Security in Process: Visually Supported Triage Analysis in Industrial Process Data
Anna-Pia Lohfink, Simon D. Duque Anton, Hans Dieter Schotten, Heike Leitte, Christoph Garth

TL;DR
This paper introduces a specialized visualization system combining spiral plots and anomaly detection results to aid triage analysis of industrial process data, enhancing cybersecurity awareness and response.
Contribution
It presents a novel visualization approach tailored for industrial process data, integrating anomaly detection with spiral plots to improve attack detection and analysis.
Findings
System effectively visualizes industrial sensor data
Enhances attack detection in industrial networks
User evaluation shows improved triage efficiency
Abstract
Operation technology networks, i.e. hard- and software used for monitoring and controlling physical/industrial processes, have been considered immune to cyber attacks for a long time. A recent increase of attacks in these networks proves this assumption wrong. Several technical constraints lead to approaches to detect attacks on industrial processes using available sensor data. This setting differs fundamentally from anomaly detection in IT-network traffic and requires new visualization approaches adapted to the common periodical behavior in OT-network data. We present a tailored visualization system that utilizes inherent features of measurements from industrial processes to full capacity to provide insight into the data and support triage analysis by laymen and experts. The novel combination of spiral plots with results from anomaly detection was implemented in an interactive system.…
