods that lack generalization and explainability and require large computing power. Furthermore, these complex techniques may be specialized in the detection of well-defined cyberattacks, leaving the door open to zero-day attacks. Some recent results show that simpler approaches based on static rules are comparable to, and sometimes better than, more complex algorithms. In this thesis, we propose a Distributed Intrusion Detection System (DIDS) using transparent and straightforward detectors. The detector is distributed because it covers all the heterogeneous types of data that characterize an ICS: physical and network. Network detectors are applied at different points inside the ICS to monitor the traffic, while the physical detector takes the information from the Supervisory Control and Data Acquisition (SCADA) devices as input to find anomalies in the field-device processes. Indeed, most modern industrial IDSs focus on a single type of data only, with the consequence of missing meaningful information.
Moreover, our DIDS is compatible with the majority of industrial protocols. We tested the proposed methodology on two digital-twin scenarios, each including six different cyberattacks. The distributed approach proves effective in correctly identifying all attacks, as opposed to an approach that considers only one source of information. In fact, during our experiments, the distributed detector identified six out of six attacks with zero false detections in both scenarios. Finally, after the anomalies have been identified, we propose a Random Forest-based method that assigns an attack type to each anomaly. This approach obtains 83% Macro-averaged Precision, 85% Macro-averaged Recall, and 84% Macro-averaged F1 score.
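The abstract reports the attack-type classifier's quality as macro-averaged precision, recall and F1. The following example, added here and not taken from the thesis, shows how those three figures are computed: per-class scores first, then an unweighted mean over classes, so that a rarely occurring attack type counts as much as a frequent one. The class names and the label sequences are constructed placeholders, not the thesis's six attacks or its results, and the zero-division convention for a class that is never predicted is an assumption stated in the code.

```python
from collections import Counter

# Constructed sample (not the thesis's data): each anomaly already flagged by
# the detector is assigned one of three hypothetical attack classes.
TRUE_LABELS = ["mitm", "mitm", "mitm", "mitm", "dos", "dos", "dos", "replay", "replay", "replay"]
PRED_LABELS = ["mitm", "mitm", "mitm", "dos", "dos", "dos", "replay", "replay", "replay", "replay"]


def per_class_counts(y_true, y_pred):
    """True positives, false positives and false negatives for every class."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for truth, pred in zip(y_true, y_pred):
        if truth == pred:
            tp[truth] += 1
        else:
            fp[pred] += 1   # the predicted class received a wrong hit
            fn[truth] += 1  # the true class was missed
    return tp, fp, fn


def per_class_scores(y_true, y_pred):
    """Precision, recall and F1 for each class seen in the truth or the predictions.

    Assumption: a class with no predictions (tp + fp == 0) has undefined precision
    and is scored 0 here. Because the macro average weights every class equally,
    this pulls the average down instead of hiding a class the classifier never emits.
    """
    tp, fp, fn = per_class_counts(y_true, y_pred)
    scores = {}
    for cls in sorted(set(y_true) | set(y_pred)):
        p_den = tp[cls] + fp[cls]
        r_den = tp[cls] + fn[cls]
        precision = tp[cls] / p_den if p_den else 0.0
        recall = tp[cls] / r_den if r_den else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        scores[cls] = (precision, recall, f1)
    return scores


def macro_average(y_true, y_pred):
    """Macro-averaged precision, recall and F1: the unweighted mean over classes."""
    scores = per_class_scores(y_true, y_pred)
    n = len(scores)
    macro_p = sum(s[0] for s in scores.values()) / n
    macro_r = sum(s[1] for s in scores.values()) / n
    macro_f1 = sum(s[2] for s in scores.values()) / n
    return macro_p, macro_r, macro_f1


if __name__ == "__main__":
    for cls, (p, r, f1) in per_class_scores(TRUE_LABELS, PRED_LABELS).items():
        print(f"{cls:8s} precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
    p, r, f1 = macro_average(TRUE_LABELS, PRED_LABELS)
    print(f"macro    precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
```

Note that macro F1 is the mean of the per-class F1 values, not the F1 of the macro precision and macro recall; the two differ whenever the classes have unequal precision/recall balance, which is why a report should state which one it uses.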
Keywords

IDS, ICS, OT, CPS, Distributed IDS
Files in this item:

File: Freda_Francesco.pdf (open access)
Size: 1.68 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/52255