
Automated Identification of ICS Topology and Device Types via Protocol-Agnostic Passive Monitoring

DC Field Value Language
dc.contributor.author Heo, Wonje -
dc.contributor.author Shin, Donghoon -
dc.date.accessioned 2025-12-24T13:40:11Z -
dc.date.available 2025-12-24T13:40:11Z -
dc.date.created 2025-10-30 -
dc.date.issued 2025-12 -
dc.identifier.issn 2372-2541 -
dc.identifier.uri https://scholar.dgist.ac.kr/handle/20.500.11750/59279 -
dc.description.abstract Industrial Control Systems (ICS) are increasingly targeted by sophisticated cyber threats, yet many deployments still lack accurate device documentation and comprehensive visibility across segmented environments. Legacy heterogeneity and strict uptime constraints limit traditional asset discovery and segmentation validation. This paper proposes a protocol-agnostic framework for automatically reconstructing ICS hierarchies and identifying device types from passively captured network traffic. The method first infers structural layers by analyzing Strongly Connected Components (SCC) and betweenness centrality in a directed communication graph. It then refines device classification by transforming network flows into byte-sequence images (combining raw bytes, Gramian Angular Fields (GAF), and Markov Transition Fields (MTF)) and clustering them based on communication behavior. A supervised encoder trained on known types guides a mimicry-based model, enabling scalable and label-efficient inference. Experiments on ICSSIM and SWaT validate accurate topology recovery and semi-supervised, label-efficient device-type clustering. Temporal views (GAF, MTF) improve stability over raw bytes alone, and the mimicry model is robust to label scarcity and operational noise, achieving mean Adjusted Rand Index (ARI) 0.954 ± 0.015, Normalized Mutual Information (NMI) 0.953 ± 0.012, and silhouette 0.837 ± 0.039 across folds and label splits. The framework delivers scalable, interpretable ICS visibility without active probing or protocol parsers, and the attacker-injection study shows adversarial paths highlighted without spurious cross-layer links, providing a practical foundation for behavior-aware anomaly/threat detection. -
dc.language English -
dc.publisher Institute of Electrical and Electronics Engineers -
dc.title Automated Identification of ICS Topology and Device Types via Protocol-Agnostic Passive Monitoring -
dc.type Article -
dc.identifier.doi 10.1109/JIOT.2025.3623634 -
dc.identifier.scopusid 2-s2.0-105019347169 -
dc.identifier.bibliographicCitation IEEE Internet of Things Journal, v.12, no.24, pp.55525 - 55538 -
dc.description.isOpenAccess FALSE -
dc.subject.keywordAuthor protocol-agnostic -
dc.subject.keywordAuthor Asset discovery -
dc.subject.keywordAuthor industrial control systems (ICSs) -
dc.subject.keywordAuthor network visibility -
dc.subject.keywordAuthor passive monitoring -
dc.citation.endPage 55538 -
dc.citation.number 24 -
dc.citation.startPage 55525 -
dc.citation.title IEEE Internet of Things Journal -
dc.citation.volume 12 -
dc.description.journalRegisteredClass scie -
dc.description.journalRegisteredClass scopus -
dc.type.docType Article -

File Downloads

  • There are no files associated with this item.


Related Researcher

Shin, Donghoon (신동훈)

Department of Electrical Engineering and Computer Science
