Feature-driven Anomalous Behaviour Detection and Incident Classification Model for ICS in Water Treatment Plants

Industry 5.0 envisions humans working alongside emerging technologies and enabled by the fusion of devices and sensors using Information and Communication Technologies (ICT) to facilitate process automation, monitoring and distributed control in Industrial Control Systems (ICS). However, the application of disruptor technologies and exposure of insecure devices broadens the attack surface making ICS an attractive target for sophisticated threat actors. Furthermore, ICS deliver a range of critical services hence disruption of industrial operations and services could have serious consequences. This study proposes an anomaly-based intrusion detection system for a water treatment plant based on a new model to determine variable significance for improved detection accuracy using Machine Learning (ML) algorithms coupled with incident classification based on functional impact. Determining statistical significance for independent ICS variables was addressed using logistic regression. Overall, thirty-nine variables are deemed relevant in diagnosing the system state of the ICS operation to be expected or under attack. Our approach is validated using the Secure Water Treatment (SWaT) testbed. Experimental results reveal that anomaly detection was effective using k-NN, ANN and SVM achieving an F1-score of 0.99, 0.98 and 0.97 respectively.