SimProcess: High Fidelity Simulation of Noisy ICS Physical Processes

TL;DR

SimProcess is a framework that evaluates and improves the fidelity of ICS simulations by modeling noise using machine learning, enhancing honeypot realism for better cybersecurity defense.

Contribution

It introduces a novel noise ranking framework for ICS simulations that operates with only timeseries data, applicable to complex systems, and demonstrates effectiveness with real power grid data.

Findings

Accurately classifies real system noise with up to 100% recall.

Identifies Gaussian and Gaussian Mixture as optimal noise distributions.

Uses autoencoder-based generative models to enhance simulation fidelity.

Abstract

Industrial Control Systems (ICS) manage critical infrastructures like power grids and water treatment plants. Cyberattacks on ICSs can disrupt operations, causing severe economic, environmental, and safety issues. For example, undetected pollution in a water plant can put the lives of thousands at stake. ICS researchers have increasingly turned to honeypots -- decoy systems designed to attract attackers, study their behaviors, and eventually improve defensive mechanisms. However, existing ICS honeypots struggle to replicate the ICS physical process, making them susceptible to detection. Accurately simulating the noise in ICS physical processes is challenging because different factors produce it, including sensor imperfections and external interferences. In this paper, we propose SimProcess, a novel framework to rank the fidelity of ICS simulations by evaluating how closely they resemble real-world and noisy physical processes. It measures the simulation distance from a target system by estimating the noise distribution with machine learning models like Random Forest. Unlike existing solutions that require detailed mathematical models or are limited to simple systems, SimProcess operates with only a timeseries of measurements from the real system, making it applicable to a broader range of complex dynamic systems. We demonstrate the framework's effectiveness through a case study using real-world power grid data from the EPIC testbed. We compare the performance of various simulation methods, including static and generative noise techniques. Our model correctly classifies real samples with a recall of up to 1.0. It also identifies Gaussian and Gaussian Mixture as the best distribution to simulate our power systems, together with a generative solution provided by an autoencoder, thereby helping developers to improve honeypot fidelity. Additionally, we make our code publicly available.