What is Anomaly Detection?
Anomaly detection is a detection method in which systems are monitored for deviations from normal behaviour, rather than only recognising known threats or patterns.
In OT networks, anomaly detection is essential for spotting unknown or zero-day attacks, configuration errors or unusual operations at an early stage, before they affect the process.
How does anomaly detection work?
- A baselining phase learns what "normal behaviour" looks like:
  - Normal network topology
  - Communication patterns between devices (e.g. PLC to HMI)
  - Frequency and timing of commands
- Real-time monitoring compares current traffic against the learned baseline
- Deviations (anomalies) are flagged as potentially suspicious:
  - Unknown devices
  - New or unusual commands
  - Increased traffic or unexpected timing
- Alerts are triaged by the security team or handled automatically by SOAR playbooks
Anomaly detection matters most where signature-based detection (a classic IDS/IPS ruleset) falls short: an attack that has no signature yet, or misuse of legitimate commands by a legitimate host, produces no signature match but does deviate from the baseline.
Use of anomaly detection in OT environments
- Detecting new connections to a PLC outside working hours
- Anomalous protocol traffic such as OPC UA requests on unusual ports
- User activity on an Engineering Station outside the normal shift
- Sudden changes in data polling frequency between SCADA and field devices
- Misconfigurations that disrupt normal traffic (e.g. duplicate IPs)
Many modern OT monitoring tools such as Claroty, Nozomi and Tenable.ot use anomaly detection as a core capability.
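The baselining and monitoring steps described above, run over the OT use cases in this list, as an added Python example. This is not code from the page or from any of the products named; the hosts, protocols, ports, shift hours, polling intervals, record field names and the `rate_factor` tolerance are constructed assumptions for illustration.

```python
"""Baseline-then-detect anomaly detection over OT flow records.

Added example, not code from the page or from any vendor product. All hosts,
ports, shift hours and polling intervals are constructed for illustration;
a real deployment learns them from passive captures of the plant network.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def parse_ts(record):
    """Records carry ISO 8601 timestamps (assumed field name: ts)."""
    return datetime.fromisoformat(record["ts"])


def make_poll(src, dst, proto, dport, func, start, count, interval_s):
    """Constructed data: `count` requests from src to dst spaced `interval_s` apart."""
    return [{"ts": (start + timedelta(seconds=i * interval_s)).isoformat(),
             "src": src, "dst": dst, "proto": proto, "dport": dport, "func": func}
            for i in range(count)]


def build_training_set():
    """One day shift (08:00-15:59) of normal traffic to learn the baseline from."""
    day, recs = datetime(2024, 3, 4), []
    for hour in range(8, 16):
        start = day.replace(hour=hour)
        # HMI polls the PLC over Modbus/TCP every 5 s
        recs += make_poll("10.0.0.10", "10.0.0.20", "modbus", 502, "read_holding_registers", start, 12, 5)
        # SCADA server polls an RTU over OPC UA every 10 s
        recs += make_poll("10.0.0.5", "10.0.0.30", "opcua", 4840, "read", start, 6, 10)
        # Engineering station reads PLC diagnostics over S7comm once an hour
        recs += make_poll("10.0.0.50", "10.0.0.20", "s7comm", 102, "read_szl", start, 1, 0)
    return recs


def learn_baseline(records):
    """Baselining phase: learn hosts, connections, commands, active hours and polling rates."""
    base = {"hosts": set(), "conns": set(),
            "cmds": defaultdict(set),    # (src, dst) -> commands seen
            "hours": defaultdict(set),   # (src, dst) -> hours of day seen
            "interval": {}}              # (src, dst, func) -> median seconds between requests
    gaps, last = defaultdict(list), {}
    for r in sorted(records, key=parse_ts):
        t, pair = parse_ts(r), (r["src"], r["dst"])
        key = pair + (r["func"],)
        base["hosts"].update(pair)
        base["conns"].add((r["src"], r["dst"], r["proto"], r["dport"]))
        base["cmds"][pair].add(r["func"])
        base["hours"][pair].add(t.hour)
        if key in last:
            gaps[key].append((t - last[key]).total_seconds())
        last[key] = t
    # The median is robust to the long gaps between hours/shifts in the training data.
    base["interval"] = {k: median(g) for k, g in gaps.items()}
    return base


def detect(records, base, rate_factor=2.0):
    """Monitoring phase: compare each record with the baseline, emit (kind, subject, ts)."""
    alerts, last = [], {}
    for r in sorted(records, key=parse_ts):
        t, pair = parse_ts(r), (r["src"], r["dst"])
        key, conn = pair + (r["func"],), (r["src"], r["dst"], r["proto"], r["dport"])
        for host in pair:
            if host not in base["hosts"]:
                alerts.append(("unknown_device", host, r["ts"]))
        if conn not in base["conns"]:
            alerts.append(("new_connection", conn, r["ts"]))
        if pair in base["cmds"] and r["func"] not in base["cmds"][pair]:
            alerts.append(("new_command", key, r["ts"]))
        if pair in base["hours"] and t.hour not in base["hours"][pair]:
            alerts.append(("off_hours", pair, r["ts"]))
        expected = base["interval"].get(key)
        if expected and key in last:
            gap = (t - last[key]).total_seconds()
            # Polling faster or slower than the learned rate by more than rate_factor (assumed 2x)
            if gap < expected / rate_factor or gap > expected * rate_factor:
                alerts.append(("polling_rate", key, r["ts"]))
        last[key] = t
    return alerts


def build_monitoring_set():
    """Constructed live traffic containing one instance of each use case in the list."""
    d = datetime(2024, 3, 5)
    recs = make_poll("10.0.0.50", "10.0.0.20", "s7comm", 102, "read_szl", d.replace(hour=2), 1, 0)  # known engineering station, but at 02:00
    recs += make_poll("10.0.0.99", "10.0.0.20", "modbus", 502, "read_holding_registers", d.replace(hour=2, minute=5), 1, 0)  # host never seen before
    recs += make_poll("10.0.0.5", "10.0.0.30", "opcua", 8080, "read", d.replace(hour=9, minute=30), 1, 0)  # OPC UA on an unusual port
    recs += make_poll("10.0.0.10", "10.0.0.20", "modbus", 502, "write_single_register", d.replace(hour=10), 1, 0)  # HMI has only ever read
    recs += make_poll("10.0.0.10", "10.0.0.20", "modbus", 502, "read_holding_registers", d.replace(hour=11), 3, 5)  # normal 5 s polling
    recs += make_poll("10.0.0.10", "10.0.0.20", "modbus", 502, "read_holding_registers", d.replace(hour=11, second=11), 3, 1)  # jumps to 1 s
    return recs


def summarise(alerts):
    """Count alerts by kind, the view a SOC dashboard or SOAR trigger would consume."""
    return Counter(kind for kind, _, _ in alerts)


def run_demo():
    base = learn_baseline(build_training_set())
    return detect(build_monitoring_set(), base)


if __name__ == "__main__":
    for kind, subject, ts in run_demo():
        print(f"{ts}  {kind:15s} {subject}")
    print(dict(summarise(run_demo())))
```

Each alert kind maps to one line of the use-case list: `off_hours` for the engineering station at 02:00, `unknown_device` and `new_connection` for the host that was never baselined, `new_connection` again for OPC UA on port 8080, `new_command` for the first write from the HMI, and `polling_rate` for each request after the polling interval drops from 5 s to 1 s. The three normal 5 s polls produce nothing. In practice the baseline is learned from several weeks of passive capture and the tolerances are tuned per site, which is exactly the local calibration this page calls for.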
Anomaly detection vs. signature detection
| Aspect | Anomaly detection | Signature detection |
|---|---|---|
| Detects new threats | Yes: any behaviour outside the baseline is flagged, whether the attack is known or not | No: only patterns with an existing signature |
| Requires training/baselining? | Yes | No |
| False positives | Potentially higher, especially until the baseline has been tuned | Lower, but with narrower detection coverage |
| Use in OT | Well suited: OT traffic is repetitive and predictable, so a baseline stays stable | Limited without OT-specific signatures |
Security considerations
- Combine with SIEM, EDR, threat intelligence and MITRE ATT&CK for ICS so that an anomaly can be correlated and classified instead of investigated in isolation
- Tune carefully to minimise false positives, and validate the baseline before trusting it: a misconfiguration or an already-compromised device present during baselining is learned as "normal"
- Use in particular at the network layer, where firewalls and signature-based IDS do not inspect industrial protocols deeply enough
- Ideally part of a Defense in Depth strategy, complementing segmentation and access control rather than replacing them
- Supports compliance with IEC 62443, NIS2 and cybersecurity guidelines
In OT, "normal" varies considerably from one installation to another; local calibration is essential.
In summary
Anomaly detection is a powerful way to identify unknown, deviating or malicious activity in OT networks. It strengthens resilience against modern threats and helps detect incidents before they cause impact.
