Skip to content
Paula Livingstone writing · projects · tools

Attestable Review: Working Notes

Literature Review: The Learned Perimeter

OT segregation is increasingly enforced by machine learning: the boundary monitor is a learned intrusion detector or anomaly scorer, and the state estimate is guarded by ML false-data-injection detectors. But a learned perimeter emits a score, not a basis, and can be walked across by adversarial design (Random Forest and J48 accuracy fell 16 and 20 points under attack). Moving the firewall to ML relocates the admissibility gap; it does not close it.

An earlier entry positioned this work against operational-technology security as a whole, and drew the line: perimeter defence asks whether a crossing is authorised, admissibility asks whether a value's basis suffices to act on, and the two are orthogonal. That argument was made against the classical perimeter, built from firewalls and segmentation. This entry follows the perimeter as it is being rebuilt out of machine learning, because the boundary monitor is increasingly a learned model, and it is worth showing that moving the perimeter to ML does not close the gap. It relocates it.

The perimeter is becoming a learned classifier

The dominant OT-security architecture segments a plant into Purdue levels and polices the conduits between them, and the instrument that inspects traffic at those conduits is, more and more, a machine learning intrusion-detection system. The field's own survey of the area is explicit that these methods split into detection at the network level, using packets crossing the boundary, and detection at the physical-process level, using data that represents the plant's behaviour (Umer et al., 2022). The same survey is candid about what these detectors deliver and what they do not: behaviour-based ML detection faces serious and unresolved problems, among them the detection of zero-day attacks and ensuring an acceptable rate of false alarms. So the learned perimeter is not a solved boundary; it is a probabilistic classifier with known failure modes standing where the firewall used to be.

The deep-learning branch of the same field sharpens the point. The comprehensive survey of deep anomaly detection in cyber-physical systems organises the methods by threat model, detection strategy, and, tellingly, by the anomaly score they emit, and it devotes a section to the deficiencies of the approaches themselves (Luo et al., 2021). That framing matters for this work: a learned boundary monitor does not return a basis for its verdict, it returns a score. A score is a distributional statement about how unlike the training data an input is, and the review has already argued at length, in the trustworthy-machine-learning and uncertainty entries, that such a score is not a warrant that a particular value is sound enough to act on. The learned perimeter inherits exactly the wrong-category problem.

The boundary that guards the estimate

There is a second learned boundary in OT worth naming, because it guards not the network but the plant's picture of itself. In power systems the control layer acts on a state estimate, and that estimate is defended against false data injection, increasingly by machine learning detectors rather than classical residual tests. The survey of these methods records why the shift happened: false-data-injection attacks can be crafted to bypass conventional bad-data detection, so learned detectors were adopted for their speed and accuracy in flagging manipulated sensor data (Sayghe et al., 2020). This is a boundary in the admissibility sense, a gate deciding whether an incoming value is fit to be believed, and it too is now a learned classifier standing between a sensor stream and an actuation decision. It is the same structure as the network perimeter, one layer deeper.

The learned perimeter can be crossed by design

The decisive result is that a learned boundary monitor is not merely imperfect, it is defeatable on purpose, and the OT literature has demonstrated it directly. Using a Jacobian-based saliency-map attack against supervised intrusion detectors trained on a real power-system dataset, the classification performance of two of the most widely used classifiers, Random Forest and J48, decreased by sixteen and twenty percentage points respectively when adversarial samples were present, diverting malicious data points past the detector as benign (Anthi et al., 2020). The authors are explicit about the consequence: such attacks can severely undermine or mislead the capabilities of the detector, which in an ICS could lead to delayed attack detection, infrastructure damage, and loss of life. This is the firewall analogy failing on its own terms. A classical firewall enforces a rule that means what it says; a learned perimeter enforces a decision boundary that an adversary can walk an input across while the monitor reports nothing wrong. The conveyed verdict, no anomaly, becomes indistinguishable to the receiver from a true one, which is the exact shape of the failure this work is built to refuse.

What this establishes for the positioning

Replacing the firewall with a model does not turn perimeter defence into admissibility. The learned perimeter still answers the perimeter's question, is this crossing anomalous, and it answers it with a score that can be miscalibrated, evaded, or simply wrong, without ever representing whether the value it waved through has a basis sufficient for the action about to be taken on it. If anything the ML perimeter makes the case for admissibility sharper, because it introduces a second place where a probabilistic output acquires the authority of a checkpoint verdict: the anomaly score is treated as clearance, and the receiver acts on the clearance. Admissibility is orthogonal to the learned perimeter for the same reason it was orthogonal to the firewall, and it sits downstream of both, asking the question neither the rule nor the classifier is built to ask.

References

Umer, M. A., Junejo, K. N., Jilani, M. T. and Mathur, A. P. (2022). Machine Learning for Intrusion Detection in Industrial Control Systems: Applications, Challenges, and Recommendations. arXiv:2202.11917. arxiv.org/abs/2202.11917

Luo, Y., Xiao, Y., Cheng, L., Peng, G. and Yao, D. (2021). Deep Learning-Based Anomaly Detection in Cyber-Physical Systems: Progress and Opportunities. ACM Computing Surveys. arXiv:2003.13213. arxiv.org/abs/2003.13213

Sayghe, A., Hu, Y., Zografopoulos, I., Liu, X., Dutta, R. G., Jin, Y. and Konstantinou, C. (2020). A Survey of Machine Learning Methods for Detecting False Data Injection Attacks in Power Systems. IET Cyber-Physical Systems. arXiv:2008.06926. arxiv.org/abs/2008.06926

Anthi, E., Williams, L., Rhode, M., Burnap, P. and Wedgbury, A. (2020). Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control Systems. Journal of Information Security and Applications. arXiv:2004.05005. arxiv.org/abs/2004.05005