SimProcess: High Fidelity Simulation of Noisy ICS Physical Processes

  • 2025-05-28 18:54:23
  • Denis Donadel, Gabriele Crestanello, Giulio Morandini, Daniele Antonioli, Mauro Conti, Massimo Merro

Abstract

Industrial Control Systems (ICS) manage critical infrastructures like power grids and water treatment plants. Cyberattacks on ICSs can disrupt operations, causing severe economic, environmental, and safety issues. For example, undetected pollution in a water plant can put the lives of thousands at stake. ICS researchers have increasingly turned to honeypots -- decoy systems designed to attract attackers, study their behaviors, and eventually improve defensive mechanisms. However, existing ICS honeypots struggle to replicate the ICS physical process, making them susceptible to detection. Accurately simulating the noise in ICS physical processes is challenging because different factors produce it, including sensor imperfections and external interferences.

In this paper, we propose SimProcess, a novel framework to rank the fidelity of ICS simulations by evaluating how closely they resemble real-world and noisy physical processes. It measures the simulation distance from a target system by estimating the noise distribution with machine learning models like Random Forest. Unlike existing solutions that require detailed mathematical models or are limited to simple systems, SimProcess operates with only a timeseries of measurements from the real system, making it applicable to a broader range of complex dynamic systems. We demonstrate the framework's effectiveness through a case study using real-world power grid data from the EPIC testbed. We compare the performance of various simulation methods, including static and generative noise techniques. Our model correctly classifies real samples with a recall of up to 1.0. It also identifies Gaussian and Gaussian Mixture as the best distribution to simulate our power systems, together with a generative solution provided by an autoencoder, thereby helping developers to improve honeypot fidelity. Additionally, we make our code publicly available.

 
