In a paper recently published in the journal Sensors, the authors reviewed the integration of machine learning (ML) techniques to improve the cybersecurity of industrial control systems (ICSs).
Background
The application of ML techniques in cybersecurity makes malware detection more effective, scalable, and actionable compared to conventional approaches that need human intervention. ML allows the detection of active threats in real time, enabling cybersecurity teams to proactively prevent security breaches.
ICSs are critical for regulating and managing industrial processes. Several ML-based approaches can be utilized to improve the cybersecurity of ICSs, including distributed control systems (DCS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA) systems, by effectively detecting and mitigating cyber threats.
For instance, ML techniques that are used for anomaly detection (AD) tasks in ICSs include support vector machines (SVM), random forest (RF), neural networks (NNs), gradient boosting, autoencoders, isolation forest, density-based clustering, local outlier factor, and Gaussian mixture models (GMM).
AD entails training an ML model on a dataset representing normal behavior to enable the model to identify anomalies or deviations effectively. The approach can be used to detect abnormal activities, such as suspicious user behavior, system misuse, or network intrusions.
Supervised ML-based AD approaches
These approaches involve training an ML model using labeled data to classify behavior in the ICS as either normal or anomalous. For instance, an SVM trained on labeled data, where anomalies are labeled as one class and normal behavior as the other, can find the hyperplane that separates these two classes with the maximum margin.
Similarly, a technique combining unsupervised fuzzy C-means clustering with a supervised SVM can be employed to calculate the distance between the communication data of industrial control networks and the cluster centers. The SVM then categorizes the data segments that fulfill specific threshold criteria. Studies have demonstrated that this approach can significantly increase classification accuracy and reduce training duration compared to traditional intrusion detection approaches, without requiring prior knowledge of class labels.
In AD, every decision tree of RF is trained using labeled data, and the final decision is made depending on the majority vote of the decision trees. RF can efficiently handle high-dimensional data and effectively identify anomalies. NNs, such as recurrent neural networks (RNNs) or feed-forward networks, can be utilized for supervised AD. NNs, specifically RNNs, can understand complex relationships and patterns within the ICS data to detect anomalies.
Gradient boosting algorithms, such as LightGBM or XGBoost, can be used to successfully detect different anomalies. Although gradient boosting techniques can effectively handle non-linearity and are scalable, these techniques are computationally expensive and lack interpretability.
Autoencoders can identify the most nonlinear and challenging dependencies within the data, which makes them extremely effective for high-quality AD. An intrusion detection system (IDS) devised using deep learning (DL) algorithms, such as deep belief networks and stacked autoencoders, can effectively recognize different injection attacks. DL-based IDS that leverages the autoencoder for feature extraction and the One Hot encoder for preprocessing can quickly detect intrusions and other similar activities that can lead to disruptions in networking systems.
Unsupervised ML-based AD approaches
These approaches improve ICS cybersecurity by identifying potential cyber threats or abnormal behavior without requiring labeled data. For instance, an isolation forest isolates anomalies by partitioning data recursively until every data point is isolated in its tree leaf. Anomalies are primarily identified as instances requiring fewer partitions to isolate.
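The isolation-forest idea described above, as an added illustration that is not code from the reviewed paper: a minimal implementation on a constructed set of (pressure, flow) readings from a hypothetical pump loop, where one injected out-of-range reading is isolated in far fewer random partitions than the normal readings and therefore receives the highest anomaly score.

```python
import math
import random

# Constructed sample: (pressure, flow) readings from a notional pump loop. Normal
# operation stays near (50, 20); the last reading is an injected out-of-range value.
SAMPLES = [(50 + (i % 7) * 0.3, 20 + (i % 5) * 0.2) for i in range(60)] + [(95.0, 2.0)]

def c_factor(n):
    """Expected path length in a tree of n points; normalises depth across sizes."""
    if n <= 2:
        return 1.0 if n == 2 else 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(points, depth, max_depth, rng):
    """Split on a random feature at a random value until a point is isolated."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    f = rng.randrange(len(points[0]))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return {"size": len(points)}
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    return {"f": f, "split": split, "left": build_tree(left, depth + 1, max_depth, rng),
            "right": build_tree(right, depth + 1, max_depth, rng)}

def path_length(tree, x, depth=0):
    """Depth at which x lands, plus the expected extra depth of an unsplit leaf."""
    if "size" in tree:
        return depth + c_factor(tree["size"])
    child = tree["left"] if x[tree["f"]] < tree["split"] else tree["right"]
    return path_length(child, x, depth + 1)

def isolation_forest(samples, n_trees=100, sub=32, seed=1):
    """Grow n_trees trees, each on a random subsample of size sub."""
    rng, sub = random.Random(seed), min(sub, len(samples))
    max_depth = math.ceil(math.log2(sub))
    return [build_tree(rng.sample(samples, sub), 0, max_depth, rng) for _ in range(n_trees)], sub

def anomaly_score(trees, sub, x):
    """Score in (0, 1]: few partitions to isolate x (short paths) push it toward 1."""
    avg = sum(path_length(t, x) for t in trees) / len(trees)
    return 2 ** (-avg / c_factor(sub))

def score_all(samples=SAMPLES):
    # Score every reading; the injected reading should rank highest.
    trees, sub = isolation_forest(samples)
    return [anomaly_score(trees, sub, x) for x in samples]
```

Because the forest needs no labels, the same scoring can run on live telemetry once trained on a window of normal operation; the threshold that turns a score into an alert is a tuning decision that trades false positives against missed events.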
In ICS, density-based clustering methods can identify normal behavior clusters and consider the isolated points as abnormal behaviors. The method involves evaluating the density values for both faulty and healthy machinery. The density change rate from healthy to faulty is measured as a fault threshold. Density-based clustering is suitable for scenarios where collecting faulty data is expensive or arduous.
One-Class SVM (OCSVM) can be utilized in ICS to learn the boundary of normal behavior and classify instances relative to that boundary, and is effective for intrusion detection in ICSs. OCSVM can train the AD model using only one class of samples, build a model with higher accuracy, and remain robust to noisy samples. A GMM-based statistical traffic analysis approach can be employed to detect anomalies, such as man-in-the-middle attacks, in a communication process by analyzing the timing of the traffic.
IDS based on ML
ML techniques can be integrated into IDS to achieve better intrusion detection outcomes. For instance, deep autoencoders can be utilized to detect Internet of Things (IoT) botnet attacks. In one study, researchers proposed a model comprising an ensemble of autoencoders, each trained to recognize the normal network behavior of a particular IoT device and to detect any unusual traffic generated by that device. The model demonstrated excellent performance, attaining a 100% true positive rate and a 7% false positive rate.
In another study, researchers combined Q-learning-based reinforcement learning (RL) with a deep feed-forward NN technique for network intrusion detection. DL models, such as convolutional neural networks (CNNs) and RNNs, can be employed in IDS to identify temporal dependencies and complex patterns in the ICS data.
ML can also be used to improve authorization and authentication processes, preventing attackers from bypassing access controls or at least making such bypasses harder. RL methods, such as Q-learning, can be used for IoT device authentication and for the detection of malware attacks and jamming.
To summarize, ML methods have displayed significant potential in enhancing ICS cybersecurity. However, the use of ML methods in cybersecurity also has several challenges related to data quality and quantity, imbalanced data, and logic manipulation, which must be addressed to further increase the effectiveness of these methods.
Journal reference:
- Nankya, M., Chataut, R., & Akl, R. (2023). Securing Industrial Control Systems: Components, Cyber Threats, and Machine Learning-Driven Defense Strategies. Sensors, 23(21), 8840. https://doi.org/10.3390/s23218840 (https://www.mdpi.com/1424-8220/23/21/8840)