detecting-anomalies-in-industrial-control-systems

Detecting Anomalies in Industrial Control Systems

When to Use

  • When deploying continuous monitoring for OT environments that lack intrusion detection
  • When building behavior-based detection to complement signature-based IDS in OT networks
  • When establishing baselines for deterministic SCADA communications to detect deviations
  • When integrating machine learning anomaly detection with OT security monitoring platforms
  • When investigating alerts from Nozomi Guardian or Dragos Platform that require deeper analysis

Do not use for signature-based detection of known exploits (see detecting-attacks-on-scada-systems), for IT network anomaly detection that does not involve OT protocols, or as a replacement for safety instrumented systems (SIS).

Prerequisites

  • Passive network monitoring sensors on OT network SPAN/TAP ports
  • Minimum 2-4 weeks of baseline traffic capture during normal operations
  • Python 3.9+ with scikit-learn, numpy, pandas for ML model training
  • Process historian access for physical process correlation data
  • Understanding of normal operational patterns including shift changes, batch processes, and maintenance windows
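As an added worked example (not part of the skill or its SKILL.md), the following script shows the baseline-then-deviation approach the prerequisites describe for deterministic SCADA polling. It builds a per-flow baseline from poll metadata (master and PLC addresses, unit id, Modbus function code, timestamp) and then scores a later window for a new peer, an unseen function code, a timing burst, and a baselined flow that has gone silent. All addresses, timestamps and the jitter are constructed sample values; the code uses only the standard library, whereas the prerequisites above assume scikit-learn trained on 2-4 weeks of real capture.

```python
"""Baseline-and-deviation detection for deterministic SCADA polling traffic.

Added example, not code from the skill page. Flow metadata is constructed
inline so the script runs offline; in practice it would come from a passive
sensor on a SPAN/TAP port.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Poll:
    ts: float       # seconds since capture start
    src: str        # polling master (HMI / SCADA server)
    dst: str        # PLC / RTU
    unit_id: int    # Modbus unit identifier
    fc: int         # Modbus function code (3 = read holding regs, 16 = write multiple regs)


@dataclass
class FlowBaseline:
    fcs: set = field(default_factory=set)   # function codes seen during baseline
    mean_gap: float = 0.0                   # mean inter-poll interval (s)
    std_gap: float = 0.0                    # population std-dev of that interval


def group_by_flow(polls):
    """Group polls by (src, dst, unit_id), each group in time order."""
    by_flow = defaultdict(list)
    for p in sorted(polls, key=lambda p: p.ts):
        by_flow[(p.src, p.dst, p.unit_id)].append(p)
    return by_flow


def build_baseline(polls):
    """Learn, per flow, which function codes occur and how regular the polling is."""
    baseline = {}
    for key, seq in group_by_flow(polls).items():
        fb = FlowBaseline(fcs={p.fc for p in seq})
        gaps = [b.ts - a.ts for a, b in zip(seq, seq[1:])]
        if gaps:
            fb.mean_gap, fb.std_gap = mean(gaps), pstdev(gaps)
        baseline[key] = fb
    return baseline


def detect(baseline, polls, sigma=3.0, min_std=0.05):
    """Return (kind, flow, ...) alerts for deviations from the learned baseline.

    min_std keeps the tolerance from collapsing to zero on perfectly regular flows.
    """
    alerts = []
    by_flow = group_by_flow(polls)
    for key, seq in by_flow.items():
        fb = baseline.get(key)
        if fb is None:                       # peer pair never seen during baseline
            alerts.append(("new_flow", key, seq[0].ts))
            continue
        for p in seq:
            if p.fc not in fb.fcs:           # e.g. a write to a PLC that was only ever read
                alerts.append(("new_function_code", key, p.ts, p.fc))
        tol = sigma * max(fb.std_gap, min_std)
        for a, b in zip(seq, seq[1:]):       # burst or stall relative to the learned cadence
            gap = b.ts - a.ts
            if abs(gap - fb.mean_gap) > tol:
                alerts.append(("timing_deviation", key, b.ts, round(gap, 3)))
    for key in baseline:                     # expected polling that stopped entirely
        if key not in by_flow:
            alerts.append(("silent_flow", key))
    return alerts


# --- constructed sample data (not a real capture) ---------------------------
HMI, PLC_A, PLC_B, ROGUE = "10.0.0.5", "10.0.0.20", "10.0.0.21", "10.0.0.99"

# Baseline: HMI reads PLC_A every ~1 s (with 10 ms jitter) and PLC_B every 2 s.
BASELINE_POLLS = [Poll(i * 1.0 + 0.01 * (i % 2), HMI, PLC_A, 1, 3) for i in range(60)]
BASELINE_POLLS += [Poll(i * 2.0, HMI, PLC_B, 1, 3) for i in range(30)]

# Monitoring window: normal polling, then a write (fc 16), a 100 ms burst, and a new peer.
WINDOW_POLLS = [Poll(100 + i * 1.0 + 0.01 * (i % 2), HMI, PLC_A, 1, 3) for i in range(10)]
WINDOW_POLLS += [Poll(100 + i * 2.0, HMI, PLC_B, 1, 3) for i in range(6)]
WINDOW_POLLS += [Poll(110.0, HMI, PLC_A, 1, 16), Poll(111.01, HMI, PLC_A, 1, 3)]
WINDOW_POLLS += [Poll(111.1, HMI, PLC_A, 1, 3), Poll(111.2, HMI, PLC_A, 1, 3), Poll(111.3, HMI, PLC_A, 1, 3)]
WINDOW_POLLS += [Poll(112.0, ROGUE, PLC_A, 1, 3)]


def run_demo():
    """Build the baseline from the constructed capture and score the window."""
    return detect(build_baseline(BASELINE_POLLS), WINDOW_POLLS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each alert carries the flow key so an analyst can pivot straight to the asset inventory; the write-without-precedent and new-peer alerts are the ones worth routing to the OT SOC first, while timing alerts should be checked against shift changes and maintenance windows before they are treated as suspicious.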
Installs: 14 · GitHub Stars: 6.3K · First Seen: Mar 16, 2026