https://www.mdu.se/

mdu.sePublications
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
ICSSIM — A framework for building industrial control systems security testbeds
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. RISE Research Institute of Sweden, Västerås, Sweden.ORCID iD: 0000-0001-5332-1033
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems.ORCID iD: 0000-0002-4473-7763
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems.ORCID iD: 0000-0003-3354-1463
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems. RISE Research Institute of Sweden, Västerås, Sweden.ORCID iD: 0000-0002-7235-6888
Show others and affiliations
2023 (English)In: Computers in industry (Print), ISSN 0166-3615, E-ISSN 1872-6194, Vol. 148, article id 103906Article in journal (Refereed) Published
Abstract [en]

With the advent of the smart industry, Industrial Control Systems (ICS) moved from isolated environments to connected platforms to meet Industry 4.0 targets. The inherent connectivity in these services exposes such systems to increased cybersecurity risks. To protect ICSs against cyberattacks, intrusion detection systems (IDS) empowered by machine learning are used to detect abnormal behavior of the systems. Operational ICSs are not safe environments to research IDSs due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds enable researchers to analyze and validate their IDSs in a controlled environment. Although various ICS testbeds have been developed, researchers' access to a low-cost, extendable, and customizable testbed that can accurately simulate ICSs and suits security research is still an important issue.

In this paper, we present ICSSIM, a framework for building customized virtual ICS security testbeds in which various cyber threats and network attacks can be effectively and efficiently investigated. This framework contains base classes to simulate control system components and communications. Simulated components are deployable on actual hardware such as Raspberry Pis, containerized environments like Docker, and simulation environments such as GNS-3. ICSSIM also offers physical process modeling using software and hardware in the loop simulation. This framework reduces the time for developing ICS components and aims to produce extendable, versatile, reproducible, low-cost, and comprehensive ICS testbeds with realistic details and high fidelity. We demonstrate ICSSIM by creating a testbed and validating its functionality by showing how different cyberattacks can be applied.
Place, publisher, year, edition, pages
2023. Vol. 148, article id 103906
Keywords [en]
Cybersecurity, Industrial Control System, Testbed, Network Emulation, Cyberattack
National Category
Engineering and Technology Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:mdh:diva-62321DOI: 10.1016/j.compind.2023.103906ISI: 000966310200001Scopus ID: 2-s2.0-85151016386OAI: oai:DiVA.org:mdh-62321DiVA, id: diva2:1752834
Available from: 2023-04-24 Created: 2023-04-24 Last updated: 2025-10-10Bibliographically approved
In thesis
1. Identification of Cyberattacks in Industrial Control Systems
Open this publication in new window or tab >>Identification of Cyberattacks in Industrial Control Systems
2023 (English)Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

As critical infrastructure increasingly relies on Industrial Control Systems (ICS), these systems have become a prime target for cyberattacks. As a result of the move towards Industry 4.0 targets, ICSs are increasingly being connected to the outside world, which makes them even more vulnerable to attacks. To enhance the ICS's security, Intrusion Detection Systems (IDS) are used in detecting and mitigating attacks. However, using real ICS installations for testing IDS can be challenging, as any interference with the ICS could have serious consequences, such as production downtime or compromised safety. Alternatively, ICS testbeds and cybersecurity datasets can be used to analyze, validate, and evaluate the IDS capabilities in a controlled environment. In addition, the complexity of ICSs, combined with the unpredictable and intricate nature of attacks, present a challenge in achieving high detection precision using traditional rule-based models. To tackle this challenge, Machine Learning (ML) have become increasingly attractive for identifying a broader range of attacks.

 

This thesis aims to enhance ICS cybersecurity by addressing the mentioned challenges. We introduce a framework for simulation of virtual ICS security testbeds that can be customized to create extensible, versatile, reproducible, and low-cost ICS testbeds. Using this framework, we create a factory simulation and its ICS to generate an ICS security dataset. We present this dataset as a validation benchmark for intrusion detection methods in ICSs. Finally, we investigate the efficiency and effectiveness of the intrusion detection capabilities of a range of Machine Learning techniques. Our findings show (1) that relying solely on intrusion evidence at a specific moment for intrusion detection can lead to misclassification, as various cyber-attacks may have similar effects at a specific moment, and (2) that AI models that consider the temporal relationship between events are effective in improving the ability to detect attack types.
Place, publisher, year, edition, pages
Västerås: Mälardalen University, 2023
Series
Mälardalen University Press Licentiate Theses, ISSN 1651-9256 ; 341
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-62403 (URN)978-91-7485-598-2 (ISBN)
Presentation
2023-06-16, Beta, Mälardalens universitet, Västerås, 13:15 (English)
Opponent
Supervisors
Available from: 2023-05-09 Created: 2023-05-05 Last updated: 2025-10-10Bibliographically approved
2. Machine Learning-Based Network Intrusion Detection for Industrial Control
Open this publication in new window or tab >>Machine Learning-Based Network Intrusion Detection for Industrial Control
2025 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The growing connectivity of Industrial Control Systems (ICS) has increased their exposure to cyber threats, posing serious risks to both critical infrastructure (e.g., power plants, water systems) and industrial operations. Although Machine Learning (ML)-based Intrusion Detection Systems (IDS) show potential to detect complex and novel attacks, their practical application in ICS environments remains challenging. This thesis investigates the feasibility, design considerations, and barriers to applying ML-based IDS in ICSs. Key challenges include limited labeled data, high sensitivity to false alarms, distributed architectures, and constrained hardware. Through empirical evaluations and prototype implementations, we show how tailored ML and system design strategies can address these issues.

Our first goal is to enable experimentation with cybersecurity and intrusion detection in industrial systems. The thesis introduces ICSSIM, a novel framework for creating flexible, scalable, and cost-effective ICS testbeds.  It also presents ICSFlowGenerator, a tool for analyzing network traffic and computing customized network flow parameters. Using this tool, the thesis presents ICS-Flow, a new dataset developed to train and evaluate anomaly detection models, which serves as a realistic benchmark for assessing ML-based intrusion detection in ICS networks. 

In addition, the thesis tackles several technical deployment barriers. To support distributed ICS architectures and minimize the reliance on central servers, federated learning is explored as a decentralized training strategy. It also investigates semi-supervised learning techniques for detecting anomalies using only normal traffic.  To reduce the burden of false alarms, we integrate a decision support system with the IDS to filter alerts and suggest mitigation actions. Furthermore, the thesis emphasizes the importance of temporal traffic patterns in identifying attack types and evaluates the efficiency and resource demands of various ML models on ICS-representative hardware. Collectively, these contributions advance the practical application of ML-based intrusion detection in ICSs.
Abstract [sv]

Digitaliseringen och ökande uppkoppling av industriella styrsystem (ICS) har medfört ökad exponering för cyberhot och innebär allvarliga risker för både kritisk infrastruktur (t.ex. kraftverk, vattensystem) och industriella verksamheter. Även om intrångsdetekteringssystem (IDS) baserade på maskininlärning (ML) har potential att upptäcka komplexa och nya attacker, är deras praktiska tillämpning i ICS-miljöer fortfarande utmanande. I den här avhandlingen analyseras genomförbarheten, designöverväganden och hinder för att applicera ML-baserade IDS i ICS. Centrala utmaningar omfattar begränsad mängd annoterad data, hög känslighet för falsklarm, distribuerade arkitekturer och hårdvarubegränsningar. Genom empiriska utvärderingar och prototypimplementeringar visar vi hur skräddarsydda ML- och systemdesignstrategier kan adressera dessa problem.

Det första målet är att möjliggöra cybersäkerhetsexperiment och detektion av intrång i industriella system. Avhandlingen introducerar ICSSIM, ett nytt ramverk för att skapa flexibla, skalbara och kostnadseffektiva ICS-testbäddar. Vi har dessutom utvecklat ICSFlowGenerator, ett verktyg för att analysera nätverkstrafik och beräkna anpassade nätverksflödesparametrar. Med hjälp av detta verktyg har vi skapat ICS-Flow, en ny datamängd (dataset) för att träna och utvärdera anomalidetekteringsmodeller. ICS-Flow fungerar som en realistisk benchmark för att bedöma ML-baserad intrångsdetektering i ICS-nätverk. 

Med stöd av ICS-Flow adresserar avhandlingen flera tekniska hinder vid driftsättning. För att stödja distribuerade ICS-arkitekturer och minimera beroendet av centrala servrar utforskas en decentraliserad träningsstrategi. Vi undersöker även semi-övervakade inlärningstekniker för att detektera anomalier med enbart normal trafik. För att minska risken för falsklarm integrerar vi ett beslutsstödssystem med IDS:en för att filtrera larm och föreslå åtgärder. Vidare betonar avhandlingen betydelsen av tidsberoende trafikmönster för att identifiera attacktyper och utvärderar effektivitet och resurskrav för olika ML-modeller på ICS-representativ hårdvara. Sammantaget främjar dessa bidrag den praktiska tillämpningen av ML-baserad intrångsdetektering för ICS.
Place, publisher, year, edition, pages
Västerås: Mälardalens universitet, 2025. p. 286
Series
Mälardalen University Press Dissertations, ISSN 1651-4238 ; 440
National Category
Computer Systems Control Engineering Embedded Systems Communication Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:mdh:diva-73132 (URN)978-91-7485-718-4 (ISBN)
Public defence
2025-10-23, Delta och digitalt, Mälardalens universitet, Västerås, 13:30 (English)
Opponent
Supervisors
Available from: 2025-08-28 Created: 2025-08-28 Last updated: 2025-10-10Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Dehlaghi-Ghadim, AlirezaBalador, AliHelali Moghadam, MahshidHansson, Hans

Search in DiVA

By author/editor
Dehlaghi-Ghadim, AlirezaBalador, AliHelali Moghadam, MahshidHansson, Hans
By organisation
Embedded Systems
In the same journal
Computers in industry (Print)
Engineering and TechnologyComputer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 893 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
Mälardalen University Library
|
DiVA Log in