Unsupervised Learning Approach for Anomaly Detection in Industrial Control Systems

: Industrial control systems (ICSs) play a crucial role in managing and monitoring critical processes across various industries, such as manufacturing, energy, and water treatment. The connection of equipment from various manufacturers, complex communication methods, and the need for the continuity of operations in a limited environment make it difficult to detect system anomalies. Traditional approaches that rely on supervised machine learning require time and expertise due to the need for labeled datasets. This study suggests an alternative approach to identifying anomalous behavior within ICSs by means of unsupervised machine learning. The approach employs unsupervised machine learning to identify anomalous behavior within ICSs. This study shows that unsupervised learning algorithms can effectively detect and classify anomalous behavior without the need for pre-labeled data using a composite autoencoder model. Based on a dataset that utilizes HIL-augmented ICSs (HAIs), this study shows that the model is capable of accurately identifying important data characteristics and detecting anomalous patterns related to both value and time. Intentional error data injection experiments could potentially be used to validate the model’s robustness in real-time monitoring and industrial process performance optimization. As a result, this approach can improve system reliability and operational efficiency, which can establish a foundation for safe and sustainable ICS operations.


Introduction
The ICS plays an important role in industrial processes across various sectors, including manufacturing, energy, water treatment, and transportation.It is a critical component of Operational Technology (OT) and works in conjunction with supervisory control and data acquisition (SCADA) systems to manage complex control operations [1][2][3].These systems are designed to meet the unique needs of each industry and are highly adaptable.They come equipped with diverse Human-Machine Interfaces (HMIs) that enable operators to efficiently monitor and manage processes.In ICSs, network connectivity plays a critical role in enabling remote monitoring and control [4,5].It is imperative to prioritize the enhancement in system security and reliability in ICS applications, given the growing number of cybersecurity threats [6].
Nevertheless, it is worth noting that incidents like the 2010 Stuxnet attack on Siemens PLCs at an Iranian nuclear facility have highlighted the potential vulnerabilities of ICSs to cyber threats [7,8].The attack has brought attention to the need for improved ICS network security to prevent potential cyberattacks on critical infrastructure that could compromise physical systems.The 2015 cyberattack on Ukraine's power grid had a significant socioeconomic impact and severely disrupted the nation's power infrastructure.This incident highlights the importance of implementing robust ICS security measures [9,10].These events highlight the importance of ICS security not only for IT, but also for national security and societal stability.
As recent cyberattacks have shown, securing ICSs is imperative.However, detecting anomalies in these systems poses several challenges.The ICS is characterized by the use of diverse equipment from multiple vendors, proprietary protocols, and complex communication methods that add to the complexity of securing these systems [11].The continuous operation of these vital infrastructure management systems further limits access to real-world environments for security research.In addition, the application of security patches or updates to ICSs operating in environments such as production lines and energy infrastructures can be delayed, limiting their practical implementation [12].Past cyberattacks, such as the Stuxnet event and the Ukrainian power grid attack, underscore the challenge of detecting system anomalies before they cause damage [13].Anomaly detection in industrial control systems is a significant challenge due to the variety of devices from different vendors, each operating with proprietary protocols and complex communication methods [14].It is critical to provide timely information to operators to prevent actual damage before it occurs.Our research focused on OPC servers to address these challenges.
Figure 1 shows the conceptual diagram between OT, ICSs, and SCADA.It also shows the OT portion of the Purdue model.The function of an OPC server is to process signals and data from field devices in a standardized manner and convert them into a format that clients can understand.This is accomplished by assigning a unique identifier, or tag, to each piece of data.Tags allow users to identify and retrieve data collected by the OPC server from field devices.These tags typically contain information about the device's location, data type, and value, and are organized in a way that is easy for humans to understand.
Appl.Syst.Innov.2024, 7, x FOR PEER REVIEW 2 of 17 These events highlight the importance of ICS security not only for IT, but also for national security and societal stability.
As recent cyberattacks have shown, securing ICSs is imperative.However, detecting anomalies in these systems poses several challenges.The ICS is characterized by the use of diverse equipment from multiple vendors, proprietary protocols, and complex communication methods that add to the complexity of securing these systems [11].The continuous operation of these vital infrastructure management systems further limits access to real-world environments for security research.In addition, the application of security patches or updates to ICSs operating in environments such as production lines and energy infrastructures can be delayed, limiting their practical implementation [12].Past cyberattacks, such as the Stuxnet event and the Ukrainian power grid attack, underscore the challenge of detecting system anomalies before they cause damage [13].Anomaly detection in industrial control systems is a significant challenge due to the variety of devices from different vendors, each operating with proprietary protocols and complex communication methods [14].It is critical to provide timely information to operators to prevent actual damage before it occurs.Our research focused on OPC servers to address these challenges.
Figure 1 shows the conceptual diagram between OT, ICSs, and SCADA.It also shows the OT portion of the Purdue model.The function of an OPC server is to process signals and data from field devices in a standardized manner and convert them into a format that clients can understand.This is accomplished by assigning a unique identifier, or tag, to each piece of data.Tags allow users to identify and retrieve data collected by the OPC server from field devices.These tags typically contain information about the device's location, data type, and value, and are organized in a way that is easy for humans to understand.However, in the domain of the ICS, the absence of descriptive annotations for tag values can significantly impede user interaction with the system, making configuration and management tasks more complex.This research aims to solve the problem of detecting anomalies within a complex system composed of different devices, each characterized by its own protocols and communication methods.This research focuses on the use of unsupervised learning techniques as a solution to this problem.Unsupervised learning can identify patterns and structures in data, allowing it to develop predictive models without pre-labeled datasets or extensive prior knowledge of the system's operating paradigm.These features are especially valuable in ICS environments, as they effectively detect However, in the domain of the ICS, the absence of descriptive annotations for tag values can significantly impede user interaction with the system, making configuration and management tasks more complex.This research aims to solve the problem of detecting anomalies within a complex system composed of different devices, each characterized by its own protocols and communication methods.This research focuses on the use of unsupervised learning techniques as a solution to this problem.Unsupervised learning can identify patterns and structures in data, allowing it to develop predictive models without pre-labeled datasets or extensive prior knowledge of the system's operating paradigm.These features are especially valuable in ICS environments, as they effectively detect emerging security threats that traditional data analytics frameworks may miss.The strategies include an analytical review of data attributes and patterns, the implementation of cluster-ing techniques to aggregate tags with similar variations, and the incorporation of outlier detection mechanisms.
This study contributes to the field of ICS anomaly detection in the following ways: • Heterogeneous system anomaly detection: First, we have developed a methodology that can identify anomalies with unique protocols or complex communication methods in systems composed of devices from different vendors.It is highly adaptable to different ICS environments because it does not rely on pre-labeled data or predefined descriptions.

•
Leverage restricted network data: We leverage internal data from restricted networks, recognizing the sensitivity and security concerns within ICS networks.Our research focuses on developing techniques that utilize only the internal data accessible within restricted networks.This capability is essential for detecting system changes and anomalies using data that would otherwise be inaccessible for security analysis.

•
Proactive anomaly response: Our research aims to facilitate the early detection of anomalous changes within the ICS, providing operators with timely information.This allows for quick and informed responses to potential problems before they can escalate into actual damage, strengthening the proactive defense mechanisms within industrial environments.
This paper is organized as follows.Section 2 reviews existing research on anomaly detection in industrial control systems.Section 3 describes the research methodology used in this study.Section 4 describes the experimental design and results.Section 5 concludes this study with a discussion.

Related Work
Anomaly detection has become an important area of research in many fields, including finance, healthcare, manufacturing, and cybersecurity [15].The main objective of anomaly detection on multivariate time series is to quickly and accurately identify abnormal behavior of a system or process that may indicate a potential threat, failure, or error [16].This plays an important role in maintaining the stability of the system and avoiding potential risks.

Anomaly Detection in Industrial Control Systems
Anomaly detection is an important research topic, especially in cybersecurity in the ICS.The ICS is intimately involved in our daily lives and cyberattacks on these systems can cause significant damage [17].Therefore, technologies that can quickly detect anomalies in the ICS, and thereby prevent potential cyber-attacks, are crucial.AI technologies are becoming an important tool for this, with machine learning and deep learning techniques, in particular, showing promise in detecting anomalies.They can learn complex patterns in data and detect anomalies based on them.They are also effective at detecting anomalies in time series data, considering changes over time [18].Inoue et al. [19] applied unsupervised machine learning techniques to detect anomalies in a water treatment system.Putchala et al. [20] proposed to apply a deep learning method using gated recurrent units (GRUs) to an intrusion detection system for IoT networks.The method showed a higher detection accuracy than traditional methods.They also proposed a lightweight and multi-layered design to enhance the security of IoT networks.Du et al. [21] proposed an unsupervised machine learning-based detection model based on LSTM-AE and GANs, which can learn complex patterns in time series data to detect anomalies more accurately.In addition, Goh et al. [22] introduced an unsupervised learning approach using RNNs to learn the changes in data patterns over time and use them to detect anomalies.In addition, Mokhtari et al. [23] used random forests to detect anomalous activity in industrial control systems.They showed that this method outperformed other classifier algorithms, which can significantly improve the detection of cyberattacks.Inoue, Putchala, Du, Goh et al. applied various algorithms for anomaly detection in water treatment, IoT networks, and time series data, and Mokhtari et al. utilized random forests to effectively detect anomalous activity in industrial control systems.These techniques are proving to be highly effective in anomaly detection by learning complex data patterns and considering changes over time.

Recent Approaches to the Study of Anomaly Detection in Industrial Control System
Anomaly detection is emerging as a very important research topic, especially in industrial control systems.Industrial control systems play a pivotal role in many areas of production, energy management, traffic control, and more, and anomaly detection in these systems can significantly improve safety and efficiency.Recent studies, mentioned in Table 1, focus on improving intrusion detection and anomaly detection, specifically to address security and reliability issues in complex and diverse industrial environments such as ICS.A joint learning approach that integrates regularity representation learning and normalization from a small number of abnormal samples

Focus on improving intrusion detection performance
Gaggero et al. [31] Neural Network AutoEncoder Detects cyberattacks on battery electric storage systems (BESSs) in microgrid using neural network-based autoencoders.

Focus on outliers in electrical measurements
They study how to accurately detect anomalous activities or attacks in high-dimensional and complex industrial data using various techniques and methodologies such as graph neural networks, semi-supervised learning, clustering, and mixed algorithms.
However, this research is unique in two important ways.

1.
Data-driven tag analysis: The model in this study analyzes operational data from industrial control systems to accurately identify tags of abnormal operation.To do so, we introduce a novel methodology to identify the misbehavior of a particular device by defining its rate of change.This technique enables us to successfully identify complex anomalies that are difficult to detect using traditional methods.2.
Informatization of cluster changes: This research identifies tagged clusters and communicates their changes to control network operators, enabling a rapid response.This process allows security professionals to identify relevant sensors and contribute to the creation of a stable and secure industrial control system environment.
As such, AI-based anomaly detection techniques play an important role in enhancing the security of industrial control systems.Each of these studies presents different methodologies and approaches, which provide a methodology for the more accurate detection of anomalies in different environments.In the future, these studies will continue to evolve and become more prominent as important research topics in cybersecurity.

Overview of the Proposed Approach
Figure 2 provides an overview of the process proposed in our study.The process for anomaly detection using machine learning in industrial control systems is as follows: Data are collected from multiple sensors and systems in an ICS environment, with a special focus on the HAI (HIL-based augmented ICS) dataset [32] recorded for this purpose.The collected data are analyzed in detail to extract important characteristics and information.This includes dimensionality reduction using Principal Component Analysis (PCA) and data segmentation using K-means clustering.Next, a model is designed and trained using a neural network structure with input, hidden, and output layers.This allows the model to learn patterns from the data.Finally, the model's performance is evaluated on a separate dataset to validate its ability to accurately detect anomalies.When anomalies are detected, the tag name, detection time, and tag value of the anomalous behavior are displayed.
to the creation of a stable and secure industrial control system environment.
As such, AI-based anomaly detection techniques play an important role in enhancing the security of industrial control systems.Each of these studies presents different methodologies and approaches, which provide a methodology for the more accurate detection of anomalies in different environments.In the future, these studies will continue to evolve and become more prominent as important research topics in cybersecurity.

Overview of the Proposed Approach
Figure 2 provides an overview of the process proposed in our study.The process for anomaly detection using machine learning in industrial control systems is as follows: Data are collected from multiple sensors and systems in an ICS environment, with a special focus on the HAI (HIL-based augmented ICS) dataset [32] recorded for this purpose.The collected data are analyzed in detail to extract important characteristics and information.This includes dimensionality reduction using Principal Component Analysis (PCA) and data segmentation using K-means clustering.Next, a model is designed and trained using a neural network structure with input, hidden, and output layers.This allows the model to learn patterns from the data.Finally, the model's performance is evaluated on a separate dataset to validate its ability to accurately detect anomalies.When anomalies are detected, the tag name, detection time, and tag value of the anomalous behavior are displayed.

The Dataset
Our study used an HAI dataset specifically designed for ICS security and augmented with hardware-in-the-loop (HIL) simulations.Figure 3 shows a model that simulates a real industrial environment.This dataset accurately reflects the operation of a real ICS environment, including key components such as the boiler, turbine, water treatment system, and HIL simulation.The boiler operation promotes heat exchange between water at various pressures and temperatures, while the turbine mechanism uses a rotor kit testbed to replicate the operation of a rotating machine.These components are seamlessly integrated through the HIL simulator to ensure they match the speed of the steam generator.The water treatment module emulates hydroelectric power generation by pumping water into an upper reservoir and then discharging it into a lower reservoir.
tem, and HIL simulation.The boiler operation promotes heat exchange between water at various pressures and temperatures, while the turbine mechanism uses a rotor kit testbed to replicate the operation of a rotating machine.These components are seamlessly integrated through the HIL simulator to ensure they match the speed of the steam generator.The water treatment module emulates hydroelectric power generation by pumping water into an upper reservoir and then discharging it into a lower reservoir.Data were collected from 59 sensors every second for four days, during which 28 artificial attacks were launched against the system, targeting various system points such as control outputs and parameters.For our research, version 22.04 of the HAI dataset consisted of six train\#.csvfiles, each containing 87 variables (devices).Table 2 is part of the Train1.csvfile.We merged these files into a single dataset for model development.We then removed the "attack" column, which was deemed irrelevant to our study, resulting in a dataset of 86 operational variables.Data were collected from 59 sensors every second for four days, during which 28 artificial attacks were launched against the system, targeting various system points such as control outputs and parameters.For our research, version 22.04 of the HAI dataset consisted of six train\#.csvfiles, each containing 87 variables (devices).Table 2 is part of the Train1.csvfile.We merged these files into a single dataset for model development.We then removed the "attack" column, which was deemed irrelevant to our study, resulting in a dataset of 86 operational variables.

Data Preparation
In this study, we used the HAI dataset to normalize and standardize the data in the initial stage.We also used PCA to select features and reduce dimensionality, and clustering techniques to identify groups of similar objects and identify groups of similar objects, in addition to basic preprocessing tasks.A clustering algorithm is a technique that groups similar data within a dataset based on their characteristics to form clusters.In this study, we removed the 'timestamp' information from the time series dataset before applying the clustering algorithm.To scale the data, we adjusted it to the range [0, 1] using the minimum and maximum values.

Implementing Cluster Segmentation
The K-means algorithm is an unsupervised learning algorithm that groups data into K clusters.It works by minimizing the variance of the distance difference between the given data and each cluster.The sum of squared errors (SSE) within each cluster, which is the sum of the squares of the Euclidean distances between each data point and its cluster center, is expressed by the following formula.
where k is the number of clusters.C i is the set of data points in the ith cluster.x is a data point in cluster C i .µ i is the centroid or mean of all the data points in cluster C i .∥x − µ i ∥ 2 is the square of the Euclidean distance between the data point x and the centroid µ i .Figure 4 shows the number of tags between clusters.To cluster the data, we selected tags that showed similar patterns of behavior.The optimal number of clusters was set at the point where the SSE value of K-means dropped sharply, and our study set it at six groups obtained by the optimal value.clustering algorithm.To scale the data, we adjusted it to the range [0, 1] using the minimum and maximum values.

Implementing Cluster Segmentation
The K-means algorithm is an unsupervised learning algorithm that groups data into K clusters.It works by minimizing the variance of the distance difference between the given data and each cluster.The sum of squared errors (SSE) within each cluster, which is the sum of the squares of the Euclidean distances between each data point and its cluster center, is expressed by the following formula.

𝑆𝑆𝐸 = ∈ ∥ 𝑥 − 𝜇 ∥
where k is the number of clusters.Ci is the set of data points in the ith cluster.x is a data point in cluster Ci. μi is the centroid or mean of all the data points in cluster Ci. ∥x − μi∥ 2 is the square of the Euclidean distance between the data point x and the centroid μi. Figure 4 shows the number of tags between clusters.To cluster the data, we selected tags that showed similar patterns of behavior.The optimal number of clusters was set at the point where the SSE value of K-means dropped sharply, and our study set it at six groups obtained by the optimal value.Table 3 shows the number of tags classified by clustering.Clustering is a technique for grouping data with similar characteristics, which is useful for characterizing and analyzing data.The number of all tags was 86 and was reduced to 3 dimensions using PCA.Data scaling is a common preprocessing step in data analysis that involves adjusting the values in your data to a particular range or scale.This can make variables with different units comparable or prevent variables with larger values from becoming more important during model training.Table 3 shows the number of tags classified by clustering.Clustering is a technique for grouping data with similar characteristics, which is useful for characterizing and analyzing data.The number of all tags was 86 and was reduced to 3 dimensions using PCA.Data scaling is a common preprocessing step in data analysis that involves adjusting the values in your data to a particular range or scale.This can make variables with different units comparable or prevent variables with larger values from becoming more important during model training.Cluster 4 is shown in Figure 5.The data were visually grouped based on similar characteristics, with each time series reflecting a distinct pattern or behavior.This allows you to monitor the health and performance of the system.Cluster 4 is shown in Figure 5.The data were visually grouped based on similar characteristics, with each time series reflecting a distinct pattern or behavior.This allows you to monitor the health and performance of the system.

Preparation of the Input Data
To process the time series data for use in the composite autoencoder model, the following steps were taken: Firstly, each data point was separated into one-second increments, and a min-max normalization was performed on the data points to adjust all data values to a range between 0 and 1.After completing the normalization process, we divided the entire dataset into 3600 s window sizes and rolled the data based on these windows.We calculated important statistical properties such as the standard deviation, mean, slope, and intercept of the data points in each window.Figure 6 shows the statistical characteristics for "P1_B2004".

Preparation of the Input Data
To process the time series data for use in the composite autoencoder model, the following steps were taken: Firstly, each data point was separated into one-second increments, and a min-max normalization was performed on the data points to adjust all data values to a range between 0 and 1.After completing the normalization process, we divided the entire dataset into 3600 s window sizes and rolled the data based on these windows.We calculated important statistical properties such as the standard deviation, mean, slope, and intercept of the data points in each window.Figure 6 shows the statistical characteristics for "P1_B2004".Finally, to prepare the input data for the autoencoder model, we analyzed the peak values for each tag, broken down into 60 s increments.The normalization process saved the minimum and maximum values calculated for each tag by cluster, providing a reference point for the future ranging and thresholding of each tag.Table 4 displays the values for the statistical properties of collection tags.Finally, to prepare the input data for the autoencoder model, we analyzed the peak values for each tag, broken down into 60 s increments.The normalization process saved the minimum and maximum values calculated for each tag by cluster, providing a reference point for the future ranging and thresholding of each tag.Table 4 displays the values for the statistical properties of collection tags.

Design the Model Framework
This study applied a composite autoencoder model to detect anomalies in industrial control systems.The composite autoencoder evaluates anomalies by comparing the anomaly score of the output with a pre-generated threshold of the input and classifying it as an anomaly if it exceeds the threshold.The CNN layer filters the input data to activate specific features and then progressively abstracts them to reduce data complexity.The Rectified Linear Unit (ReLU) activation function introduces nonlinearity by setting negative values to zero.This allows the model to learn more complex functions, mitigating the problem of neuron deactivation and improving computational efficiency.Long Short-Term Memory (LSTM) networks, a type of Recurrent Neural Network (RNN), are particularly useful for detecting anomalies in time series data because they can remember long-term dependencies in sequential data.By combining CNNs and LSTM networks, composite autoencoders can identify and highlight important features in the data while encoding and decoding temporal variations.The encoder compresses the input data to extract significant features, and the decoder reconstructs the original data based on these features.Composite autoencoders can effectively detect anomalies, even if they are small or occur consistently over time, by capturing these important features and identifying anomalous patterns.Figure 7 shows the structure of the composite autoencoder used in our study.

•
Input layer: In this study, each tag obtained by clustering was used as input data.It was assumed that all tags had no explanation, but they can be processed simultaneously because different data such as temperature, pressure, and flow were clustered.

•
Output layer: The output layer of the model was designed to detect abnormal behavior.The output layer reconstructed the input data, compared it to the original data, and generated an abnormal behavior score.At this point, if the abnormal behavior score exceeded a certain threshold, it was considered abnormal and would inform you of the name, value, and time of occurrence of the tag.
• Activation functions and singularities: ReLU was used in the model to increase the nonlinearity of the model and to increase computational efficiency.Loss used the Mean Squared Error and the learning speed of the Adam optimizer was generally set to 0.001.
values to zero.This allows the model to learn more complex functions, mitigating the problem of neuron deactivation and improving computational efficiency.Long Short-Term Memory (LSTM) networks, a type of Recurrent Neural Network (RNN), are particularly useful for detecting anomalies in time series data because they can remember longterm dependencies in sequential data.By combining CNNs and LSTM networks, composite autoencoders can identify and highlight important features in the data while encoding and decoding temporal variations.The encoder compresses the input data to extract significant features, and the decoder reconstructs the original data based on these features.Composite autoencoders can effectively detect anomalies, even if they are small or occur consistently over time, by capturing these important features and identifying anomalous patterns.Figure 7 shows the structure of the composite autoencoder used in our study.• Input layer: In this study, each tag obtained by clustering was used as input data.It was assumed that all tags had no explanation, but they can be processed simultaneously because different data such as temperature, pressure, and flow were clustered.

•
Output layer: The output layer of the model was designed to detect abnormal behavior.The output layer reconstructed the input data, compared it to the original data, and generated an abnormal behavior score.At this point, if the abnormal behavior score exceeded a certain threshold, it was considered abnormal and would inform you of the name, value, and time of occurrence of the tag.

•
Activation functions and singularities: ReLU was used in the model to increase the nonlinearity of the model and to increase computational efficiency.Loss used the Mean Squared Error and the learning speed of the Adam optimizer was generally set to 0.001.

Tag-Cluster Detection Classification Model
In this study, statistical attribute data were collected and analyzed on a cluster basis for each tag.Any data point that exceeded the threshold was considered anomalous behavior for that tag. Figure 8 shows a boxplot that visually shows the statistical properties of the clusters.If any of the input data, represented by the red dots, exceeded the statistical upper limit defined in the boxplot, anomalous behavior was detected and the corresponding tag was classified as anomalous.In this study, statistical attribute data were collected and analyzed on a cluster basis for each tag.Any data point that exceeded the threshold was considered anomalous behavior for that tag. Figure 8 shows a boxplot that visually shows the statistical properties of the clusters.If any of the input data, represented by the red dots, exceeded the statistical upper limit defined in the boxplot, anomalous behavior was detected and the corresponding tag was classified as anomalous.As a result, outliers were identified by comparing the thresholds of the reconstructed values from the clustered input values to the output values.

Evaluation Metrics
One of the main objectives of this study was to systematically evaluate and validate the performance of the model.For this purpose, we used several performance metrics and validation methods.

•
Performance metrics: Basically, we used the confusion matrix to calculate the number of true positives, true negatives, false positives, and false negatives.From this, we derived statistical metrics such as accuracy, precision, and recall to evaluate the performance of the model.As a result, outliers were identified by comparing the thresholds of the reconstructed values from the clustered input values to the output values.

Evaluation Metrics
One of the main objectives of this study was to systematically evaluate and validate the performance of the model.For this purpose, we used several performance metrics and validation methods.

•
Performance metrics: Basically, we used the confusion matrix to calculate the number of true positives, true negatives, false positives, and false negatives.From this, we derived statistical metrics such as accuracy, precision, and recall to evaluate the performance of the model.• Validation methodology: To increase the reliability of our performance metrics, we modeled the case of a hacking threat by assuming abnormal situations and adding intentional error data.We can evaluate how our anomaly detection model handles these situations.
Performance evaluation and validation are important steps that determine the practicality and reliability of a model.In this study, we performed these steps thoroughly, and we expect the model to perform well in real industrial settings.
Accuracy shows how many samples are correctly classified as a percentage of the total samples.

Accuracy =
TP + TN TP + TN + FP + FN Precision shows how many of the predicted positive results are positive as a percentage of the total.
Precision = TP TP + FP Recall shows how many of the true positives are predicted to be positive, as a percentage.

Recall = TP TP + FN
The F1 score is the harmonic mean of precision and recall.It is a good indicator of the balance between the two.

Classification and Confusion Matrix
Figure 9 is the result of the performance of the classification model.First, it showed high precision for all classes, with cluster 4 attaining a particularly good precision of 0.96.The recall is also high across the board, with cluster 1 attaining the best recall of 0.96.The F1 score, which is the harmonic mean of precision and recall, shows a balanced value for each class, with values above 0.86.Finally, the overall accuracy is around 0.93, showing that the model correctly classifies most of the total sample.These results indicate that the classification model does a good job of distinguishing between each class, and that it has a high overall performance.
Figure 10 shows that each cluster is clearly distinct.In this study, we performed clustering of the data using unsupervised learning methods.We also performed a validation of the clustering using a test set and found that the results were good, with the data points within each cluster clustered closely together with a clear distinction between the different clusters.These results show that the chosen clustering algorithm has a good grasp of the structure and patterns in the data.
The recall is also high across the board, with cluster 1 attaining the best recall of 0.96.The F1 score, which is the harmonic mean of precision and recall, shows a balanced value for each class, with values above 0.86.Finally, the overall accuracy is around 0.93, showing that the model correctly classifies most of the total sample.These results indicate that the classification model does a good job of distinguishing between each class, and that it has a high overall performance.Figure 10 shows that each cluster is clearly distinct.In this study, we performed clustering of the data using unsupervised learning methods.We also performed a validation of the clustering using a test set and found that the results were good, with the data points within each cluster clustered closely together with a clear distinction between the different clusters.These results show that the chosen clustering algorithm has a good grasp of the structure and patterns in the data.

Single-Variable Abnormal Behavior
As an experiment to mimic sensor failure that may occur in a real operating environment or the abnormal operation of the system, we artificially manipulated data values of 3 s randomly selected from the total data points of 3,600 s to create a data anomaly.The main purpose of the experiment was to see how effective the detection system is in identifying a clear anomaly that occurred in a single variable.Figure 11 shows the detection result when a number of anomalous behaviors were detected in a single variable.

Abnormal Behavior Detection Experiment 4.2.1. Single-Variable Abnormal Behavior
As an experiment to mimic sensor failure that may occur in a real operating environment or the abnormal operation of the system, we artificially manipulated data values of 3 s randomly selected from the total data points of 3,600 s to create a data anomaly.The main purpose of the experiment was to see how effective the detection system is in identifying a clear anomaly that occurred in a single variable.Figure 11 shows the detection result when a number of anomalous behaviors were detected in a single variable.
ment or the abnormal operation of the system, we artificially manipulated data values of 3 s randomly selected from the total data points of 3,600 s to create a data anomaly.The main purpose of the experiment was to see how effective the detection system is in identifying a clear anomaly that occurred in a single variable.Figure 11 shows the detection result when a number of anomalous behaviors were detected in a single variable.The abnormal behavior detection algorithm successfully detected a number of abnormal behaviors in a single variable that exceeded the threshold.Table 5 shows that the value of a single variable changes for 3 s, indicating that a single sensor or system can detect abnormal behavior or events.The abnormal behavior detection algorithm successfully detected a number of abnormal behaviors in a single variable that exceeded the threshold.Table 5 shows that the value of a single variable changes for 3 s, indicating that a single sensor or system can detect abnormal behavior or events.This experiment focused on evaluating the ability of detection algorithms to detect anomalies occurring simultaneously in multiple variables.We selected two different tags and artificially manipulated one data value in each tag to create an anomaly data state.This experiment assumed a complex anomaly that may occur in different components or centers.The purpose of the experiment was to evaluate how the detection system performs in identifying these multivariate anomalies.Figure 12 shows the results of detecting anomalous behavior in multiple variables.This experiment focused on evaluating the ability of detection algorithms to detect anomalies occurring simultaneously in multiple variables.We selected two different tags and artificially manipulated one data value in each tag to create an anomaly data state.This experiment assumed a complex anomaly that may occur in different components or centers.The purpose of the experiment was to evaluate how the detection system performs in identifying these multivariate anomalies.Figure 12 shows the results of detecting anomalous behavior in multiple variables.Values exceeding the threshold were successfully detected in two or more variables.Table 6 shows the results of detecting these values.This demonstrates the ability to detect abnormal behavior or events across multiple sensors.Values exceeding the threshold were successfully detected in two or more variables.Table 6 shows the results of detecting these values.This demonstrates the ability to detect abnormal behavior or events across multiple sensors.The final experiment in our study was designed to verify that the detection system could accurately detect microscopic anomalies.We tested the anomalies by changing only one data value of a single tag, which was assumed to indicate subtle changes in the sensor or small system failures.The key to the experiment was to ensure that the detection algorithm could accurately detect these microscopic changes and generate the appropriate alerts.Figure 13 shows the detection of a single outlier in a variable.This result shows that the detection model accurately detects small changes in a single variable.Table 7 shows a single value exceeding the threshold in only one variable, demonstrating the ability of our model to proactively and accurately respond to problems before they occur.

Conclusions
The industrial control system (ICS) is an essential component in the management and control of industrial processes where security and reliability are of utmost importance.Anomaly detection is an essential mechanism for detecting deviations from normal system behavior and identifying potential attacks or system failures.However, generating labeled datasets for supervised machine learning models is a challenging task in ICSs because it requires significant effort and expertise.To address these challenges, this paper presents an unsupervised learning mechanism for anomaly detection in ICSs using instrumentation data.The approach is to use unlabeled datasets to train a machine learning model to detect anomalous behavior in the system.This approach is preferred because it does not require labeled datasets, making the process more feasible and cost-effective [33].We have found that a composite autoencoder model that captures the ability to detect anomalous behavior in the ICS and identifies unusual patterns in the data is most effective.This result shows that the detection model accurately detects small changes in a single variable.Table 7 shows a single value exceeding the threshold in only one variable, demonstrating the ability of our model to proactively and accurately respond to problems before they occur.

Conclusions
The industrial control system (ICS) is an essential component in the management and control of industrial processes where security and reliability are of utmost importance.Anomaly detection is an essential mechanism for detecting deviations from normal system behavior and identifying potential attacks or system failures.However, generating labeled datasets for supervised machine learning models is a challenging task in ICSs because it requires significant effort and expertise.To address these challenges, this paper presents an unsupervised learning mechanism for anomaly detection in ICSs using instrumentation data.The approach is to use unlabeled datasets to train a machine learning model to detect anomalous behavior in the system.This approach is preferred because it does not require labeled datasets, making the process more feasible and cost-effective [33].We have found that a composite autoencoder model that captures the ability to detect anomalous behavior in the ICS and identifies unusual patterns in the data is most effective.
In future work, we plan to investigate identifying attack types based on real-world measurement data.We believe that identifying attack types that occur in real systems and quickly detecting threats is best suited for anomaly detection in ICSs.It is also important to quickly identify and mitigate potential threats to prevent potential outages.To this end, we would like to explore different techniques and models that can effectively identify different types of attacks in ICSs.

Figure 1 .
Figure 1.OT, ICS, SCADA concept map with OT part in the Purdue model.

Figure 1 .
Figure 1.OT, ICS, SCADA concept map with OT part in the Purdue model.

Figure 6 .
Figure 6.Statistical characteristics of input data.

Figure 6 .
Figure 6.Statistical characteristics of input data.

Table 1 .
Recent ICS research focused on improving intrusion detection.
Wolsing et al. [27] SIMPLE-IID Intrusion detection based on four simple IIDs (min-max, gradient, steady-time, and histogram) Focus on improving industrial intrusion detection rates Park et al. [28] XGBOOST Based on alert aggregation intrusion detection system Focuses on attack detection for this model of IDS by integrating many alerts Kim et al. [29] LSTM Correlation-coefficient-clustering-based performance improvement techniques Focus on improving detection rates in simulated environments Xue et al. [30] Deep SAD

Table 3 .
Size of each cluster.

Table 3 .
Size of each cluster.

Table 4 .
The values of the statistical property collection tag.

Table 4 .
The values of the statistical property collection tag.