{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T23:25:13Z","timestamp":1767828313202,"version":"3.49.0"},"reference-count":55,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2022,12,27]],"date-time":"2022-12-27T00:00:00Z","timestamp":1672099200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004955","name":"\u00d6sterreichische Forschungsf\u00f6rderungsgesellschaft (FFG)","doi-asserted-by":"publisher","award":["881844"],"award-info":[{"award-number":["881844"]}],"id":[{"id":"10.13039\/501100004955","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Graz University of Technology","award":["881844"],"award-info":[{"award-number":["881844"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Critical infrastructure, such as water treatment facilities, largely relies on the effective functioning of industrial control systems (ICSs). Due to the wide adoption of high-speed network and digital infrastructure technologies, these systems are now highly interconnected not only to corporate networks but also to the public Internet, mostly for remote control and monitoring purposes. Sophisticated cyber-attacks may take advantage the increased interconnectedness or other security gaps of an ICS and infiltrate the system with devastating consequences to the economy, national security, and even human life. Due to the paramount importance of detecting and isolating these attacks, we propose an unsupervised anomaly detection approach that employs causal inference to construct a robust anomaly score in two phases. First, minimal domain knowledge via causal models helps identify critical interdependencies in the system, while univariate models contribute to individually learn the normal behavior of the system\u2019s components. In the final phase, we employ the extreme studentized deviate (ESD) on the computed score to detect attacks and to exclude any irrelevant sensor signals. Our approach is validated on the widely used Secure Water Treatment (SWaT) benchmark, and it exhibits the highest F1 score with zero false alarms, which is extremely important for real-world deployment.<\/jats:p>","DOI":"10.3390\/s23010257","type":"journal-article","created":{"date-parts":[[2022,12,27]],"date-time":"2022-12-27T03:05:56Z","timestamp":1672110356000},"page":"257","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["A Causality-Inspired Approach for Anomaly Detection in a Water Treatment Testbed"],"prefix":"10.3390","volume":"23","author":[{"given":"Georgios","family":"Koutroulis","sequence":"first","affiliation":[{"name":"Pro2Future GmbH, 8010 Graz, Austria"}]},{"given":"Belgin","family":"Mutlu","sequence":"additional","affiliation":[{"name":"Pro2Future GmbH, 8010 Graz, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0202-6100","authenticated-orcid":false,"given":"Roman","family":"Kern","sequence":"additional","affiliation":[{"name":"Institute of Interactive Systems and Data Science, Graz University of Technology, 8010 Graz, Austria"},{"name":"Area of Knowledge Discovery, Know-Center GmbH, 8010 Graz, Austria"}]}],"member":"1968","published-online":{"date-parts":[[2022,12,27]]},"reference":[{"key":"ref_1","unstructured":"Gill, H. (2008, January 18\u201320). From vision to reality: Cyber-physical systems. Proceedings of the HCSS National Workshop on New Research Directions for High Confidence Transportation CPS: Automotive, Aviation, and Rail, Austin, TX, USA."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"50","DOI":"10.5942\/jawwa.2017.109.0021","article-title":"Protecting drinking water utilities from cyberthreats","volume":"109","author":"Clark","year":"2017","journal-title":"J. Am. Water Work. Assoc."},{"key":"ref_3","unstructured":"Magazine, S. (2022, November 05). Hacker Breaks into Florida Water Treatment Facility, Changes Chemical Levels. Available online: https:\/\/www.securitymagazine.com\/articles\/94552-hacker-breaks-into-florida-water-treatment-facility-changes-chemical-levels."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"03120003","DOI":"10.1061\/(ASCE)EE.1943-7870.0001686","article-title":"A review of cybersecurity incidents in the water sector","volume":"146","author":"Hassanzadeh","year":"2020","journal-title":"J. Environ. Eng."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Ahmed, C.M., MR, G.R., and Mathur, A.P. (2020, January 6). Challenges in machine learning based approaches for real-time anomaly detection in industrial control systems. Proceedings of the 6th ACM on Cyber-Physical System Security Workshop, Taipei, Taiwan.","DOI":"10.1145\/3384941.3409588"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Goh, J., Adepu, S., Tan, M., and Lee, Z.S. (2017, January 12\u201314). Anomaly detection in cyber physical systems using recurrent neural networks. Proceedings of the 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), Singapore.","DOI":"10.1109\/HASE.2017.36"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Inoue, J., Yamagata, Y., Chen, Y., Poskitt, C.M., and Sun, J. (2017, January 18\u201321). Anomaly detection for a water treatment system using unsupervised machine learning. Proceedings of the 2017 IEEE International Conference on Data Mining Workshops (ICDMW), New Orleans, LA, USA.","DOI":"10.1109\/ICDMW.2017.149"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Sapkota, S., Mehdy, A.N., Reese, S., and Mehrpouyan, H. (2020). Falcon: Framework for anomaly detection in industrial control systems. Electronics, 9.","DOI":"10.3390\/electronics9081192"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"F\u00e4hrmann, D., Damer, N., Kirchbuchner, F., and Kuijper, A. (2022). Lightweight Long Short-Term Memory Variational Auto-Encoder for Multivariate Time Series Anomaly Detection in Industrial Control Systems. Sensors, 22.","DOI":"10.3390\/s22082886"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"104926","DOI":"10.1016\/j.engappai.2022.104926","article-title":"Constructing robust health indicators from complex engineered systems via anticausal learning","volume":"113","author":"Koutroulis","year":"2022","journal-title":"Eng. Appl. Artif. Intell."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Pearl, J. (2018). Theoretical impediments to machine learning with seven sparks from the causal revolution. arXiv.","DOI":"10.1145\/3159652.3176182"},{"key":"ref_12","unstructured":"Marcus, G. (2018). Deep learning: A critical appraisal. arXiv."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"741","DOI":"10.1109\/TRPMS.2021.3066428","article-title":"On interpretability of artificial neural networks: A survey","volume":"5","author":"Fan","year":"2021","journal-title":"IEEE Trans. Radiat. Plasma Med. Sci."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"102585","DOI":"10.1016\/j.cose.2021.102585","article-title":"CNN based method for the development of cyber-attacks detection algorithms in industrial control systems","volume":"114","author":"Nedeljkovic","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"100393","DOI":"10.1016\/j.ijcip.2020.100393","article-title":"A multilayer perceptron model for anomaly detection in water treatment plants","volume":"31","author":"MR","year":"2020","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"6003","DOI":"10.1109\/TSMC.2021.3131662","article-title":"A Hybrid Physics-Based Data-Driven Framework for Anomaly Detection in Industrial Control Systems","volume":"52","author":"Raman","year":"2021","journal-title":"IEEE Trans. Syst. Man Cybern. Syst."},{"key":"ref_17","first-page":"103046","article-title":"AICrit: A unified framework for real-time anomaly detection in water treatment plants","volume":"64","author":"MR","year":"2022","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Pearl, J. (2009). Causality, Cambridge University Press.","DOI":"10.1017\/CBO9780511803161"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Mathur, A.P., and Tippenhauer, N.O. (2016, January 11). SWaT: A water treatment testbed for research and training on ICS security. Proceedings of the 2016 International Workshop on Cyber-Physical Systems for Smart Water Networks (CySWater), Vienna, Austria.","DOI":"10.1109\/CySWater.2016.7469060"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3453155","article-title":"Deep learning-based anomaly detection in cyber-physical systems: Progress and opportunities","volume":"54","author":"Luo","year":"2021","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1080\/00401706.1983.10487848","article-title":"Percentage points for a generalized ESD many-outlier procedure","volume":"25","author":"Rosner","year":"1983","journal-title":"Technometrics"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"1146","DOI":"10.3390\/smartcities4030061","article-title":"Intrusion Detection in Critical Infrastructures: A Literature Review","volume":"4","author":"Panagiotis","year":"2021","journal-title":"Smart Cities"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"109032","DOI":"10.1016\/j.comnet.2022.109032","article-title":"A survey on deep learning for cybersecurity: Progress, challenges, and opportunities","volume":"212","author":"Macas","year":"2022","journal-title":"Comput. Netw."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"3453","DOI":"10.1109\/COMST.2018.2855563","article-title":"A survey of iot-enabled cyberattacks: Assessing attack paths to critical infrastructures and services","volume":"20","author":"Stellios","year":"2018","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"2248","DOI":"10.1109\/COMST.2021.3094360","article-title":"A survey on industrial control system testbeds and datasets for security research","volume":"23","author":"Conti","year":"2021","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Tuptuk, N., Hazell, P., Watson, J., and Hailes, S. (2021). A systematic review of the state of cyber-security in water systems. Water, 13.","DOI":"10.3390\/w13010081"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"549","DOI":"10.1080\/08839514.2021.1922840","article-title":"Anomaly Detection Model for Predicting Hard Disk Drive Failures","volume":"35","author":"Djurasevic","year":"2021","journal-title":"Appl. Artif. Intell."},{"key":"ref_28","first-page":"301216","article-title":"An easy-to-explain decision support framework for forensic analysis of dynamic signatures","volume":"38","author":"Mazzolini","year":"2021","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Corizzo, R., Ceci, M., Pio, G., Mignone, P., and Japkowicz, N. (2021, January 11\u201313). Spatially-aware autoencoders for detecting contextual anomalies in geo-distributed data. Proceedings of the International Conference on Discovery Science, Halifax, NS, Canada.","DOI":"10.1007\/978-3-030-88942-5_36"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Macas, M., and Wu, C. (2019, January 16\u201319). An unsupervised framework for anomaly detection in a water treatment system. Proceedings of the 2019 18th IEEE International Conference on Machine Learning And Applications (ICMLA), Boca Raton, FL, USA.","DOI":"10.1109\/ICMLA.2019.00212"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Schneider, P., and B\u00f6ttinger, K. (2018, January 19). High-performance unsupervised anomaly detection for cyber-physical system networks. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and Privacy, Toronto, ON, Canada.","DOI":"10.1145\/3264888.3264890"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Kravchik, M., and Shabtai, A. (2018, January 19). Detecting cyber attacks in industrial control systems using convolutional neural networks. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and Privacy, Toronto, ON, Canada.","DOI":"10.1145\/3264888.3264896"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"2179","DOI":"10.1109\/TDSC.2021.3050101","article-title":"Efficient cyber attack detection in industrial control systems using lightweight neural networks and pca","volume":"19","author":"Kravchik","year":"2021","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_34","unstructured":"Shalyga, D., Filonov, P., and Lavrentyev, A. (2018). Anomaly detection for water treatment system based on neural network with automatic architecture optimization. arXiv."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Kim, Y., and Kim, H.K. (2020, January 20\u201321). Anomaly detection using clustered deep one-class classification. Proceedings of the 2020 15th Asia Joint Conference on Information Security (AsiaJCIS), Taipei, Taiwan.","DOI":"10.1109\/AsiaJCIS50894.2020.00034"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Liu, F.T., Ting, K.M., and Zhou, Z.H. (2008, January 15\u201319). Isolation forest. Proceedings of the 2008 Eighth IEEE International Conference on Data Mining, Washington, DC, USA.","DOI":"10.1109\/ICDM.2008.17"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Elnour, M., Meskin, N., and Khan, K.M. (2020, January 24\u201326). Hybrid attack detection framework for industrial control systems using 1D-convolutional neural network and isolation forest. Proceedings of the 2020 IEEE Conference on Control Technology and Applications (CCTA), Montreal, QC, Canada.","DOI":"10.1109\/CCTA41146.2020.9206394"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"36639","DOI":"10.1109\/ACCESS.2020.2975066","article-title":"A dual-isolation-forests-based attack detection framework for industrial control systems","volume":"8","author":"Elnour","year":"2020","journal-title":"IEEE Access"},{"key":"ref_39","unstructured":"Adepu, S., and Mathur, A. (2021, January 22\u201324). Using process invariants to detect cyber attacks on a water treatment system. Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection, Oslo, Norway."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Yoong, C.H., and Heng, J. (2019, January 25\u201327). Framework for continuous system security protection in SWaT. Proceedings of the 2019 3rd International Symposium on Computer Science and Intelligent Control, Amsterdam, The Netherlands.","DOI":"10.1145\/3386164.3387297"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1038\/s41467-019-10105-3","article-title":"Inferring causation from time series in Earth system sciences","volume":"10","author":"Runge","year":"2019","journal-title":"Nat. Commun."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3480971","article-title":"KOMPOS: Connecting causal knots in large nonlinear time series with non-parametric regression splines","volume":"12","author":"Koutroulis","year":"2021","journal-title":"ACM Trans. Intell. Syst. Technol. (TIST)"},{"key":"ref_43","first-page":"1","article-title":"A survey of learning causality with data: Problems and methods","volume":"53","author":"Guo","year":"2020","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Lin, Q., Adepu, S., Verwer, S., and Mathur, A. (2018, January 4\u20138). TABOR: A graphical model-based approach for anomaly detection in industrial control systems. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, Incheon, Republic of Korea.","DOI":"10.1145\/3196494.3196546"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"103741","DOI":"10.1016\/j.compind.2022.103741","article-title":"Multi-step attack detection in industrial control systems using causal analysis","volume":"142","author":"Jadidi","year":"2022","journal-title":"Comput. Ind."},{"key":"ref_46","unstructured":"Yang, W., Zhang, K., and Hoi, S.C. (2022). Causality-Based Multivariate Time Series Anomaly Detection. arXiv."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"524","DOI":"10.3389\/fgene.2019.00524","article-title":"Review of causal discovery methods based on graphical models","volume":"10","author":"Glymour","year":"2019","journal-title":"Front. Genet."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"e1449","DOI":"10.1002\/widm.1449","article-title":"Methods and tools for causal discovery and causal inference","volume":"12","author":"Nogueira","year":"2022","journal-title":"Wiley Interdiscip. Rev. Data Min. Knowl. Discov."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"162","DOI":"10.21629\/JSEE.2017.01.18","article-title":"Convolutional neural networks for time series classification","volume":"28","author":"Zhao","year":"2017","journal-title":"J. Syst. Eng. Electron."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"20200209","DOI":"10.1098\/rsta.2020.0209","article-title":"Time-series forecasting with deep learning: A survey","volume":"379","author":"Lim","year":"2021","journal-title":"Philos. Trans. R. Soc. A"},{"key":"ref_51","unstructured":"van den Oord, A., Dieleman, S., Zen, H., Simonyan, K., Vinyals, O., Graves, A., Kalchbrenner, N., Senior, A., and Kavukcuoglu, K. (2016, January 13\u201315). WaveNet: A Generative Model for Raw Audio. Proceedings of the 9th ISCA Workshop on Speech Synthesis Workshop (SSW 9), Sunnyvale, CA, USA."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Borovykh, A., Bohte, S., and Oosterlee, C.W. (2018). Dilated convolutional neural networks for time series forecasting. J. Comput. Financ. Forthcom.","DOI":"10.21314\/JCF.2019.358"},{"key":"ref_53","doi-asserted-by":"crossref","unstructured":"Hastie, T., Tibshirani, R., Friedman, J.H., and Friedman, J.H. (2001). The Elements of Statistical Learning: Data Mining, Inference, and Prediction, Springer.","DOI":"10.1007\/978-0-387-21606-5"},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Goh, J., Adepu, S., Junejo, K.N., and Mathur, A. (2016, January 10\u201312). A dataset to support research in the design of secure water treatment systems. Proceedings of the International Conference on Critical Information Infrastructures Security, Paris, France.","DOI":"10.1007\/978-3-319-71368-7_8"},{"key":"ref_55","unstructured":"Audibert, J., Michiardi, P., Guyard, F., Marti, S., and Zuluaga, M.A. (2020, January 6\u201310). Usad: Unsupervised anomaly detection on multivariate time series. Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, Virtual Event."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/1\/257\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T01:52:07Z","timestamp":1760147527000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/1\/257"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,27]]},"references-count":55,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,1]]}},"alternative-id":["s23010257"],"URL":"https:\/\/doi.org\/10.3390\/s23010257","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,12,27]]}}}