Process skew: Fingerprinting the process for anomaly detection in industrial control systems

Technology title

Process skew: Fingerprinting the process for anomaly detection in industrial control systems

Technology overview

The complex network of sensors, actuators and controllers in an Industrial Control System (ICS) has raised security concerns. This invention proposes a technique, Process Skew, that uses small deviations in the ICS process (herein called a process fingerprint) for anomaly detection. The process fingerprint appears as noise in sensor measurements due to process fluctuations. Such a fingerprint is unique to a process because of the intrinsic operational constraints of the physical process, and it is hard to forge. The proposed scheme was validated using data from a real-world water treatment testbed. The results show that a process can be effectively identified based on its fingerprint and that process anomalies can be detected with a very low false-positive rate.

Technology specifications

The proposed technique uses small deviations in the process, herein called process skews. A process skew is noise that appears in sensor measurements due to process fluctuations. The skews are unique because of the specified operational constraints of the physical process.

The challenge in creating process-skew-based fingerprints is extracting the process skew information from the sensor measurements. Because of inaccuracies in the process, a running process has a skew from what it was designed for. An example is a water pipe used to fill a tank. Pipes and tanks of two different sizes would carry or store different amounts of water. Even if the pipes are the same size, two different amounts of pumping force would result in different amounts of water flowing or being stored. The flow of water in a pipe and the storage of water in a tank are examples of physical processes.

At the design stage, these processes are designed to meet certain operational requirements. However, when the processes are running, they show small offsets from the designed parameters due to physical inaccuracies in the process. For example, no two water pipes can have the same diameter at a micro-scale due to manufacturing imperfections.
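The tank-filling illustration above, as an added example that is not the inventors' implementation: it assumes a fill cycle is fingerprinted by the offset of its fitted fill rate from the design rate and by the spread of the residual noise. All names, rates and noise levels are constructed for the demonstration.

```python
import random
import statistics

DESIGN_RATE = 0.50  # designed fill rate in level units per sample (assumed value)

def simulate_fill(rate, noise_sd, seed, n=600):
    """Constructed data: tank level while filling at `rate`, plus process noise."""
    rng = random.Random(seed)
    return [rate * t + rng.gauss(0.0, noise_sd) for t in range(n)]

def fingerprint(levels):
    """Return (skew, noise_sd) for one fill cycle.

    skew     = least-squares fill rate minus the design rate
    noise_sd = spread of the residuals around the fitted line
    """
    n = len(levels)
    t_mean = (n - 1) / 2
    y_mean = statistics.fmean(levels)
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(levels))
    slope = sxy / sxx
    resid = [y - y_mean - slope * (t - t_mean) for t, y in enumerate(levels)]
    return slope - DESIGN_RATE, statistics.pstdev(resid)

def build_profile(runs):
    """Mean and spread of each fingerprint feature over known-good cycles."""
    skews, sds = zip(*(fingerprint(r) for r in runs))
    return {"skew": (statistics.fmean(skews), statistics.stdev(skews)),
            "noise": (statistics.fmean(sds), statistics.stdev(sds))}

def is_anomalous(levels, profile, k=6.0):
    """Flag a cycle whose skew or noise is more than k spreads from the profile."""
    skew, sd = fingerprint(levels)
    (m_s, s_s), (m_n, s_n) = profile["skew"], profile["noise"]
    return abs(skew - m_s) > k * s_s or abs(sd - m_n) > k * s_n

# Known-good cycles of one pipe/tank pair: 0.003 above design, noise sd 0.20.
PROFILE = build_profile([simulate_fill(0.503, 0.20, seed=s) for s in range(1, 21)])

if __name__ == "__main__":
    cases = {"same process": simulate_fill(0.503, 0.20, seed=99),
             "different pipe": simulate_fill(0.506, 0.20, seed=99),
             "too-clean signal": simulate_fill(0.503, 0.05, seed=99)}
    for name, levels in cases.items():
        print(name, fingerprint(levels), is_anomalous(levels, PROFILE))
```

A cycle from the profiled process passes, while a pipe with a slightly different rate, or a signal that follows the right trend but lacks the process noise, is flagged.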

Sector

This invention is applicable to critical infrastructures. More specifically, our invention is applicable to water treatment and distribution systems, as well as oil and gas infrastructures, and the approach can be extended to electric grids.

Market opportunity

The global market for Industrial Control Systems (ICS) security is a substantial and growing market opportunity, valued at approximately USD 19.24 billion in 2025. This market is projected to expand significantly, with forecasts estimating it will reach a size of over USD 32 billion by 2030, growing at a compound annual growth rate (CAGR) of around 8-10%.

Applications

Key applications include building intrusion detection solutions for critical infrastructures such as water treatment systems and electric grids.

Customer benefits

  • Process-Centric Detection: Unlike competitors that rely on network traffic analysis, our approach creates a unique signature for each industrial process based on its physical and operational characteristics.
  • Deep Operational Insight: By monitoring process-level data, we can detect anomalies and attacks that network-layer tools often miss, including stealthy manipulations of control logic.
  • Enhanced Resilience: This method improves detection of zero-day attacks and insider threats, offering a more robust defense for critical infrastructure.

Technology readiness level

TRL 4

Ideal collaboration partner 

Ideal collaboration partners include:

  • Critical Infrastructure Owners and Operators. These include water utilities, energy grid operators, and oil & gas companies that manage large-scale operational technology (OT) environments. Their involvement provides access to real-world systems for validation and ensures that our solutions address practical resilience challenges in sectors of national importance.
  • OT Cybersecurity Vendors Seeking Advanced Capabilities. Many current ICS security products focus primarily on network-layer monitoring. Our technology offers a complementary approach by leveraging process-level data for anomaly detection and predictive resilience. Partnering with these vendors enables integration into existing platforms, creating differentiated offerings that go beyond traditional perimeter defenses.

These partnerships will not only accelerate technology readiness but also foster co-created standards, joint demonstrators, and pathways to commercialisation.

Collaboration mode

This technology is suitable for multiple collaboration modes, including R&D Collaboration, licensing and IP acquisition.