LSTM-Based Detection of OT Cyber-Attacks for an Offshore HVAC-Cooling Process

This work explored the possibility to use a deep machine learning method for cost-effective development of an Intrusion Detection System (IDS) for an offshore Operational Technology (OT) cooling process driven by a HVAC system. Two types of cyber-attacks, namely Man-in-the-Middle (MitM) attack and Deny-of-Service (DoS), are considered at different intruding locations within a Modbus-based Supervisory-Control-And-Data-Acquisition (SCADA) and Programmable Logic Controller (PLC) network. By using the Long Short-Term Memory Neural Network (LSTM-NN) as a middle layer, the IDS is developed as a multi-layer feature classifier, which consists of sequential input, LSTM, dense, softmax and classifier layers. Training and testing data are produced from a corresponding simulation system. The IDS system uses the measurements from the ongoing system (i.e., compressor status) and the relevant process (i.e., ambient and room temperatures) along with the network information to monitor potential abnormal behaviors induced by dedicated cyber-attacks in an real-time manner. All considered attack scenarios can be successfully detected by the developed IDS within 2 min after the attack occurs. There is only one situation in which the IDS cannot identify the abnormal phenomenon is caused by a MitM(2) or DoS attack due to lack of extra signals to distinguish them. In general, this study showed a clear benefit for cost-effective development of OT IDS system using the machine learning method, subject to good availability of sufficient and high-quality data.