Improving SIEM for critical SCADA water infrastructures using machine learning

Hindy, Hanan and Brosset, David and Bayne, Ethan and Seeam, Amar and Bellekens, Xavier; Katsikas, Sokratis K. and Cuppens, Frédéric and Cuppens, Nora and Lambrinoudakis, Costas and Antón, Annie and Gritzalis, Stefanos and Mylopoulos, John and Kalloniatis, Christos, eds. (2019) Improving SIEM for critical SCADA water infrastructures using machine learning. In: Computer Security. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) . Springer-Verlag, ESP, pp. 3-19. ISBN 9783030127855 (

[thumbnail of Hindy-etal-CyberICPS2018-Improving-SIEM-for-critical-SCADA-water-infrastructures-using-machine-learning]
Text. Filename: Hindy_etal_CyberICPS2018_Improving_SIEM_for_critical_SCADA_water_infrastructures_using_machine_learning.pdf
Accepted Author Manuscript

Download (1MB)| Preview


Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work helps in accelerating the mitigation process by notifying the operator with additional information when an anomaly occurs. This additional information includes the probability and confidence level of event(s) occurring. The model is trained and tested using a real-world dataset.


Hindy, Hanan, Brosset, David, Bayne, Ethan, Seeam, Amar and Bellekens, Xavier ORCID logoORCID:; Katsikas, Sokratis K., Cuppens, Frédéric, Cuppens, Nora, Lambrinoudakis, Costas, Antón, Annie, Gritzalis, Stefanos, Mylopoulos, John and Kalloniatis, Christos