A Prototype Tool for Distinguishing Attacks and Technical Failures in Industrial Control Systems
Abstract
Critical Infrastructures (CIs) are governed by Industrial Control Systems (ICSs). Modern ICSs no longer operate in isolation; they are connected to the Internet. This transformation brought numerous advantages, but it also has drawbacks. Integration with the Internet has left ICSs exposed to potential cyber-attacks. In addition, ICSs can encounter technical failures during operation. Consequently, it is crucial to distinguish between attacks and technical failures in order to initiate an appropriate response. There is a lack of robust technology to assist operators in distinguishing attacks from technical failures in an ICS environment. In our previous work, however, we proposed a framework for constructing Bayesian Network (BN) models that help distinguish between attacks and technical failures for different observable problems. Tools are available to implement such BN models, but they are not appropriate for use in an ICS environment. To address this limitation, this paper develops and demonstrates a prototype tool for swift identification of the major cause (Intentional Attack/Accidental Technical Failure) of abnormal behaviour in a component of an ICS.
The proposed tool enables BN models to automatically update prior probabilities based on historical data and/or expert knowledge corresponding to the application. The developed tool can be further evaluated and used to distinguish between attacks and technical failures during operation in CIs where ICSs are employed.
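As an added illustration of the approach the abstract describes (example code, not the paper's prototype tool), the Python below builds a small Bayesian network whose cause node (attack vs. technical failure) has its prior and conditional tables updated from a constructed historical incident log blended with expert pseudo-counts, then infers the most likely cause for an observed abnormal behaviour. The symptom names, pseudo-counts and log entries are all assumptions made for this example.

```python
from collections import Counter
# Cause node with two states and three binary symptom nodes (names constructed for this example).
CAUSES = ("attack", "failure")
SYMPTOMS = ("sensor_anomaly", "unexpected_network_traffic", "unauthorised_config_change")
# Expert knowledge as Beta/Dirichlet pseudo-counts (constructed): (present, absent) per
# P(symptom | cause), plus one count per cause for the prior P(cause).
EXPERT_SYMPTOM = {
    "attack":  {"sensor_anomaly": (7, 3), "unexpected_network_traffic": (8, 2),
                "unauthorised_config_change": (6, 4)},
    "failure": {"sensor_anomaly": (8, 2), "unexpected_network_traffic": (1, 9),
                "unauthorised_config_change": (1, 9)},
}
EXPERT_CAUSE = {"attack": 2, "failure": 8}  # experts expect failures to be far more frequent
# Constructed historical incident log: labelled past incidents and the symptoms seen.
HISTORY = [
    {"cause": "failure", "symptoms": {"sensor_anomaly": True}},
    {"cause": "failure", "symptoms": {"sensor_anomaly": True}},
    {"cause": "attack", "symptoms": {"sensor_anomaly": True, "unexpected_network_traffic": True}},
]

def learn_tables(records):
    """Blend expert pseudo-counts with historical counts (posterior means) into the
    prior P(cause) and the conditional probability tables P(symptom | cause)."""
    cause_counts = Counter(r["cause"] for r in records)
    total = sum(cause_counts[c] + EXPERT_CAUSE[c] for c in CAUSES)
    prior = {c: (cause_counts[c] + EXPERT_CAUSE[c]) / total for c in CAUSES}
    cpt = {c: {} for c in CAUSES}
    for c in CAUSES:
        for s in SYMPTOMS:
            a, b = EXPERT_SYMPTOM[c][s]
            present = sum(1 for r in records if r["cause"] == c and r["symptoms"].get(s, False))
            cpt[c][s] = (a + present) / (a + b + cause_counts[c])
    return prior, cpt

def posterior(evidence, prior, cpt):
    """Exact inference on the star-shaped BN: P(cause | observed symptoms).
    evidence maps symptom -> True/False; symptoms not in evidence are marginalised out."""
    unnorm = {}
    for c in CAUSES:
        p = prior[c]
        for s, seen in evidence.items():
            p *= cpt[c][s] if seen else 1 - cpt[c][s]
        unnorm[c] = p
    return {c: v / sum(unnorm.values()) for c, v in unnorm.items()}

def most_likely_cause(evidence, records=HISTORY):
    """Return (cause, probability) for an abnormal behaviour described by evidence."""
    post = posterior(evidence, *learn_tables(records))
    cause = max(post, key=post.get)
    return cause, post[cause]
```

With the constructed log, a lone sensor anomaly is attributed to a technical failure with about 97% probability, while the same anomaly combined with unexpected network traffic and an unauthorised configuration change flips the verdict to attack at about 94%.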