Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Rongyao Cai,Xiao Xv,Zhengming Lu,Kexin Zhang,Yong Liu

DOI: https://doi.org/10.1109/isas61044.2024.10552597

2024-01-01

Abstract:Fault tree analysis is the most commonly used methodology in industrial safety analysis to predict the probability or frequency of system failure. Although fault tree analysis has been proposed for more than six decades, the assumptions used in most commercial fault tree analysis codes have not changed significantly, which limits the ability of the method to represent design, operation, and maintenance characteristics in the context of the increasing complexity and specialization of modern industrial systems. The basic setup of traditional fault trees is unable to include dependencies between events, time-varying failures, and repair rate realities to explain complex maintenance strategies. To address the above shortcomings, we propose a fusion tree model combining fault tree and attack tree, and simplify the causal structure of the fusion tree by modularization, and utilize the dynamic Markov model to represent the complex coupling relationship between components or nodes. Finally, we demonstrate the calculation process of fusion tree in pressure vessel systems with temporal control.

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Shuyu Fan,Yangzhao Li,Mengfan Zhang,Dongqin Feng,Qingyun Chen,Ying Jiang

DOI: https://doi.org/10.1109/cac51589.2020.9326773

2020-01-01

Abstract:In this paper, problems of anomaly detection and scenario classification in industrial control systems(ICSs) are investigated. Anomalies caused by attacks can have impacts on product quality, production stability and device security in ICSs to varying degrees, where different countermeasures are needed. To distinguish anomalies with different damage, the rationale of ICSs is analyzed in detail and four security scenarios are defined with typical characteristics, taking Tennessee Eastman process as an example. A set of attributes are extracted from typical data of scenarios and fuzzy c-means algorithm is adopted to classify sample cases into these security scenarios. At last, an anomaly detection and scenario classification scheme is proposed with a data-driven security scenario model. Experiments are provided to verify the validity and generality of the proposed method.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Taejun Choi,Guangdong Bai,Ryan K L Ko,Naipeng Dong,Wenlu Zhang,Shunyao Wang

DOI: https://doi.org/10.48550/arXiv.2101.11866

2021-01-28

Abstract:Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS - especially at the communication channels between humanmachine interface (HMIs) and programmable logic controllers (PLCs) - are increasing at a rate which outstrips the rate of mitigation. In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool. Using `digital twin' scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework's steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of `heuristic inference attacks', a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS. Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Cryptography and Security

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tcsii.2022.3181827

2022-01-01

Abstract:In cyber-physical power systems (CPPSs), false data injection attack (FDIA) has drawn much attention due to its stealthiness. It is of great importance to investigate the potential behaviors of attackers to improve the cyber-security of CPPSs. However, most FDIA models are often constructed separately on the effect of attackers or the impact of attacks. Accordingly, this brief proposes a multi-objective stealthy FDIA scheme in AC grid model. The attack model is described as a multi-objective optimization problem, where minimization of contaminated measurements and maximization of the attack impact are considered as two objectives while remaining stealthy. To deal with the established attack model, a non-dominated sorting genetic algorithm II (NSGAII) is introduced as the solver. To improve the efficiency of generating attack vector, a new representation mechanism is proposed to describe locations and values of injected states. Additionally, during the evolutionary process, we propose a mutation operation to balance the sparsity and impact of FDIA. Simulation results on the IEEE 14-bus, 30-bus, and 118-bus systems demonstrate the feasibility of the NSGAII-based FDIA model.

Yanhua Liu,Wentao Deng,Zhihuang Liu,Fanhao Zeng

DOI: https://doi.org/10.1007/s11227-024-06018-8

IF: 3.3

2024-03-22

The Journal of Supercomputing

Abstract:With the rapid development of Industry 4.0, the importance of cyber security for industrial control systems has become increasingly prominent. The complexity and diversity of industrial control systems result in data with high dimensionality and strong correlation, posing significant challenges in obtaining labeled data. However, current intrusion detection methods often demand large amounts of labeled data for effective training. To address this limitation, this paper proposes a semi-supervised anomaly detection framework, called SFSD, which leverages feature selection and deviation networks to detect anomalies in industrial control systems. Specifically, we introduce a feature selection algorithm (IG-PCA) that utilizes information gain and principal component analysis to reduce the dimensionality of features in industrial control data by eliminating redundant features. Then, we propose a semi-supervised learning method based on an improved deviation network, which utilizes an anomaly scoring network to learn end-to-end anomaly scores for the training data, thus assigning anomaly scores to each training data. Finally, using a limited amount of anomaly-labeled data, we design a specific deviation loss function to optimize the anomaly scoring network, enabling a significant score bias between positive and negative samples. Experimental results demonstrate that the proposed SFSD outperforms existing semi-supervised anomaly detection frameworks by improving the accuracy and detection rate by an average of 1–2%. Moreover, SFSD requires less training time compared to existing frameworks, resulting in a training time reduction of approximately 10% or more.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Liang Xin,Guang He,Zhiqiang Long

DOI: https://doi.org/10.1109/tase.2023.3347538

IF: 6.636

2024-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Cyber-physical systems (CPSs) are increasingly threatened by stealthy false data injection (SFDI) attacks, which compromise system integrity by manipulating control signals and introducing false sensor data. These attacks are particularly challenging due to their diversity and often indistinguishable nature. In response to this issue, our work uncovers the fundamental causes behind SFDI attacks in linear time-invariant (LTI) systems and elucidates the principles enabling their stealth. We present a novel virtual extended system framework designed to eliminate strictly stealthy attacks within the entire CPS. Utilizing deep reinforcement learning (DRL) methodologies, we pioneer the use of detection results for real-time SFDI attack classification. Through numerical simulations, we validate our proposed method’s effectiveness, demonstrating a classification accuracy of no less than 95%. Notably, even in scenarios where attackers manage to breach the framework partially, our method continues to provide a reliable success rate in SFDI attack detection and classification, showcasing its robustness and efficacy. Note to Practitioners—Cyber-physical systems (CPSs), a critical component of modern industries, are becoming increasingly susceptible to stealthy false data injection (SFDI) attacks. These attacks compromise system integrity by subtly manipulating control signals and feeding false sensor data, making them challenging to detect. Our research presents an innovative framework that uses deep reinforcement learning techniques to detect and classify these elusive attacks, achieving a classification accuracy of over 95%. The information on SFDI attack categories, ascertained by this method, lays the groundwork for the development of subsequent defence strategies. For professionals working in sectors reliant on CPSs, such as manufacturing, healthcare, and transportation, this framework offers a promising tool to enhance system security. Even in scenarios where the system has been partially compromised, our method continues to provide reliable detection and classification, underscoring its robustness and practical utility. The system remains effective despite full breach attempts on specific attack types, ensuring resilience against a broad range of SFDI attacks. In conclusion, our research offers a substantial advancement in protecting CPSs against cyber threats.

automation & control systems

Yi-Wei Ma,Yi-Hao Tu,Chih-Ting Shen

DOI: https://doi.org/10.1016/j.ijcip.2024.100662

IF: 3.683

2024-02-11

International Journal of Critical Infrastructure Protection

Abstract:Industrial Control Systems (ICS) security happens often, which makes it hard for many organizations to keep a balance between operational efficiency, system efficiency, and security. A major concern is how to protect information security and make sure that ICS keep working. This study thus presents a defense-based system with adaptive cyber resilience (DSACR). DSACR will optimize the configuration with respect to the three indices of operational efficiency, performance, and security. Whenever an assault event happens, DSACR offers protective solutions depending on the threat level to optimize the security and running costs of recovering ICS. In terms of safety and operation, DSACR is superior to other approaches by 3% and 11%, respectively, as shown by the results of the experiments.

engineering, multidisciplinary,computer science, information systems

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Bruno Paes Leao,Jagannadh Vempati,Siddharth Bhela,Tobias Ahlgrim,Daniel Arnold

2024-05-31

Abstract:Modern industrial systems face a growing threat from sophisticated cyberattacks that can cause significant operational disruptions. This work presents a novel methodology for identification of the most critical cyberattacks that may disrupt the operation of such a system. Application of the proposed framework can enable the design and development of advanced cybersecurity solutions for a wide range of industrial applications. Attacks are assessed taking into direct consideration how they impact the system operation as measured by a defined Key Performance Indicator (KPI). A simulation model (SM), of the industrial process is employed for calculation of the KPI based on operating conditions. Such SM is augmented with a layer of information describing the communication network topology, connected devices, and potential actions an adversary can take based on each device or network link. Each possible action is associated with an abstract measure of effort, which is interpreted as a cost. It is assumed that the adversary has a corresponding budget that constrains the selection of the sequence of actions defining the progression of the attack. A dynamical system comprising a set of states associated with the cyberattack (cyber-states) and transition logic for updating their values is also proposed. The resulting augmented simulation model (ASM) is then employed in an artificial intelligence-based sequential decision-making optimization to yield the most critical cyberattack scenarios as measured by their impact on the defined KPI. The methodology is successfully tested based on an electrical power distribution system use case.

Systems and Control

Jinfang Jiang,Guangjie Han,Hongbo Zhu,Chuan Lin

DOI: https://doi.org/10.1109/tr.2022.3224732

IF: 5.883

2023-01-01

IEEE Transactions on Reliability

Abstract:Security assessment (SA) system is crucial to ensure the production safety of a smart factory with rapid development of artificial intelligence. In this article, we propose a novel SA framework. Different from the conventional static monitoring systems based on traditional sensing technologies, the proposed framework can automatically detect objects via visual sensing. We use a skeleton-based graph convolutional network to generate action vocabulary for the intermediate representations of action-to-action cooccurrence relations. These representations are encoded into the sequential interaction models to form the interaction representations. Integrating the states of molten steel levels as the reference labels, the sequential representations are fed into a recurrent neural network model with multilayer gated recurrent units (GRUs) to capture the key interactions leading to the accidents, in which an attention mechanism is used to reweight the actions and eliminate the invalid interactions. The predicted labels and the hidden states of the scenes are passing among multilayer GRUs. Finally, we optimize the global output to dynamically assess the security by calculating a joint objective function with a regularized cross-entropy loss. On the self-collected dataset from our partner Iron and Steel company and on-line video clips, the proposed framework performs better than the existing SA schemes.

Gabriela Ahmadi-Assalemi,Haider Al-Khateeb,Gregory Epiphaniou,Amar Aggoun

DOI: https://doi.org/10.1109/jiot.2022.3144127

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Industrial control systems (ICSs) are integral parts of smart cities and critical to modern societies. Despite indisputable opportunities introduced by disruptor technologies, they proliferate the cybersecurity threat landscape, which is increasingly more hostile. The quantum of sensors utilized by ICS aided by artificial intelligence (AI) enables data collection capabilities to facilitate automation, process streamlining, and cost reduction. However, apart from the operational use, the sensors generated data combined with AI can be innovatively utilized to model anomalous behavior as part of layered security to increase resilience to cyberattacks. We introduce a framework to profile anomalous behavior in ICS and derive a cyber-risk score. A novel super learner ensemble for one-class classification is developed, using overlapping rolling windows with stratified, $k$ -fold, $n$ -repeat cross-validation applied to each base learner followed by majority voting to derive the best learner. Our approach is demonstrated on a liquid distribution sensor data set. The experimental results reveal that the proposed technique achieves an overall $F1$ -score of 99.13%, an anomalous recall score of 99% detecting anomalies lasting only 17 s. The key strength of the framework is the low computational complexity and error rate. The framework is modular, generic, applicable to other ICS, and transferable to other smart city sectors.

Cheng Feng,Tingting Li,Zhanxing Zhu,Deeph Chana

DOI: https://doi.org/10.48550/arXiv.1709.06397

2017-09-19

Cryptography and Security

Abstract:Industrial control systems (ICS), which in many cases are components of critical national infrastructure, are increasingly being connected to other networks and the wider internet motivated by factors such as enhanced operational functionality and improved efficiency. However, set in this context, it is easy to see that the cyber attack surface of these systems is expanding, making it more important than ever that innovative solutions for securing ICS be developed and that the limitations of these solutions are well understood. The development of anomaly based intrusion detection techniques has provided capability for protecting ICS from the serious physical damage that cyber breaches are capable of delivering to them by monitoring sensor and control signals for abnormal activity. Recently, the use of so-called stealthy attacks has been demonstrated where the injection of false sensor measurements can be used to mimic normal control system signals, thereby defeating anomaly detectors whilst still delivering attack objectives. In this paper we define a deep learning-based framework which allows an attacker to conduct stealthy attacks with minimal a-priori knowledge of the target ICS. Specifically, we show that by intercepting the sensor and/or control signals in an ICS for a period of time, a malicious program is able to automatically learn to generate high-quality stealthy attacks which can achieve specific attack goals whilst bypassing a black box anomaly detector. Furthermore, we demonstrate the effectiveness of our framework for conducting stealthy attacks using two real-world ICS case studies. We contend that our results motivate greater attention on this area by the security community as we demonstrate that currently assumed barriers for the successful execution of such attacks are relaxed.

Qianmu Li,Yaozong Liu,Shunmei Meng,Hanrui Zhang,Haiyuan Shen,Huaqiu Long

DOI: https://doi.org/10.1186/s13638-020-01734-0

2020-06-03

EURASIP Journal on Wireless Communications and Networking

Abstract:Abstract The safety of the Industrial Internet Control Systems has been a hotspot in the information security. To meet the needs of communication, a large variety of proprietary protocols have emerged in the field of industrial control. The protocol field is often trusted in the implementation of industrial control terminal code. If attackers modify the data of these fields using the protocol defect, the operation of the program can be controlled and the entire system will be affected. To cope with such security threats, academia and industry generally adopt fuzz test methods. However, the current industrial control protocol fuzz test methods generally have low code coverage, where unified description models are missing and test cases are not targeted. A method of fuzzification processing combined with dynamic multi-modal sensor communication data is proposed. To track the program execution, the dynamic pollution analysis is used to search for the input fields that affect the execution of the conditional branch and capture the dependencies between the conditional branches to guide the grammar generation of test cases, which can increase the chances of executing deep code. The experimental results show that the proposed method improves the validity and code coverage of test cases to a certain extent and greatly increases the probability of anomaly detection in the protocol implementation.

telecommunications,engineering, electrical & electronic

Jinxin Xu,Yue Wang,Ruisi Li,Ziyue Wang,Qian Zhao

2024-06-30

Abstract:For one to guarantee higher-quality software development processes, risk management is essential. Furthermore, risks are those that could negatively impact an organization's operations or a project's progress. The appropriate prioritisation of software project risks is a crucial factor in ascertaining the software project's performance features and eventual success. They can be used harmoniously with the same training samples and have good complement and compatibility. We carried out in-depth tests on four benchmark datasets to confirm the efficacy of our CIA approach in closed-world and open-world scenarios, with and without defence. We also present a sequential augmentation parameter optimisation technique that captures the interdependencies of the latest deep learning state-of-the-art WF attack models. To achieve precise software risk assessment, the enhanced crow search algorithm (ECSA) is used to modify the ANFIS settings. Solutions that very slightly alter the local optimum and stay inside it are extracted using the ECSA. ANFIS variable when utilising the ANFIS technique. An experimental validation with NASA 93 dataset and 93 software project values was performed. This method's output presents a clear image of the software risk elements that are essential to achieving project performance. The results of our experiments show that, when compared to other current methods, our integrative fuzzy techniques may perform more accurately and effectively in the evaluation of software project risks.

Software Engineering,Machine Learning

Bin Lan,Shunzheng Yu

DOI: https://doi.org/10.1109/IJCNN54540.2023.10191873

2023-01-01

Abstract:Industrial control systems (ICSs) are widely used in various industries. These systems have become prime targets for cyber and physical attacks. The attacks, which have an impact on the physical processes of an ICS, often lead to system misbehaviors through data contamination. Recent research has shown that network-based detection methods cannot monitor the physical level activities well enough to mitigate hybrid cyber attacks and cannot entirely protect ICSs. To protect ICSs from such threats, we propose a Spatio-Temporal Autoencoder (STA) with a Dynamic Thresholding Mechanism. The STA learns the normal physical behaviors of the system by capturing deep spatio-temporal dependencies to form a unified representation of the system state. The unified representation is decoded to reconstruct the input features. Then, the dynamic threshold is used to detect and locate the anomalies. We validate the STA using data set from a real water treatment plant testbed, SWaT. Evaluation results indicate the superior performance of the STA compared with six state-of-the-art methods, achieving an average improvement of 5.8% in the F-Score.

Guangxia Lia,Yulong Shena,Peilin Zhaob,Xiao Lu,Jia Liu,Yangyang Liu,Steven C. H. Hoi

DOI: https://doi.org/10.48550/arXiv.1912.03589

IF: 5.414

2019-12-08

Machine Learning

Abstract:Industrial control systems are critical to the operation of industrial facilities, especially for critical infrastructures, such as refineries, power grids, and transportation systems. Similar to other information systems, a significant threat to industrial control systems is the attack from cyberspace---the offensive maneuvers launched by "anonymous" in the digital world that target computer-based assets with the goal of compromising a system's functions or probing for information. Owing to the importance of industrial control systems, and the possibly devastating consequences of being attacked, significant endeavors have been attempted to secure industrial control systems from cyberattacks. Among them are intrusion detection systems that serve as the first line of defense by monitoring and reporting potentially malicious activities. Classical machine-learning-based intrusion detection methods usually generate prediction models by learning modest-sized training samples all at once. Such approach is not always applicable to industrial control systems, as industrial control systems must process continuous control commands with limited computational resources in a nonstop way. To satisfy such requirements, we propose using online learning to learn prediction models from the controlling data stream. We introduce several state-of-the-art online learning algorithms categorically, and illustrate their efficacies on two typically used testbeds---power system and gas pipeline. Further, we explore a new cost-sensitive online learning algorithm to solve the class-imbalance problem that is pervasive in industrial intrusion detection systems. Our experimental results indicate that the proposed algorithm can achieve an overall improvement in the detection rate of cyberattacks in industrial control systems.