STADe: An unsupervised time-windows method of detecting anomalies in oil and gas Industrial Cyber-Physical Systems (ICPS) networks

Abubakar Sadiq Mohammed, Eirini Anthi, Omer Rana, Pete Burnap and Andrew Hood

International Journal of Critical Infrastructure Protection, 2025, vol. 49, issue C

Abstract: Critical infrastructure and Operational Technology (OT) are becoming more exposed to cyber attacks because OT networks are being integrated with enterprise networks, especially in Industrial Cyber-Physical Systems (ICPS). These systems, which underpin much of daily life, typically operate with sensors and actuators communicating continuously over an industrial network. To secure these industrial networks against cyber attacks, researchers have applied misuse detection and Anomaly Detection (AD) techniques to detect potential attacks. Misuse detection methods cannot detect zero-day attacks; AD methods can, but at the cost of high false positive rates and high computational overhead. In this paper, we present STADe, a novel Sliding Time-window Anomaly Detection method that uses a single feature, network packet inter-arrival time, to detect anomalous network communications. The work explores a mechanism for detecting breaks in periodicity and flagging them as anomalies. The method was validated on data from a real oil and gas wellhead monitoring testbed containing field flooding, SYN flooding, and Man-in-the-Middle (MITM) attacks, which are commonly used to target the availability and integrity of oil and gas critical infrastructure. STADe proved effective in detecting these attacks with zero false positives and F1 scores of 0.97, 0.923, and 0.8 respectively. Further experiments comparing STADe with other unsupervised machine learning algorithms (KNN, isolation forest, and Local Outlier Factor (LOF)) yielded F1 scores of 0.55, 0.673, and 0.408 respectively; STADe outperformed them with an F1 score of 0.933 on the same dataset.
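
The detection idea summarised in the abstract, a sliding time window over packet inter-arrival times that flags windows breaking the normal polling periodicity, as an added Python sketch that is not the paper's STADe implementation: the window size, the median-IAT feature, the MAD-based baseline with threshold k=5, and every timestamp in the capture are constructed assumptions.

```python
from statistics import median

POLL_PERIOD = 1.0                         # constructed: one poll per second
JITTER = [0.0, 0.02, -0.01, 0.03, -0.02]  # constructed, repeating clock jitter


def periodic_polls(n, t0=0.0):
    """Timestamps of n clean, periodic poll packets (constructed)."""
    return [t0 + i * POLL_PERIOD + JITTER[i % len(JITTER)] for i in range(n)]


def constructed_capture():
    """Clean polling plus a 3 s flood burst and a 20 s stretch in which every
    other poll is lost in transit (one way an interposed host shows up)."""
    polls = [t for i, t in enumerate(periodic_polls(120)) if not 80 <= i < 100]
    flood = [40.0 + k * 0.01 for k in range(300)]   # 300 packets, 10 ms apart
    slowed = [80.0 + 2.0 * k for k in range(10)]    # surviving polls 2 s apart
    return sorted(polls + flood + slowed)


def sliding_windows(ts, window, step):
    """Yield (start, timestamps in [start, start + window)) across the capture."""
    start = ts[0]
    while start <= ts[-1]:
        yield start, [t for t in ts if start <= t < start + window]
        start += step


def window_feature(pkts):
    """Median inter-arrival time inside one window; None if nothing to measure."""
    iats = [b - a for a, b in zip(pkts, pkts[1:])]
    return median(iats) if iats else None


def learn_baseline(clean_ts, window, step):
    """Unsupervised baseline: median and MAD of the per-window median IAT.
    The 5 % floor stops a near-perfectly periodic baseline from turning
    ordinary jitter into alerts (assumption, not from the paper)."""
    feats = [f for _, w in sliding_windows(clean_ts, window, step)
             if (f := window_feature(w)) is not None]
    med = median(feats)
    mad = median(abs(f - med) for f in feats)
    return med, max(mad, 0.05 * med)


def detect_anomalous_windows(ts, baseline, window, step, k=5.0):
    """Window starts whose median IAT lies more than k scaled deviations from
    the baseline, or that carry too little traffic to measure at all."""
    med, scale = baseline
    flagged = []
    for start, pkts in sliding_windows(ts, window, step):
        f = window_feature(pkts)
        if f is None or abs(f - med) / scale > k:
            flagged.append(start)
    return flagged
```

With `learn_baseline(periodic_polls(60), 10.0, 5.0)` as the baseline, `detect_anomalous_windows(constructed_capture(), baseline, 10.0, 5.0)` flags the two windows overlapping the flood and the three windows inside the slowed stretch, while the partially overlapping windows at 75 s and 95 s still show a median IAT near the learned period and pass, which is the kind of boundary effect a window-based detector trades against its low false-positive rate.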

Keywords: Cybersecurity; Anomaly detection; Operational technology; Cyber-physical systems; Time windows
Date: 2025

Full text (ScienceDirect subscribers only): http://www.sciencedirect.com/science/article/pii/S187454822500023X



Persistent link: https://EconPapers.repec.org/RePEc:eee:ijocip:v:49:y:2025:i:c:s187454822500023x

DOI: 10.1016/j.ijcip.2025.100762


International Journal of Critical Infrastructure Protection is currently edited by Leon Strous


 
Page updated 2025-06-17
Handle: RePEc:eee:ijocip:v:49:y:2025:i:c:s187454822500023x