OT Security Protocol Attack and Anomaly Detection
Abstract
As the convergence of Information Technology (IT) infrastructures with Industrial Control Systems (ICS) progresses, ensuring the security of Operational Technology (OT) has grown vastly important, with vulnerabilities arising from insufficient encryption and authentication in protocols like Modbus/Transmission Control Protocol (TCP). This paper introduces a flexible real-time simulation framework designed for OT threat detection, integrating protocol-specific traffic parsing with anomaly detection driven by machine learning. Through the use of algebraic modelling, extraction of statistical features, and examination of temporal behaviour in a multistage detection pipeline, and by employing both supervised and unsupervised models like Random Forest and Autoencoders, the system is able to efficiently detect threats. By using a preprocessing layer custom-tailored to normalize Modbus/TCP inputs, we are able to improve detection precision and scalability. By using tools like Docker, Flask and PyShark, the framework allows for flexible traffic replay and surveillance. Using public ICS datasets like the Secure Water Treatment Dataset (SWaT) and the Battle of Attack Detection Algorithms Dataset (BATADAL), the framework simulates both realistic attack scenarios and normal operations, boosting detection accuracy by up to 18% compared to rule-based methods; the tree-based models demonstrate superior performance with 99-100% F1 scores and sub-millisecond inference times, confirming their exceptional suitability for real-time OT anomaly detection. A real-time Flask-SocketIO dashboard facilitates live system monitoring and visualization, demonstrating the system's robustness in dynamic ICS contexts and underscoring its readiness for OT security solution prototyping.
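The abstract describes a pipeline of Modbus/TCP parsing, a normalization layer that turns traffic into statistical features, and a model that scores those features for anomalies. The following is an added, self-contained example of that pipeline, written for this page and not the paper's own code: it decodes the MBAP header and the common read/write PDU prefix, extracts per-window features, learns a baseline from constructed normal-operation windows, and flags a window by its largest feature z-score. The z-score stage stands in for the paper's Random Forest and Autoencoder models; the packet bytes, window contents, the `SIGMA_FLOOR` value and the `Z_THRESHOLD` of 3 are all constructed assumptions for the demo.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from statistics import mean, pstdev

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}
FEATURE_NAMES = ("write_ratio", "mean_quantity", "unit_ids", "fc_variety")
SIGMA_FLOOR = 0.1   # assumption: stops features that are constant in the baseline dividing by ~0
Z_THRESHOLD = 3.0   # assumption: flag a window when any feature drifts more than 3 sigma


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_addr: int
    quantity: int   # for FC 5/6 this slot carries the written value instead of a count


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the 5-byte PDU prefix (FC, address, count)
    that the common read/write requests (FC 1-4, 15, 16) share."""
    if len(payload) < 12:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, start, qty = struct.unpack("!BHH", payload[7:12])
    return ModbusRequest(tid, unit, fc, start, qty)


def build_request(tid: int, unit: int, fc: int, start: int, qty: int) -> bytes:
    """Constructed demo traffic: MBAP header + 5-byte PDU prefix (no trailing write data)."""
    pdu = struct.pack("!BHH", fc, start, qty)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def extract_features(window: list[ModbusRequest]) -> dict[str, float]:
    """Normalisation layer: one window of parsed requests -> fixed statistical feature vector."""
    writes = sum(1 for r in window if r.function_code in WRITE_FUNCTION_CODES)
    return {
        "write_ratio": writes / len(window),
        "mean_quantity": mean(r.quantity for r in window),
        "unit_ids": float(len({r.unit_id for r in window})),
        "fc_variety": float(len({r.function_code for r in window})),
    }


def fit_baseline(windows: list[dict[str, float]]) -> dict[str, tuple[float, float]]:
    """Per-feature mean and population std dev learned from normal-operation windows."""
    return {
        name: (mean(w[name] for w in windows), pstdev(w[name] for w in windows))
        for name in FEATURE_NAMES
    }


def anomaly_score(features: dict[str, float], baseline: dict[str, tuple[float, float]]) -> float:
    """Largest absolute z-score across features: a transparent stand-in for the
    Random Forest / Autoencoder scoring stage the abstract describes."""
    return max(
        abs(features[name] - mu) / max(sigma, SIGMA_FLOOR)
        for name, (mu, sigma) in baseline.items()
    )


def is_anomalous(features: dict[str, float], baseline: dict[str, tuple[float, float]]) -> bool:
    return anomaly_score(features, baseline) > Z_THRESHOLD


def _window(specs: list[tuple[int, int, int]]) -> list[ModbusRequest]:
    """Build, then parse, a window from (unit, fc, quantity) tuples; transaction ids are sequential."""
    return [parse_modbus_tcp(build_request(i, unit, fc, 0, qty))
            for i, (unit, fc, qty) in enumerate(specs)]


def demo() -> tuple[float, float]:
    """Fit on three constructed normal windows; score one normal and one suspicious window."""
    normal_windows = [
        _window([(1, 3, 10)] * 9 + [(1, 6, 1)]),        # mostly 10-register reads, one setpoint write
        _window([(1, 3, 12)] * 8 + [(1, 6, 1)] * 2),
        _window([(1, 3, 10)] * 10),
    ]
    baseline = fit_baseline([extract_features(w) for w in normal_windows])
    normal_score = anomaly_score(extract_features(normal_windows[0]), baseline)
    # Constructed suspicious window: burst of large multi-register writes spread over several units.
    suspicious = _window([(u, 16, 100) for u in (1, 2, 3, 4)] * 2 + [(1, 3, 10)] * 2)
    attack_score = anomaly_score(extract_features(suspicious), baseline)
    return normal_score, attack_score


if __name__ == "__main__":
    n, a = demo()
    print(f"normal window score={n:.2f}  suspicious window score={a:.2f}  threshold={Z_THRESHOLD}")
```

The window-level features (write ratio, mean quantity, number of unit ids, function-code variety) are the kind of normalized inputs a tree model or autoencoder would consume; swapping `anomaly_score` for a trained model leaves the parsing and feature stages unchanged. The length check in `parse_modbus_tcp` matters in practice: frames whose MBAP length disagrees with the captured size are malformed and should be surfaced rather than silently scored.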