The increase in the use of ICT in critical infrastructures has meant that dependence on automation and control systems has brought new risk in an increasingly digital age. The increase in digitisation and interconnectivity has meant that cyber-attacks have the potential to bring operations to a halt from a remote location with devastating consequences. In response to this, in our previous work to date, we have looked into the use of behavioural observation techniques to provide critical infrastructure support through pattern detection, in order to identify threats to the system. In this paper, a continuation of our research is presented including the use of mathematical classifications to analyse the critical infrastructure data, which has been constructed through simulation. In our approach, we develop a pattern of behaviour for the simulation and identify changes in patterns, which are the result of an attack on the system.