Improving SIEM for Critical SCADA Water Infrastructures Using Machine Learning

  • Hanan Hindy
  • David Brosset
  • Ethan Bayne
  • Amar Seeam
  • Xavier Bellekens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11387)


Networked Control Systems (NCS) are used in many industrial processes. They aim to reduce the burden on human operators and to handle the complex process and communication tasks of those systems efficiently. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation). Like other Internet of Things (IoT) deployments, SCADA systems are exposed to cyber-attacks, so robust anomaly detection is a major requirement. Building an accurate anomaly detection system is not an easy task, however, because cyber-attacks are difficult to tell apart from internal system failures (e.g. hardware failures). In this paper, we present a model that detects anomalous events in a water system controlled by SCADA. Six machine learning techniques were used to build and evaluate the model. The model classifies different anomaly events, including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and spoofing). Unlike other detection systems, our proposed work helps to accelerate mitigation by notifying the operator with additional information when an anomaly occurs: the probability and confidence level of the event(s) occurring. The model is trained and tested on a real-world dataset.
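The enrichment the abstract describes (an anomaly class plus its probability and a confidence level handed to the operator) as an added illustration that is not the paper's model, dataset or feature set: a hand-written Gaussian naive Bayes classifier over four hypothetical telemetry fields of a SCADA-controlled water tank, emitting a SIEM-style event for each reading. All training and live records are constructed, and the confidence thresholds are this example's own convention.

```python
"""Illustrative SIEM enrichment for a SCADA-controlled water tank.

Hand-rolled Gaussian naive Bayes: label each telemetry record as normal,
sensor_failure, dos or spoofing and attach the class probability plus a
coarse confidence band.  All records are CONSTRUCTED (not the paper's
dataset); the feature set and thresholds are assumptions of this example."""
import math
from collections import defaultdict

# Feature order for every record (hypothetical telemetry fields):
#   level_pct   tank level reported by the level sensor (0-100 %)
#   flow_lpm    outflow reported by the flow meter (litres/min)
#   msg_rate    Modbus/TCP requests per second seen at the PLC
#   level_jump  |level_pct - previous level_pct|
FEATURES = ("level_pct", "flow_lpm", "msg_rate", "level_jump")

# Constructed, labelled training records: (features, label).
TRAIN = [
    ((48.0, 12.0, 5.0, 0.5), "normal"),
    ((52.0, 11.5, 4.0, 1.0), "normal"),
    ((45.0, 12.5, 6.0, 0.8), "normal"),
    ((55.0, 13.0, 5.0, 1.2), "normal"),
    # level sensor dead: reads 0 while flow and bus traffic look normal
    ((0.0, 12.0, 5.0, 48.0), "sensor_failure"),
    ((0.0, 11.0, 4.0, 52.0), "sensor_failure"),
    ((0.0, 12.5, 6.0, 45.0), "sensor_failure"),
    ((0.0, 13.0, 5.0, 55.0), "sensor_failure"),
    # request flood at the PLC while process values stay normal
    ((50.0, 12.0, 420.0, 0.6), "dos"),
    ((49.0, 12.0, 380.0, 0.4), "dos"),
    ((51.0, 11.5, 450.0, 0.9), "dos"),
    ((47.0, 12.5, 400.0, 0.7), "dos"),
    # spoofed level: plausible value, but a jump the tank cannot produce
    ((85.0, 12.0, 5.0, 35.0), "spoofing"),
    ((15.0, 12.5, 5.0, 33.0), "spoofing"),
    ((90.0, 11.5, 4.0, 40.0), "spoofing"),
    ((10.0, 12.0, 6.0, 38.0), "spoofing"),
]


def fit_gaussian_nb(records, smoothing=1e-6):
    """Per-class prior, mean and variance per feature.  A fraction of the largest
    variance is added everywhere so a zero-variance feature (the dead sensor
    always reads exactly 0.0) does not collapse to a spike."""
    by_class = defaultdict(list)
    for x, y in records:
        by_class[y].append(x)
    model = {}
    for label, rows in by_class.items():
        n = len(rows)
        means = [sum(r[j] for r in rows) / n for j in range(len(FEATURES))]
        variances = [sum((r[j] - means[j]) ** 2 for r in rows) / n
                     for j in range(len(FEATURES))]
        model[label] = {"prior": n / len(records), "mean": means, "var": variances}
    eps = smoothing * max(v for m in model.values() for v in m["var"])
    for m in model.values():
        m["var"] = [v + eps for v in m["var"]]
    return model


def posterior(model, x):
    """Return {label: P(label | x)} from log-likelihoods via a stable softmax."""
    scores = {}
    for label, m in model.items():
        ll = math.log(m["prior"])
        for xj, mu, var in zip(x, m["mean"], m["var"]):
            ll += -0.5 * math.log(2 * math.pi * var) - (xj - mu) ** 2 / (2 * var)
        scores[label] = ll
    top = max(scores.values())
    weights = {k: math.exp(s - top) for k, s in scores.items()}
    total = sum(weights.values())
    return {k: w / total for k, w in weights.items()}


def confidence_band(p_top, p_second):
    """Coarse confidence for the operator (thresholds are this example's own
    convention): how clearly the winner is ahead of the runner-up class."""
    if p_top >= 0.95 and p_top - p_second >= 0.90:
        return "high"
    if p_top >= 0.70:
        return "medium"
    return "low"


def classify(model, x):
    """Build the enriched SIEM event: label, probability, confidence band and
    runner-up class, so the operator can triage without re-deriving the verdict."""
    ranked = sorted(posterior(model, x).items(), key=lambda kv: kv[1], reverse=True)
    (label, p1), (runner, p2) = ranked[0], ranked[1]
    return {
        "event": label,
        "probability": round(p1, 4),
        "confidence": confidence_band(p1, p2),
        "runner_up": runner,
        "runner_up_probability": round(p2, 4),
    }


MODEL = fit_gaussian_nb(TRAIN)

if __name__ == "__main__":
    # Constructed live readings: one clean record, then one of each anomaly.
    for rec in [(50.0, 12.0, 5.0, 0.7), (0.0, 12.0, 5.0, 50.0),
                (50.0, 12.0, 410.0, 0.5), (88.0, 12.0, 5.0, 36.0)]:
        print(classify(MODEL, rec))
```

Running the module prints one enriched event per constructed reading, with `event`, `probability` and `confidence` side by side, which is the extra context the abstract says the operator should receive. The learner is deliberately the simplest one that yields calibrated-looking probabilities; a different classifier (the paper evaluated six) slots in by replacing `fit_gaussian_nb` and `posterior` while `classify` keeps producing the same event shape.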


Keywords: Cyber-physical systems, Machine learning, SCADA, SIEM


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Division of Cyber Security, Abertay University, Dundee, Scotland, UK
  2. Naval Academy Research Institute, Brest, France
  3. Department of Computer Science, Middlesex University, Flic-en-Flac, Mauritius
