Security in Process: Visually Supported Triage Analysis in Industrial Process Data
This work addresses the need for improved security analysis in operation technology networks, which are increasingly targeted by cyber attacks, by providing a tool for both laymen and experts, though it is incremental as it adapts existing visualization techniques to a specific domain.
The paper tackles the problem of detecting cyber attacks in industrial process networks by developing a visualization system that combines spiral plots with anomaly detection results, demonstrated on a real-world water treatment process with introduced attacks.
Operation technology networks, i.e. hard- and software used for monitoring and controlling physical/industrial processes, have been considered immune to cyber attacks for a long time. A recent increase of attacks in these networks proves this assumption wrong. Several technical constraints lead to approaches to detect attacks on industrial processes using available sensor data. This setting differs fundamentally from anomaly detection in IT-network traffic and requires new visualization approaches adapted to the common periodical behavior in OT-network data. We present a tailored visualization system that utilizes inherent features of measurements from industrial processes to full capacity to provide insight into the data and support triage analysis by laymen and experts. The novel combination of spiral plots with results from anomaly detection was implemented in an interactive system. The capabilities of our system are demonstrated using sensor and actuator data from a real-world water treatment process with introduced attacks. Exemplary analysis strategies are presented. Finally, we evaluate effectiveness and usability of our system and perform an expert evaluation.