7 research outputs found

    Anomalous behaviour detection for cyber defence in modern industrial control systems

    A thesis submitted in partial fulfilment of the requirements of the University of Wolverhampton for the degree of Doctor of Philosophy. The fusion of pervasive internet connectivity and emerging technologies in smart cities creates fragile cyber-physical-natural ecosystems. Industrial Control Systems (ICS) are intrinsic parts of smart cities and critical to modern societies. Although ICS were not designed for interconnectivity or security, disruptor technologies enable ubiquitous computing in modern ICS. Aided by artificial intelligence and the industrial internet of things, they transform the ICS environment towards better automation, process control and monitoring. However, investigations reveal that leveraging disruptive technologies in ICS creates security challenges, exposing critical infrastructure to sophisticated threat actors including increasingly hostile, well-organised cybercrime groups and Advanced Persistent Threats. Besides external factors, insider threats are prevalent, including malicious intent, accidental hazards and professional errors. The sensing capabilities create opportunities to capture various data types. Apart from operational use, this data combined with artificial intelligence can be innovatively utilised to model anomalous behaviour as part of defence-in-depth strategies. As such, this research aims to investigate and develop a security mechanism to improve cyber defence in ICS. Firstly, this thesis contributes a Systematic Literature Review (SLR), which helps analyse frameworks and systems that address CPS’ cyber resilience and digital forensic incident response in smart cities. The SLR uncovers emerging themes and reaches several key findings. For example, the chronological analysis reveals key influencing factors, whereas the data source analysis points to a lack of real CPS datasets and a prevalent reliance on software and infrastructure-based simulations. Further in-depth analysis shows that cross-sector proposals or applications to improve digital forensics with a focus on cyber resilience are addressed by only a small number of research studies in some smart sectors. Next, this research introduces a novel super learner ensemble anomaly detection and cyber risk quantification framework to profile anomalous behaviour in ICS and derive a cyber risk score. The proposed framework and associated learning models are experimentally validated. The results are promising: an overall F1-score of 99.13% and an anomalous recall score of 99%, detecting anomalies lasting only 17 seconds and ranging from 0.5% to 89% of the dataset. Further, a one-class classification model is developed, leveraging stream rebalancing followed by adaptive machine learning algorithms and drift detection methods. The model is experimentally validated, producing promising results including an overall Matthews Correlation Coefficient (MCC) score of 0.999 and a Cohen’s Kappa (K) score of 0.9986 on limited-variable, single-type anomalous behaviour per data stream. Wide data streams achieve an MCC score of 0.981 and a K score of 0.9808 in the presence of multiple types of anomalous instances. Additionally, the thesis scrutinises the applicability of the learning models to support digital forensic readiness. The research study presents the concepts of digital witness and digital chain of custody in ICS. Following that, a use case integrating blockchain technologies into the design of ICS to support digital forensic readiness is discussed. In conclusion, the contributions of this research thesis help towards developing the next generation of state-of-the-art methods for anomalous behaviour detection in ICS defence-in-depth.

    Federated blockchain-based tracking and liability attribution framework for employees and cyber-physical objects in a smart workplace

    The systematic integration of the Internet of Things (IoT) and Cyber-Physical Systems (CPS) into the supply chain to increase operational efficiency and quality has also introduced new complexities to the threat landscape. The myriad of sensors could increase data collection capabilities for businesses to facilitate process automation aided by Artificial Intelligence (AI), but without adopting an appropriate Security-by-Design framework, threat detection and response are destined to fail. The emerging concept of the Smart Workplace incorporates many CPS (e.g. robots and drones) to execute tasks alongside employees, both of which can be exploited as insider threats. We introduce and discuss forensic-readiness, liability attribution and the ability to track moving Smart CPS Objects to support modern Digital Forensics and Incident Response (DFIR) within a defence-in-depth strategy. We present a framework to facilitate the tracking of object behaviour within Smart Controlled Business Environments (SCBE) to support resilience by enabling proactive insider threat detection. Several components of the framework were piloted in a company to discuss a real-life case study and demonstrate anomaly detection and the emergence of behavioural patterns according to objects' movement in relation to their job role, workspace position and nearest entry or exit. The empirical data was collected from a Bluetooth-based Proximity Monitoring Solution. Furthermore, a key strength of the framework is a federated Blockchain (BC) model to achieve forensic-readiness by establishing a digital Chain-of-Custody (CoC) and a collaborative environment for CPS to qualify as Digital Witnesses (DW) to support post-incident investigations.

    Genomic epidemiology of SARS-CoV-2 in a UK university identifies dynamics of transmission

    Understanding SARS-CoV-2 transmission in higher education settings is important to limit spread between students, and into at-risk populations. In this study, we sequenced 482 SARS-CoV-2 isolates from the University of Cambridge from 5 October to 6 December 2020. We perform a detailed phylogenetic comparison with 972 isolates from the surrounding community, complemented with epidemiological and contact tracing data, to determine transmission dynamics. We observe limited viral introductions into the university; the majority of student cases were linked to a single genetic cluster, likely following social gatherings at a venue outside the university. We identify considerable onward transmission associated with student accommodation and courses; this was effectively contained using local infection control measures and following a national lockdown. Transmission clusters were largely segregated within the university or the community. Our study highlights key determinants of SARS-CoV-2 transmission and effective interventions in a higher education setting that will inform public health policy during pandemics.

    Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

    The world is experiencing a rapid growth of smart cities accelerated by Industry 4.0, including the Internet of Things (IoT), and enhanced by the application of emerging innovative technologies which in turn create highly fragile and complex cyber–physical–natural ecosystems. This paper systematically identifies peer-reviewed literature and explicitly investigates empirical primary studies that address cyber resilience and digital forensic incident response (DFIR) aspects of cyber–physical systems (CPSs) in smart cities. Our findings show that CPSs addressing cyber resilience and support for modern DFIR are a recent paradigm. Most of the primary studies are focused on a subset of the incident response process, the “detection and analysis” phase, whilst attempts to address other parts of the DFIR process remain limited. Further analysis shows that research focused on smart healthcare and smart citizen were addressed only by a small number of primary studies. Additionally, our findings identify a lack of available real CPS-generated datasets, limiting the experiments to mostly testbed-type environments or, in some cases, authors relied on simulation software. Therefore, contributing this systematic literature review (SLR), we used a search protocol providing an evidence-based summary of the key themes and main focus domains investigating cyber resilience and DFIR addressed by CPS frameworks and systems. This SLR also provides scientific evidence of the gaps in the literature for possible future directions for research within the CPS cybersecurity realm. In total, 600 papers were surveyed, from which 52 primary studies were included and analysed.

    Super-learner ensemble for anomaly detection and cyber-risk quantification in industrial control systems

    This is an accepted manuscript of an article published by IEEE in IEEE Internet of Things Journal on 20/01/2022. The accepted version of the publication may differ from the final published version. Industrial Control Systems (ICS) are integral parts of smart cities and critical to modern societies. Despite the indisputable opportunities introduced by disruptor technologies, they expand the cybersecurity threat landscape, which is increasingly more hostile. The quantum of sensors utilised by ICS, aided by Artificial Intelligence (AI), enables data collection capabilities to facilitate automation, process streamlining and cost reduction. However, apart from operational use, the sensor-generated data combined with AI can be innovatively utilised to model anomalous behaviour as part of layered security to increase resilience to cyber-attacks. We introduce a framework to profile anomalous behaviour in ICS and derive a cyber-risk score. A novel super learner ensemble for one-class classification is developed, using overlapping rolling windows with stratified, k-fold, n-repeat cross-validation applied to each base-learner, followed by majority voting to derive the best learner. Our approach is demonstrated on a liquid distribution sensor dataset. The experimental results reveal that the proposed technique achieves an overall F1-score of 99.13% and an anomalous recall score of 99%, detecting anomalies lasting only 17 seconds. The key strength of the framework is its low computational complexity and error rate. The framework is modular, generic, applicable to other ICS and transferable to other smart city sectors.

    Optimising driver profiling through behaviour modelling of in-car sensor and global positioning system data

    This is an accepted manuscript of an article published by Elsevier in Computers & Electrical Engineering, available online at: https://doi.org/10.1016/j.compeleceng.2021.107047. The accepted version of the publication may differ from the final published version. Connected cars have a massive impact on the automotive sector, and whilst this catalyst and disruptor technology introduces threats, it also brings opportunities to address existing vehicle-related crimes such as carjacking. Connected cars are fitted with sensors and are capable of sophisticated computational processing, which can be used to model and differentiate drivers as a means of layered security. We generate a dataset collecting 14 hours of driving in the city of London. The route was 8.1 miles long and included various road conditions such as roundabouts, traffic lights, and several speed zones. We identify and rank the features from the driving segments, classify our sample using Random Forest, and optimise the learning-based model to 98.84% accuracy (95% confidence) given a small 10-second driving window size. Differences in driving patterns were uncovered to distinguish between female and male drivers, especially through variations in longitudinal acceleration, driving speed, torque and revolutions per minute.

    Feature-driven Anomalous Behaviour Detection and Incident Classification Model for ICS in Water Treatment Plants

    Industry 5.0 envisions humans working alongside emerging technologies, enabled by the fusion of devices and sensors using Information and Communication Technologies (ICT) to facilitate process automation, monitoring and distributed control in Industrial Control Systems (ICS). However, the application of disruptor technologies and the exposure of insecure devices broaden the attack surface, making ICS an attractive target for sophisticated threat actors. Furthermore, ICS deliver a range of critical services, hence disruption of industrial operations and services could have serious consequences. This study proposes an anomaly-based intrusion detection system for a water treatment plant based on a new model to determine variable significance for improved detection accuracy using Machine Learning (ML) algorithms, coupled with incident classification based on functional impact. Determining statistical significance for independent ICS variables was addressed using logistic regression. Overall, thirty-nine variables are deemed relevant in diagnosing the system state of the ICS operation as expected or under attack. Our approach is validated using the Secure Water Treatment (SWaT) testbed. Experimental results reveal that anomaly detection was effective using k-NN, ANN and SVM, achieving F1-scores of 0.99, 0.98 and 0.97 respectively.