A prototype of cyber incident diagnosis mechanism for cyber attacks early recognition support system

When abnormalities, including equipment failure and/or cyberattacks, occur in the control system of a production site, it is essential to specify their cause to ensure rapid restoration of the productive equipment. However, it is difficult for control engineers to quickly determine whether the cause is a cyberattack, malware infection, or failure resulting from the state information captured by the plant, because they do not always understand cybersecurity and tend to think about failure diagnosis first. Motivated by this, this paper proposes an information provision system to separate cyberattack information from abnormality information for cyberattack early recognition support. A prototype of an early recognition support system was developed and its validity demonstrated via a simulated plant.