Traceable Transformer-Based Anomaly Detection for a Water Treatment System

Abstract

As industrial control system malfunctions caused by attacks become more complex and frequent, anomaly detection and subsequent forensic analyses are more important than ever. When an anomaly is detected, security professionals need to accurately identify the components that are under attack. However, traditional methods do not provide enough traces, which makes it difficult to identify the targeted components. This chapter describes a traceable anomaly detection method that leverages unsupervised learning using industrial control system component time series data. The method generates customized transformer-encoder classifiers for industrial control system components. The final detection result is ensembled from all the classifier outputs. Experiments with water treatment testbed data indicate that the method achieves good performance with low false positive rates and delays, and strong traceability.