Proceedings Paper

An Evaluation of Machine Learning-based Anomaly Detection in a SCADA System Using the Modbus Protocol

Publisher

ASSOC COMPUTING MACHINERY
DOI: 10.1145/3374135.3385282

Keywords

Anomaly Detection; Industrial Control Systems; Machine Learning; Modbus; SCADA

Supervisory Control and Data Acquisition (SCADA) systems have been designed with the assumption that the system would run within a closed environment. They have only generated concerns for security issues that may appear during system deployment, and there are no clear methods to assess security threats when considered. Recent technological and economic trends have driven SCADA systems from serial communication networks to networks based on TCP/IP. This exposes legacy SCADA systems to new security threats they were not designed to defend against. This work examines the viability of machine learning techniques in detecting new security threats specific to SCADA systems and the Modbus protocol. Machine learning-based anomaly detection algorithms were used to detect malicious traffic in a generated dataset of Remote Terminal Unit (RTU) communications using the Modbus protocol. The implemented algorithms are Support Vector Machines, decision trees, k-nearest neighbors, and k-means clustering. While the algorithms performed well overall, Support Vector Machine, Decision Trees, and K-nearest Neighbors algorithms had the best performance with individual attack types. K-means clustering did not perform satisfactorily with specific attack types.
