DOI: 10.1145/3295453.3295456
ACM Other Conferences: ICSS Conference Proceedings (research article)

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

Published: 04 December 2018

Abstract

Much research effort has recently been devoted to securing Industrial Control Systems (ICS) in response to the increasing number of adverse incidents targeting nationwide critical infrastructures. Leveraging the static and regular nature of the behavior of control systems, various data-driven methods that monitor the process-level network have been proposed as a defensive measure. Although these methods have been evaluated through offline analysis of ICS-related datasets, in the absence of documented live experiments in real environments, a complete and global understanding of the applicability and efficiency of process-level monitoring is still lacking.

In this work, we describe our experience of running a fully fledged intrusion detection system in an operational paper factory for 75 days. We discuss the nuts and bolts of running such systems in real environments and underline several practical challenges in meeting ICS-specific requirements. This work essentially aims at bridging the gap between ICS intrusion detection research and practice, and at empirically validating the increasingly adopted data-driven approach to process-level monitoring.



Published In

ICSS '18: Proceedings of the 4th Annual Industrial Control System Security Workshop
December 2018
43 pages
ISBN: 9781450362207
DOI: 10.1145/3295453

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

• ACSA: Applied Computing Security Association

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 04 December 2018


Author Tags

1. Cyber-Physical Systems
2. Deployment
3. Industrial Control Systems
4. Intrusion Detection
5. PASAD
6. Process-Level Analysis

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ICSS '18


Article Metrics

• Downloads (last 12 months): 24
• Downloads (last 6 weeks): 2

Reflects downloads up to 09 Aug 2024

Cited By

• (2023) Scheduling to the Rescue; Improving ML-Based Intrusion Detection for IoT. Proceedings of the 16th European Workshop on System Security, pp. 44-50. DOI: 10.1145/3578357.3589460. Online publication date: 8-May-2023.
• (2023) Resilience of Industrial Control Systems Using Signal Temporal Logic And Autotuning Mechanism. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), pp. 0284-0293. DOI: 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361314. Online publication date: 14-Nov-2023.
• (2023) Smart home anomaly-based IDS: Architecture proposal and case study. Internet of Things 22, article 100773. DOI: 10.1016/j.iot.2023.100773. Online publication date: Jul-2023.
• (2021) A Framework for Determining Robust Context-Aware Attack-Detection Thresholds for Cyber-Physical Systems. Proceedings of the 2021 Australasian Computer Science Week Multiconference, pp. 1-6. DOI: 10.1145/3437378.3437393. Online publication date: 1-Feb-2021.
• (2021) Spectra. Proceedings of the 36th Annual ACM Symposium on Applied Computing, pp. 1588-1597. DOI: 10.1145/3412841.3442032. Online publication date: 22-Mar-2021.
• (2021) A Survey on Industrial Control System Testbeds and Datasets for Security Research. IEEE Communications Surveys & Tutorials 23:4, pp. 2248-2294. DOI: 10.1109/COMST.2021.3094360. Online publication date: Dec-2022.
• (2019) A Probe into Process-Level Attack Detection in Industrial Environments from a Side-Channel Perspective. Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop, pp. 1-10. DOI: 10.1145/3372318.3372320. Online publication date: 10-Dec-2019.
• (2018) Truth Will Out. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 817-831. DOI: 10.1145/3243734.3243781. Online publication date: 15-Oct-2018.
