
Student: 馬永發
Saranachon Iammongkol
Thesis title: 透過封包間隔時間的密度估計實現SCADA系統的網路入侵檢測
Network intrusion detection for SCADA systems using density estimation of packet inter-arrival time
Advisors: 李漢銘
Hahn-Ming Lee
鄭欣明
Shin-Ming Cheng
Committee members: 黃俊穎
蕭旭君
毛敬豪
Degree: Master
Department: 電資學院 - 資訊工程系
Department of Computer Science and Information Engineering
Year of publication: 2021
Graduation academic year: 109
Language: English
Pages: 59
Chinese keywords: Cyber Security, SCADA systems, Industrial Control Systems, Network Intrusion Detection
Foreign-language keywords: Cyber Security, SCADA systems, Industrial Control Systems, Network Intrusion Detection
Views: 201; Downloads: 2
Abstract

Critical infrastructure and manufacturing use distributed systems, usually known as SCADA systems, to process data collected from sensor networks and to control physical actuators. A system malfunction can be devastating, costing time, money, or even human life. Our paper aims to overcome two challenges in SCADA system security: (1) the systems must satisfy hard timing constraints while the robust industrial equipment provides only limited resources, and (2) most of the time, the data available from SCADA systems is unbalanced. To achieve this, we focus on the SCADA system's unique cyclic communication characteristic. We found that it can be explained using the theory of PLC-automata. We then analyze the timing constraints in HMI and PLC communication, which show that the inter-arrival time of packets between devices carries the footprint of system state transitions. We propose a network-based anomaly detection algorithm for SCADA systems that uses benign inter-arrival times only. Experimental evaluation is performed on a public MODBUS dataset from IEEE Dataport.
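The one-class idea in the abstract, as an added illustration that is not the thesis's own algorithm or code: a Gaussian kernel density estimate is fitted over benign HMI-to-PLC inter-arrival times only, and a test inter-arrival time is flagged when its estimated density falls below a floor derived from the rarest benign sample. The packet log, the 100 ms poll cycle with a 500 ms state-transition pause, the bandwidth and the margin are all constructed or assumed values.

```python
import math

BANDWIDTH = 0.002  # assumed kernel width in seconds, tuned to the poll jitter
MARGIN = 0.5       # assumed: flag IATs sparser than half the rarest benign IAT

def make_benign_log(cycles=55):
    """Constructed Modbus/TCP capture of one HMI->PLC flow: (time_s, src, dst).
    The HMI polls every ~100 ms; every 11th poll follows a ~500 ms pause
    caused by a PLC state transition, so benign IATs are bimodal."""
    jitter = [0.098, 0.100, 0.102, 0.101, 0.099]
    log, t = [(0.0, "HMI", "PLC")], 0.0
    for i in range(cycles):
        t += jitter[i % 5] + (0.4 if i % 11 == 10 else 0.0)
        log.append((round(t, 3), "HMI", "PLC"))
    return log

def inter_arrival_times(log):
    """Per (src, dst) pair, the gaps between consecutive packets."""
    last, iats = {}, {}
    for t, src, dst in sorted(log):
        key = (src, dst)
        if key in last:
            iats.setdefault(key, []).append(t - last[key])
        last[key] = t
    return iats

class IATDensityDetector:
    """Gaussian kernel density estimate over benign IATs only (one-class)."""
    def __init__(self, benign_iats, h=BANDWIDTH, margin=MARGIN):
        self.x, self.h = list(benign_iats), h
        # the rarest benign IAT sets the floor; sparser regions are anomalous
        self.threshold = margin * min(self.density(v) for v in self.x)

    def density(self, v):
        n, h = len(self.x), self.h
        kernels = sum(math.exp(-((v - xi) / h) ** 2 / 2) for xi in self.x)
        return kernels / (n * h * math.sqrt(2 * math.pi))

    def is_anomalous(self, v):
        return self.density(v) < self.threshold

def train_detector(log):
    """Fit the detector on the HMI->PLC direction of a benign capture."""
    return IATDensityDetector(inter_arrival_times(log)[("HMI", "PLC")])

if __name__ == "__main__":
    det = train_detector(make_benign_log())
    for iat in (0.100, 0.500, 0.300, 0.001, 2.0):
        print(f"IAT {iat:.3f}s density={det.density(iat):8.2f} "
              f"anomalous={det.is_anomalous(iat)}")
```

Both benign modes (the 100 ms poll and the 500 ms transition pause) pass, while a 1 ms burst, a 300 ms gap between the modes and a 2 s stall are flagged without any attack samples in training.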



Contents

Recommendation Letter ... i
Approval Letter ... ii
Abstract ... iii
Acknowledgements ... iv
Contents ... v
List of Figures ... vii
List of Tables ... viii
List of Algorithms ... ix
1 Introduction ... 1
1.1 Motivation ... 1
1.2 Challenges and Goals ... 2
1.3 Contribution ... 2
1.4 Outline of the Thesis ... 3
2 Background and Related Works ... 4
2.1 Critical Infrastructure Cyber Security ... 4
2.2 Industrial Control Systems ... 4
2.2.1 SCADA-based Control Systems ... 4
2.2.2 DCS-based Control Systems ... 4
2.2.3 PLC-based Control Systems ... 5
2.3 Real-time Systems ... 5
2.4 PLC Programming ... 6
2.5 PLC Operating Systems ... 7
2.6 Duration Calculus ... 10
2.7 PLC-automaton ... 11
2.8 MODBUS Network Intrusion Detection Systems (NIDS) ... 13
2.8.1 Machine Learning Based MODBUS Network Intrusion Detection Systems (NIDS) ... 19
2.8.2 Automaton Based MODBUS Network Intrusion Detection Systems (NIDS) ... 19
3 Implementation and Evaluation ... 21
3.1 Model Description ... 21
3.1.1 Inter-arrival Time Anomaly ... 21
3.1.2 Training Algorithm ... 23
3.1.3 Detection Algorithm ... 24
3.2 Evaluation ... 25
3.2.1 Dataset ... 25
3.2.2 Result ... 27
3.2.3 Result Analysis ... 36
3.2.4 Resource Consumption ... 37
4 Conclusions ... 39
4.1 Experiment Summary ... 39
4.2 Future Work ... 39
References ... 41

