Improving Computer Security Anomaly Detection Techniques through Coordinated Research Projects

Identifying anomalies in the operations of computer systems that control critical safety and security functions calls for extensive expertise, and the actions required need to be tested, analysed and amended in order to be robust.

“Anomaly detection plays an important part in early assessment of possible threats targeting the computer-based systems at nuclear and radiological facilities,” said Scott Purvis, Head of the Information Management Section in the IAEA’s Division of Nuclear Security. “Usually, the anomaly detection techniques are based on artificial intelligence applications such as machine learning, statistics-based, knowledge-based methods or other technologies,” he said. Such technologies are used to identify deviations from expected network communications or process measurements which can be the first indicator that a computer system’s defenses have been bypassed by an intruder, and can provide real-time detection of cyberattacks.

These technologies are important because a highly capable malicious actor may introduce malware that compromises the safety or security functions of a digital system while falsifying data from sensors and indicators sent to an operator. This means that the operator may be unaware of any malicious activity taking place and will initially react based on what is displayed in the control room, potentially being misled into taking the incorrect action. Only through the automated detection of the smallest anomalies in such a cyberattack could an operator be correctly informed.

To address this important area of work and other computer security challenges, the IAEA launched a specific coordinated research project (CRP) in 2016.

Research and development through CRPs are an indispensable part of the IAEA’s activities in computer security for nuclear security. These projects produce a body of research and actionable conclusions that complement the IAEA’s ongoing efforts to enhance countries’ capabilities in the prevention, detection of, response to, and recovery after computer security incidents that have the potential to directly or indirectly impact the safety and security of nuclear and radiological facilities. 

“Adversaries are becoming more sophisticated, and their cyber capabilities present increasing challenges in developing anomaly detection tools,” said Purvis. “The development of anomaly detection techniques requires access to realistic and physically consistent network and plant process data to train and test the detection models.”

Cyberattack scenario to build capacity

The 2016 CRP, entitled “Enhancing Computer Security Incident Analysis at Nuclear Facilities”, produced significant results, such as enabling further research into targeted tools and techniques that had previously been impossible to investigate without the risk of exposing sensitive information from nuclear and radiological facilities.

The CRP team, consisting of researchers from 13 countries and 17 organizations, developed a fictitious facility referred to as the ‘Asherah’ nuclear power plant (NPP), and a simulator (ANS) was developed by the University of São Paulo based on this facility. Together, they developed realistic cyberattack scenarios within a nuclear facility. These cyberattack scenarios have made it possible to explore and assess the effectiveness of computer security measures, as well as the potential operational consequences of a digital asset being compromised. Additionally, the team worked on data collection and analysis and the development and testing of techniques for detecting cyberattacks.

“We developed and used the ANS to generate a repository of data for training our machine learning models and to evaluate their efficiency. The IAEA CRP brought together international partners to conduct research and created new knowledge in this area,” said Ricardo Marques, a professor at the Polytechnic School of the University of São Paulo in Brazil. The cooperation between the CRP participants was essential to validate the work done.”

Additionally, the CRP outcomes have been used for ongoing education and training involving a large number of graduate students and researchers in varying disciplines. This has further enhanced research and efforts made with the aim of continuously improving computer security at nuclear and radiological facilities.

“Part of my research as a PhD student has been conducted using the ANS and its Human Machine Interface (HMI), an interface that allows a user to observe and communicate with the simulator, developed within the IAEA CRP,” said Si Wen, a PhD student from Tsinghua University in China. “I conducted research on anomaly detection techniques, and the ANS was essential to produce the necessary data to train and evaluate a detection algorithm developed for NPPs. Without the collaboration among all participating institutes, and the tools developed by the CRP team, it would be impossible to conduct my PhD research on cybersecurity of NPP digital systems,” she added.

The CRP outcomes — the ANS, tools and guidance — are available to interested research institutes around the world. They can be obtained by submitting to the IAEA, through the relevant national authority, a request form available on the IAEA’s Nuclear Security Information Portal (NUSEC).

More recently, in 2023, the IAEA launched a new CRP entitled “Enhancing Computer Security for Radiation Detection Systems” to investigate methodologies and techniques to improve computer security of radiation detection equipment. The research projects planned under the new CRP, with 12 participating organizations (including national laboratories, universities and national researcher institutes) from 11 countries, will address the use of emerging digital technologies, such as cloud computing, and continue to explore and develop innovative anomaly detection techniques.