Abstract
This survey paper discusses opportunities and threats of using artificial intelligence (AI) technology in the manufacturing sector, with consideration for offensive and defensive uses of such technology. It starts with an introduction to the Industry 4.0 concept and an understanding of AI use in this context. It then provides elements of security principles and detection techniques applied to operational technology (OT), which forms the main attack surface of manufacturing systems. As some intrusion detection systems (IDS) already involve AI-based techniques, we focus on existing machine-learning and data-mining based techniques in use for intrusion detection. This article presents the major strengths and weaknesses of the main techniques in use. We also discuss an assessment of their relevance for application to OT, from the manufacturer's point of view. Another part of the paper introduces the essential drivers and principles of Industry 4.0, providing insights on the advent of AI in manufacturing systems as well as an understanding of the new set of challenges it implies. AI-based techniques for production monitoring, optimisation and control are proposed with insights on several application cases. The related technical, operational and security challenges are discussed, and an understanding of the impact of such a transition on current security practices is then provided in more detail. The final part of the report further develops a vision of security challenges for Industry 4.0. It addresses aspects of orchestration of distributed detection techniques, introduces an approach to adversarial/robust AI development and concludes with human–machine behaviour monitoring requirements.



Abbreviations
- AD: Anomaly detection
- AI: Artificial intelligence
- ANN: Artificial neural networks
- APT: Advanced persistent threat
- CMfg: Cloud manufacturing
- CERT: Computer emergency response team
- CPS: Cyber-physical system
- DM: Data mining
- DR: Detection rate
- DOS: Denial of service
- DDoS: Distributed denial of service
- EDR: Endpoint detection and response
- FAR: False alarm rate
- FoF: Factory of the future
- GA: Genetic algorithm
- HIDS: Host-based intrusion detection system
- HMM: Hidden Markov models (HMM)
- I4.0: Industry 4.0
- ICS: Industrial Control System
- IDS: Intrusion Detection System
- IoT: Internet of Things
- IIoT: Industrial Internet of Things
- KDD: Knowledge discovery in data bases
- M2M: Machine to machine communication
- MAC: Media access control
- MD: Misuse detection
- ML: Machine learning
- NIDS: Network intrusion detection system
- OT: Operational technology
- P-BEST: Production based expert system toolset
- PCAP: Application programming interface (API)
- R2L: Remote to local (attack)
- SIEM: Security incident and event management
- SIS: Safety instrumented systems
- R&T: Research and technology
- STAT: State transition analysis technique
- SVM: Support vector machines
- U2R: User to remote (attack)
References
Adadi A, Berrada M (2018) Peeking inside the black-box: a survey on explainable artificial intelligence (XAI). IEEE Access 6:52138–52160
Aickelin U, Greensmith J, Kim J, Bentley PJ, Twycross J Tedesco (2007) Immune system approaches to intrusion detection—a review. Nat Comput 413–466
Althubiti SA, Jones EM, Roy K (2018) LSTM for anomaly-based network intrusion detection. In: 2018 28th International telecommunication networks and applications conference (ITNAC), pp 1–3
Alzantot M, Sharma Y, Chakraborty S, Zhang H, Hsieh C-J, Srivastava M (2018) Genattack: practical black-box attacks with gradient-free optimization
Amor NB, Benferhat S, Elouedi Z (2004) Naive bayes vs decision trees in intrusion detection systems. In: Proceedings of the 2004 ACM symposium on applied computing, SAC’04. ACM, New York, pp 420–424
Anderson R, Fuloria S (2010) Who controls the off switch? In: 1st IEEE international conference on smart grid communications. IEEE, Los Alamitos, pp 96–101
Anderson D, Frivold T, Valdes A (1995) Next-generation intrusion detection expert system (NIDES) a summary
Anderson HS, Woodbridge J, Filar B (2016) DeepDGA: adversarially-tuned domain generation and detection. In: Proceedings of the 2016 ACM workshop on artificial intelligence and security. ACM, New York, pp 13–21
ANSSI ICS Working Group (2014) Managing cybersecurity of industrial control systems
Autodesk (2015) Autodesk and airbus show the future of aerospace design and manufacture in pioneering generatively designed 3d printed partition. Accessed 3 June 2019
Axelsson S (2000) Intrusion detection systems: a survey and taxonomy. Technical report
Bahnsen AC, Torroledo I, Camacho D, Villegas S (2018) DeepPhish: simulating malicious AI. In: Proceedings of the 2018 APWG symposium on electronic crime research (eCrime’18), pp 1–8
Balu A, Lore KG, Young G, Krishnamurthy A, Sarkar S (2016) A deep 3d convolutional neural network based design for manufacturability framework
Baryannis G, Validi S, Dani S, Antoniou G (2018) Supply chain risk management and artificial intelligence: state of the art and future research directions. Int J Prod Res 57(7):2179–2202. https://doi.org/10.1080/00207543.2018.1530476
Bechtsis D, Tsolakis N, Vlachos D, Srai JS (2018) Intelligent autonomous vehicles in digital supply chains: a framework for integrating innovations towards sustainable value networks. J Clean Prod 181:60–71
Biggio B, Roli F (2018) Wild patterns: ten years after the rise of adversarial machine learning. Pattern Recognit 84:317–331
Bilge L, Kirda E, Kruegel C, Balduzzi M (2011) Exposure: finding malicious domains using passive DNS analysis
Bilge L, Balzarotti D, Robertson W, Kirda E, Kruegel C (2012) Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In: ACSAC, 28th annual computer security applications conference, December 3–7, Orlando, Florida, USA
Breiman L (1996) Bagging predictors. Mach Learn 24(2):123–140
Breiman L (2001) Random forests. Mach Learn 45(1):5–32
Brundage M, Avin S, Clark J, Toner H, Eckersley P, Garfinkel B, Dafoe A, Scharre P, Zeitzoff T, Filar B, Anderson H, Roff H, Allen GC, Steinhardt J, Flynn C, ÓhÉigeartaigh S, Beard S, Belfield H, Farquhar S, Lyle C (2018) The malicious use of artificial intelligence: forecasting, prevention, and mitigation
Buczak AL, Guven E (2016) A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun Surv Tutor 18(2):1153–1176
Çaliş B, Bulkan S (2013) A research survey: review of AI solution strategies of job shop scheduling problem. J Intell Manuf 26(5):961–973. https://doi.org/10.1007/s10845-013-0837-8
Choi S, Jung K, Noh SD (2015) Virtual reality applications in manufacturing industries: past research, present findings, and future directions. Concurr Eng 23(1):40–63
Chung K, Kalbarczyk ZT, Iyer RK (2019) Availability attacks on computing systems through alteration of environmental control: smart malware approach. In: Proceedings of the 10th ACM/IEEE international conference on cyber-physical systems. ACM, New York, pp 1–12
Cohen G (1989) Using AI techniques to optimize manufacturing shop-floor operations. Eng Appl Artif Intell 2(3):238–246
Creech G (2014) Developing a high-accuracy cross platform host-based intrusion detection system capable of reliably detecting zero-day attacks
Creech G, Hu J (2013) Generation of a new ids test dataset: time to retire the KDD collection, pp 4487–4492
Creech G, Hu J (2014) A semantic approach to host-based intrusion detection systems using contiguous and discontiguous system call patterns. IEEE Trans Comput 63:807–819, 04
Culp C, Haberl J, Norford L, Brothers PW, Hall JD (1990) The impact of AI technology within the HVAC industry. ASHRAE J (Am Soc Heat Refrig Air-Conditioning Eng) (USA) 32(12):12–22
Cunningham P, Delany SJ (2007) k-nearest neighbour classifiers: 2nd edition. https://arxiv.org/2004.04523
Czimmermann T, Ciuti G, Milazzo M, Chiurazzi M, Roccella S, Oddo CM, Dario P (2020) Visual-based defect detection and classification approaches for industrial applications—a survey. Sensors
Debar H, Didier S, Becker M (1992) A neural network component for an intrusion detection system
Deutsches Institut für Normung eV (2016) Reference architecture model industrie 4.0 (RAMI4.0)
Dharmapurikar S, Lockwood JW (2006) Fast and scalable pattern matching for network intrusion detection systems. IEEE J Sel A Commun 24(10):1781–1792
Domb M, Bonchek-Dokow E, Leshem G (2016) Lightweight adaptive random-forest for IoT rule generation and execution. J Inf Secur Appl
Donlon M (2016) Machine learning in hvac controls. http://automatedbuildings.com/news/jun16/articles/computrols/160525111606computrols.html. Accessed 3 June 2019
Eisenstein PA (2017) European car plants halted by WannaCry ransomware attack. https://www.nbcnews.com/business/autos/european-car-plants-halted-wannacry-ransomware-attack-n759496. Accessed 10 May 2020
Emanuilov I (2017) Autonomous systems in aviation: between product liability and innovation
Ertoz L, Eilertson E, Lazarevic A, Tan P, Srivava J, Kumar V, Dokas P (2004) Minds—minnesota intrusion detection system. In: Next generation data mining. MIT Press, Boston
European commission—digital transformation monitor “Germany: Industry 4.0” (2017). https://ec.europa.eu/growth/tools-databases/dem/monitor/sites/default/files/DTM_Industrie%204.0.pdf
European Commission (2009) European machinery directive. Accessed 3 June 2019
Factories of the Future PPP (2020). Strategic multi-annual roadmap. https://www.effra.eu/sites/default/files/factories_of_the_future_2020_roadmap.pdf
Freund Y, Schapire RE (1997) A decision-theoretic generalization of on-line learning and an application to boosting. J Comput Syst Sci 55(1):119–139
Fuente J, Saludes S (2000) Fault detection and isolation in a non-linear plant via neural networks, pp 463–468
Fuller A, Fan Z, Day C, Barlow C (2019) Digital twin: enabling technologies, challenges and open research. arXiv e-prints
Gacek S (2012) CNC machine group scheduling methods in a multitasking system. In: Proceedings of Carpathian logistics congress 2012, Jesenik, Czech Republic
Gao D, Reiter MK, Song D (2006) Behavioral distance measurement using hidden Markov models. In: Proceedings of the 9th international conference on recent advances in intrusion detection, RAID’06. Springer, Berlin, pp 19–40
Gau J, Evans R (2016) DeepMind AI reduces google data centre cooling bill by 40 percent
Gharibian F, Ghorbani A (2007) Comparative study of supervised machine learning techniques for intrusion detection, pp 350–358
Gonzalez FA (2003) A study of artificial immune systems applied to anomaly detection. PhD thesis. AAI3092441
Goodfellow IJ, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y (2014) Generative adversarial nets. In: Proceedings of the 27th international conference on neural information processing systems, NIPS’14, vol 2. MIT Press, Cambridge, pp 2672–2680
Granzer W, Praus F, Kastner W (2010) Security in building automation systems. IEEE Trans Ind Electron 57:3622–3630
Grapentin A, Plauth M, Polze A (2017) MemSpaces: Evaluating the tuple space paradigm in the context of memory-centric architectures. In: 2017 Fifth international symposium on computing and networking (CANDAR), pp 284–290
Grewal G, Areibi S, Westrik M, Abuowaimer Z, Zhao B (2017) A machine learning framework for FPGA placement (abstract only). In: Proceedings of the 2017 ACM/SIGDA international symposium on field-programmable gate arrays, FPGA’17. ACM, New York, pp 286–286
Hinton G, Sejnowski T (1999) Unsupervised learning: foundations of neural computation. MIT Press, Cambridge
Hitaj B, Gasti P, Ateniese G, Perez-Cruz F (2017) Passgan: a deep learning approach
Hu W, Tan Y (2017) Generating adversarial malware examples for black-box attacks based on GAN
Hu W, Liao Y, Vemuri VR (2003) Robust support vector machines for anomaly detection in computer security. In: Proceedings of the 2003 international conference on machine learning and applications—ICMLA 2003, June 23–24, 2003, Los Angeles, California, USA, pp 168–174
Hu W, Hu W, Maybank S (2008) Adaboost-based algorithm for network intrusion detection. Trans Syst Man Cybern Part B 38(2):577–583
Humayed A, Lin J, Li F, Luo B (2017) Cyber-physical systems security—a survey. IEEE Internet Things J 4(6):1802–1831
Hutchins EM, Cloppert MJ, Amin RM (2011) Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead Issues Inf Warf Secur Res 1(1): 80
Ilgun K, Kemmerer RA, Porras PA (1995) State transition analysis: a rule-based intrusion detection approach. IEEE Trans Softw Eng 21(3):181–199
Jemili F, Zaghdoud M, Ahmed MB (2007) A framework for an adaptive intrusion detection system using Bayesian network, pp 66–70
Jensen F, Nielsen TD (2007) Bayesian networks and decision graphs, 2nd edn. Springer Publishing Company, Incorporated, Berlin
Ji W, Wang L (2017) Big data analytics based fault prediction for shop floor scheduling. J Manuf Syst 43(Part 1):187–194
Kalajdzic K, Jegourel C, Bartocci E, Legay A, Smolka S, Grosu R (2015) Model checking as control: feedback control for statistical model checking of cyber-physical systems
Kaloudi N, Li J (2020) The AI-based cyber threat landscape: a survey. ACM Comput Surv 53(1), Article 20
Karami A, Guerrero-Zapata M (2015) A fuzzy anomaly detection system based on hybrid PSO-Kmeans algorithm in content-centric networks. Neurocomputing 149:1253–1269, 02
Kirat D, Jang J, Stoecklin M (2018) Deeplocker—concealing targeted attacks with AI locksmithing. In: Proceedings of the black hat USA conference
Knowles W, Prince D, Hutchison D, Diss JP, Jones K (2015) A survey of cyber security management in industrial control systems. Int J Crit Infrastruct Prot 9
Kolias C, Kambourakis G, Maragoudakis M (2011) Swarm intelligence in intrusion detection: a survey. Comput Secur 30(8):625–642
Korvesis P (2017) Machine learning for predictive maintenance in aviation. Artificial intelligence[cs.AI]
Kumar K (2017) Intrusion detection and prevention system in enhancing security of cloud environment. 6:2278–1323
Kumar S, Spafford EH (1994) A pattern matching model for misuse intrusion detection. Technical report, Purdue University
Laura B, Davoli L, Medioli A, Marchini PL, Ferrari G (2019) Toward industry 4.0 with IoT: optimizing business processes in an evolving manufacturing factory
Lee W, Stolfo SJ (2020) A framework for constructing features and models for intrusion detection systems. Association for Computing Machinery, New York, pp 227–261. https://doi.org/10.1145/382912.382914
Lee J-H, Lee J-H, Sohn SG, Ryu JH, Chung Tai-Myoung M (2008) Effective value of decision tree with KDD 99 intrusion detection datasets for intrusion detection system. In: 2008 10th International conference on advanced communication technology, vol 2, pp 1170–1175
Lee J, Davari H, Singh J, Pandhare V (2018) Industrial artificial intelligence for industry 4.0-based manufacturing systems
Li J (2018) Cyber security meets artificial intelligence: a survey. Front Inf Technol Electron Eng 1462–1474
Li B, Hou B, Yu W, Lu X, Yang C (2017) Applications of artificial intelligence in intelligent manufacturing: a review. Front Inf Technol Electron Eng 18(1):86–96. https://doi.org/10.1631/FITEE.1601885
Lightman S, Abrams M, Hahn A, Stouffer K, Pillitteri V (2015) Guide to industrial control systems (ICS) security
Lim Y, Ramasamy S, Gardi A, Kistan T, Sabatini R (2017) Cognitive human–machine interfaces and interactions for unmanned aircraft. J Intell Robotic Syst 10
Lin S-W, Miller B, Durand J, Bleakley G, Chigani A, Martin R, Murphy B, Crawford M (2019) The industrial internet of things volume g1: reference architecture. 6
Lippmann RP, Fried DJ, Graf I, Haines JW, Kendall K, Mcclung DM, Weber D, Webster SE, Wyschogrod D, Cunningham RK, Zissman MA (2000) Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
Lippmann R, Haines JW, Fried DJ, Korba J, Das K (2000) The 1999 DARPA off-line intrusion detection evaluation. Comput Netw 34(4):579–595
Lowe’s Company Incorporated (2016) Lowe’s introduces LoweBot—the next generation robot to enhance the home improvement shopping experience in the bay area
Lu Y, Xu X (2019) Cloud-based manufacturing equipment and big data analytics to enable on-demand manufacturing services. Robotics Comput Integr Manuf 57:92–102
Ludovic ME (1998) Gassata, a genetic algorithm as an alternative tool for security audit trails analysis. In: Proceedings of the first international work-shop on the recent advances in intrusion detection
Lunt TF, Jagannathan R (1988) A prototype real-time intrusion-detection expert system. In: Proceedings of the 1988 IEEE conference on security and privacy, SP’88. IEEE Computer Society, Washington, DC, pp 59–66
Luo J, Bridges S (2000) Mining fuzzy association rules and fuzzy frequency episodes for intrusion detection. Int J Intell Syst 15:687–703, 08
Luo Y, Xiao Y, Cheng L, Peng G, Yao DD (2020) Deep learning-based anomaly detection in cyber-physical systems: progress and opportunities. arXiv:2003.13213
Makkar S, Devi G, Solanki V (2020) Applications of machine learning techniques in supply chain optimization
Malatras A, Skouloudi C, Koukounas A (2019) Industry 4.0 cybersecurity: challenges & recommendations
Mantere M, Sailio M, Noponen S (2014) A module for anomaly detection in ICS networks. In: Proceedings of the 3rd international conference on high confidence networked systems, HiCoNS’14. Association for Computing Machinery, New York, pp 49–56
Mao S, Wang B, Tang Y, Qian F (2019) Opportunities and challenges of artificial intelligence for green manufacturing in the process industry. Engineering 5(6):2019
Mazini M, Shirazi B, Mahdavi I (2018) Anomaly network-based intrusion detection system using a reliable hybrid artificial bee colony and AdaBoost algorithms. J King Saud Univ Comput Inf Sci
Moon I, Lee GM, Park J, Kiritsis D, von Cieminski G (2018) Advances in production management systems. Production management for data-driven, intelligent, collaborative, and sustainable manufacturing. In: IFIP WG 5.7 international conference, APMS proceedings. Part I, Seoul, Korea, p 2018
Morris T, Gao W (2014) Industrial control system traffic data sets for intrusion detection research. Int Conf Crit Infrast Prot 441:65–78
Mosli R, Wright M, Yuan B, Pan Y (2019) They might not be giants: crafting black-box adversarial examples with fewer queries using particle swarm optimization
Mukkamala S, Sung AH, Abraham A (2005) Intrusion detection using an ensemble of intelligent paradigms. J Netw Comput Appl 28(2):167–182
Nguyen TT, Reddi VJ (2019) Deep reinforcement learning for cyber security. CoRR. arXiv:1906.05799
Nicholas L, Ooi SY, Pang Y-H, Hwang SO, Tan S-Y (2018) Study of long short-term memory in flow-based network intrusion detection system. J Intell Fuzzy Syst 35:5947–5957
Offshore Engineering (2017) Rosneft, maersk hit by petya cyber attack. https://www.oedigital.com/news/446237-rosneft-maersk-hit-by-petya-cyber-attack. Accessed 10 May 2020
Otto B, Steinbuß S, International Data Spaces Association (2019) Reference architecture model. Anna-Louisa-Karsch-Str. 210178 Berlin, Germany
Pagnoni A, Visconti A (2004) NAIS: intrusion detection via native immune system. In: Proceedings of the 10th international conference on cybernetics and information technologies, systems and applications. Hsing-Wei Chu et al
Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Swami A (2017) Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security, ASIA CCS’17. ACM, New York, pp 506–519
Park HS, Phuong DX, Kumar S (2019) AI based injection molding process for consistent product quality. Procedia Manuf 28:102–106
Petro D, Morris B (2017) Weaponizing machine learning: humanity was overrated anyway. In: Proceedings of DEF CON 25
Phelan N (2016) Designing with machine learning
Pinker E (2018) Reporting accuracy of rare event classifiers. NPJ Digit Med 1(1):1–2
Polikar R (2009) Ensemble learning. Scholarpedia 4(4):2776
Porras PA, Neumann PG (1997) EMERALD: event monitoring enabling responses to anomalous live disturbances. In: 1997 National information systems security conference
Qiu S, Liu Q, Zhou S, Wu C (2019) Review of artificial intelligence adversarial attack and defense technologies. Appl Sci 9:909
Rabiner LR, Juang BH (1986) An introduction to hidden Markov models. IEEE ASSp Magazine
Resende PAA, Drummond AC (2018) A survey of random forest based methods for intrusion detection systems. ACM Comput Surv 51(3):48:1–48:36
Roesch M (1999) Snort: lightweight intrusion detection for networks. In: Proceedings of LISA’99: 13th systems administration conference, volume 99 of Lisa
Hastie T, Tibshirani R, Friedman J (2009) The elements of statistical learning: data mining, inference, and prediction
Russell S, Norvig P (2009) Artificial intelligence: a modern approach, 3rd edn. Prentice Hall Press, Upper Saddle River
Saint-Gobain (2017) Press release—cyber-attack update. https://www.saint-gobain.com/sites/sgcom.master/files/03-07-2017_cp_va.pdf. Accessed 10 May 2020
Samuel AL (1959) Some studies in machine learning using the game of checkers. IBM J Res Dev 3(3):210–229
Santofimia-Romero M-J, del Toro-García X, López-López J-C (2011) Artificial intelligence techniques for smart grid applications
Schneible J, Lu A (2017) Anomaly detection on the edge, pp 678–682
Schneier B (2018) Artificial intelligence and the attack/defense balance. IEEE Secur Priv 2 16(2):96. https://doi.org/10.1109/MSP.2018.1870857
Sculley D, Holt G, Golovin D, Davydov E, Phillips T, Ebner D, Chaudhary V, Young M, Crespo J-F, Dennison D (2015) Hidden technical debt in machine learning systems. In: Proceedings of the 28th international conference on neural information processing systems, NIPS’15, vol 2. MIT Press, Cambridge, pp 2503–2511
Sebring MM, Shellhouse E, Hanna MF, Whitehurst RA (1988) Expert systems in intrusion detection: a case study
Seymour J, Tully P (2016) Weaponizing data science for social engineering: automated E2E spear phishing on twitter. Proc Black Hat USA 37(2016):1–39
Sharafaldin I, Lashkari AH, Ghorbani A (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization, pp 108–116
Sharif M, Bhagavatula S, Bauer L, Reiter MK (2016) Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, CCS’16. ACM, New York, pp 1528–1540
Sheen S, Rajesh R (2008) Network intrusion detection using feature selection and decision tree classifier, pp 1–4
Shin C, Park S (2010) A machine learning approach to yield management in semiconductor manufacturing. Int J Prod Res 38(17):4261–4271
Siddiqi A (2019) Adversarial security attacks and perturbations on machine learning and deep learning methods. CoRR. arXiv:1907.07291
Sindhu SSS, Geetha S, Kannan A (2012) Decision tree based light weight intrusion detection using a wrapper approach. Expert Syst Appl 39(1):129–141
Śliwiński M, Piesik E, Piesi J (2018) Integrated functional safety and cyber security analysis. IFAC-PapersOnLine 51(24):1263–1270. 10th IFAC symposium on fault detection, supervision and safety for technical processes SAFEPROCESS 2018
Smaha SE (1988) Haystack: an intrusion detection system
Stefanova Z, Ramachandran K (2017) Network attribute selection, classification and accuracy (NASCA) procedure for intrusion detection systems. In: Proceedings of the 2007 IEEE international symposium on technologies for homeland security
Stevens T (2020) Knowledge in the grey zone: AI and cybersecurity. Digital War 1:164–170. https://doi.org/10.1057/s42984-020-00007-w
Stolfo SJ (1999) KDD cup 1999 data data set. Accessed 3 June 2019
Stouffer K, Lightman S, Pillitteri V, Abrams M, Hahn A (2015) Guide to industrial control systems (ICS) security
Sun B, Li X, Wan B, Wang C, Zhou X, Chen X (2016) Definitions of predictability for cyber physical systems. J Syst Archit 63:48–60
Sung AH, Mukkamala S (2003) Identifying important features for intrusion detection using support vector machines and neural networks. In: Proceedings of the 2003 symposium on applications and the internet, SAINT’03. IEEE Computer Society, Washington, DC, p 209
System architectures for industrie 4.0 applications—derivation of a generic architecture proposal. Production Engineering, Research and Development, Issue 3-4 (2019)
Szychter A, Ameur H, Kung A, Daussin H (2018) The impact of artificial intelligence on security: a dual perspective. C&ESAR
Tavallaee M, Stakhanova N, Ghorbani A (2010) Toward credible evaluation of anomaly-based intrusion-detection methods. IEEE Trans Syst Man Cybern Part C Appl Rev 40:516–524
Tedeschi S, Emmanouilidis C, Mehnen J, Roy R (2019) A design approach to IoT endpoint security for production machinery monitoring. Sensors 19(2355):2019
Thakkar A, Lohiya R (2020) Role of swarm and evolutionary algorithms for intrusion detection system: a survey. Swarm Evol Comput 53:100631
Thapar V (2019) GE brings AI into preventive maintenance to reduce jet engine failure by one-third
Trieu K, Yang Y (2018) Artificial intelligence-based password brute force attacks
Truong TC, Diep QB, Zelinka I (2020) Artificial intelligence in the cyber domain: offense and defense. Symmetry 12(3):410
Turchin A (2015) A map: AGI failures modes and levels
Turchin A, Denkenberger D (2020) Classification of global catastrophic risks connected with artificial intelligence. AI Soc 35(1):147–163
Valdes A, Skinner K (2000) Recent advances in intrusion detection. Adaptive, model-based monitoring for cyber attack detection. Springer, Berlin
Wang L (2019) From intelligence science to intelligent manufacturing. Engineering 5(4):615–618
Warrender C, Forrest S, Pearlmutter B (1999) Detecting intrusions using system calls: alternative data models. In: IEEE symposium on security and privacy. IEEE Computer Society, pp 133–145
Williams TJ (1994) The Purdue enterprise reference architecture. Comput Ind 24(2–3):141–158
Xiao H (2017) Adversarial and secure machine learning
Xiao H, Biggio B, Nelson B, Xiao H, Eckert C, Roli F (2015) Support vector machines under adversarial label contamination. Neurocomputing 160(C):53–62
Xu X (2012) From cloud computing to cloud manufacturing. Robotics Comput Integr Manuf 28(1):75–86
Xue D, Sun J, Norrie DH (2001) An intelligent optimal production scheduling approach using constraint-based search and agent-based collaboration. Comp Ind 46(2):209–231. https://doi.org/10.1016/S0166-3615(01)00118-X
Yampolskiy RV (2016) Taxonomy of pathways to dangerous artificial intelligence. In: Proceedings of the workshops at the 30th AAAI conference on artificial intelligence
Yampolskiy RV, Spellchecker MS (2016) Artificial intelligence safety and cybersecurity: a timeline of AI failures. https://arxiv.org/abs/1610.07997
Yan J, He H, Zhong X, Tang Y (2017) Q-learning-based vulnerability analysis of smart grid against sequential topology attacks. IEEE Trans Inf Forensics and Secur 12(1):2017
Yao J, Zhao SL, Saxton L (2005) A study on fuzzy intrusion detection, vol 5812
Yao M (2017) 4 unique challenges of industrial artificial intelligence
Yao Y, Viswanath B, Cryan J, Zheng H, Zhao BY (2017) Automated crowdturfing attacks and defenses in online review systems. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security. Association for Computing Machinery, New York, pp 1143–1158. https://doi.org/10.1145/3133956.3133990
Ye N, Zhang Y, Borror CM (2004) Robustness of the Markov-chain model for cyber-attack detection. In: IEEE transactions on reliability, vol 53, pp 116–123
Yegnanarayana B (2009) Artificial neural networks. PHI Learning
Yeo LH, Che X, Lakkaraju S (2017) Understanding modern intrusion detection systems: a survey
Yeung D-Y, Ding Y (2003) Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognit 36(1):229–243
Yin M, Yao D, Luo J, Liu X, Ma J (2013) Network backbone anomaly detection using double random forests based on non-extensive entropy feature extraction. In: Ninth international conference on natural computation, ICNC 2013, Shenyang, China, July 23–25, 2013, pp 80–84
Zaataria ES, Mareia M, Lia W, Usmanb Z (2019) Cobot programming for collaborative industrial tasks: an overview. Robotics Auton Syst
Zaharia M, Xin RS, Wendell P, Das T, Armbrust M, Dave A, Meng X, Rosen J, Venkataraman S, Franklin MJ, Ghodsi A, Gonzalez J, Shenker S, Stoica I (2016) Apache spark: a unified engine for big data processing. Commun ACM 59(11):56–65
Zaman S, Karray F (2009) Features selection for intrusion detection systems based on support vector machines. In: Proceedings of the 6th IEEE conference on consumer communications and networking conference, CCNC’09. IEEE Press, Piscataway, pp 1066–1073
Zhang H, Wang M (2009) Search for the smallest random forest. Stat interface 2:381. https://doi.org/10.4310/SII.2009.v2.n3.a11.
Zhang J, Zulkernine M (2005) Network intrusion detection using random forests
Zhang R, Chen X, Lu J, Wen S, Nepal S, Xiang Y (2018) Using AI to hack IA: a new stealthy spyware against voice assistance functions in smart phones
Zhou Z-H (2012) Ensemble methods: foundations and algorithms, 1st edn. Chapman and Hall/CRC, London
Zhu Y, Yan J, Sun YL, He H (2014) Revealing cascading failure vulnerability in power grids using risk-graph. IEEE Trans Parallel Distrib Syst 25(12):3274–3284
Appendices
Appendix A: Nature, types and sources of data for ML-based IDS
Appendix A.1: Data types for ML/DM applied to IDS
Having highlighted the importance of data quality and quantity to DM/ML techniques, it is also important to highlight the diverse nature of the data that can be used for intrusion detection. A first distinction is between packet-level data and NetFlow data.
Packet level data: the packets transmitted through network infrastructures can be captured through a specific Application Programming Interface (API) called pcap. IDS and other network security equipment use Libpcap and WinPCap as packet capture libraries on Unix and Windows respectively. The Ethernet frame contains an Ethernet header, with fields such as the media access control (MAC) address, and up to 1500 bytes [maximum transmission unit (MTU)] of payload, which contains the IP packet made of an IP header and an IP payload where the data content lies. The features captured from the pcap interface vary depending on the protocols carried in the packet. IP addresses are captured in the IP header.
NetFlow data: NetFlow was originally a router feature by Cisco that collects IP network traffic as it enters or leaves the network equipment. In version 5, a NetFlow flow is defined as a unidirectional sequence of packets that share the exact same seven packet attributes: ingress interface, source IP address, destination IP address, IP protocol, source port, destination port, and IP type of service. NetFlow data include a compressed and preprocessed version of the actual network packets.
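The two data types described above, shown side by side in an added Python example (not code from the paper): it parses the Ethernet and IP header fields of raw frames and groups the packets into unidirectional flows keyed by the seven NetFlow v5 attributes. The function names, the 192.0.2.x addresses and the Modbus/TCP-style sample traffic are constructed for illustration; the ingress interface is supplied by the capture point because it is not carried in the packet.

```python
import socket
import struct
from collections import namedtuple

# The seven NetFlow v5 key attributes named in the text above.
FlowKey = namedtuple(
    "FlowKey", "ingress_if src_ip dst_ip proto src_port dst_port tos")

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame, ingress_if):
    """Return (FlowKey, ip_total_length) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 14 + 20:                      # Ethernet + minimal IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                               # ARP, IPv6, ... are not keyed here
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None                               # malformed or truncated header
    tos = ip[1]
    total_len, = struct.unpack("!H", ip[2:4])
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    proto = ip[9]
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    src_port = dst_port = 0                       # protocols without ports (e.g. ICMP)
    # Ports are the first 4 bytes of TCP/UDP and exist only in the first fragment.
    if proto in (PROTO_TCP, PROTO_UDP) and frag_offset == 0 and len(ip) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    key = FlowKey(ingress_if, src_ip, dst_ip, proto, src_port, dst_port, tos)
    return key, total_len


def aggregate(packets):
    """Group (timestamp, ingress_if, frame) tuples into unidirectional flows."""
    flows, skipped = {}, 0
    for ts, ingress_if, frame in packets:
        parsed = parse_frame(frame, ingress_if)
        if parsed is None:
            skipped += 1
            continue
        key, nbytes = parsed
        rec = flows.setdefault(
            key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += nbytes
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return flows, skipped


def build_frame(src, dst, proto, sport, dport, payload=b"", tos=0):
    """Build a constructed Ethernet/IPv4/TCP-or-UDP frame (checksums left at zero)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


# Constructed sample capture: an HMI polling a PLC on TCP/502, the PLC's replies,
# one DNS query and one ARP frame. All values are made up for this example.
HMI, PLC, DNS = "192.0.2.10", "192.0.2.20", "192.0.2.53"
ARP = bytes(12) + b"\x08\x06" + bytes(28)         # non-IPv4 frame, must be skipped
SAMPLE = [
    (0.00, 1, build_frame(HMI, PLC, PROTO_TCP, 49152, 502, bytes(12))),
    (0.01, 2, build_frame(PLC, HMI, PROTO_TCP, 502, 49152, bytes(11))),
    (0.50, 1, build_frame(HMI, PLC, PROTO_TCP, 49152, 502, bytes(12))),
    (0.51, 2, build_frame(PLC, HMI, PROTO_TCP, 502, 49152, bytes(11))),
    (1.00, 1, build_frame(HMI, PLC, PROTO_TCP, 49152, 502, bytes(12))),
    (1.20, 1, build_frame(HMI, DNS, PROTO_UDP, 53000, 53, bytes(30))),
    (1.30, 1, ARP),
]

if __name__ == "__main__":
    flows, skipped = aggregate(SAMPLE)
    for key, rec in flows.items():
        print(key, rec)
    print("non-IPv4 or malformed frames skipped:", skipped)
```

Because flows are unidirectional, the request and reply halves of one TCP conversation appear as two records, and a change in any of the seven attributes (for example the type of service) starts a new flow.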
Kernel level data: the kernel is the core of a computer’s operating system. It handles requests from applications, sends instructions to the central processing unit, allocates computing resources, and manages memory and peripherals. Kernel level data can be analyzed to provide evidence of attacks on the endpoint. The analysis would be specific to the type of operating system monitored. Kernel behavior analysis can be performed based on expert rules, statistical approaches or DM/ML techniques. It could rely on endpoint detection and response (EDR) agents or Host IDS (HIDS). An interesting field of investigation is the correlation of alerts raised by network level and kernel level IDS.
1.2 Appendix A.2: Public data sets for IDS training and testing
ML/DM methods require vast amounts of data, in most cases labeled, in any case representative of real network traffic and free to use. Data collection is a painful step. Network data are usually subject to confidentiality and privacy issues. This is particularly the case for OT networks, which usually bear company or utility confidential data. A comparison of performance in intrusion detection between two projects is only valid if they use the same data set. For those reasons, public data sets have been collected and shared across the research community.
- DARPA 1998 (Lippmann et al. 2000): this data set was created by the Lincoln Laboratory from Massachusetts Institute of Technology in 1998 to support an offline evaluation of IDS on network traffic and audit logs collected on a simulation network.
- DARPA 1999 (Lippmann et al. 2000): also created by the Lincoln Laboratory, this data set contained three weeks of training data among which only the second week contained a selected subset of attacks from the 1998 evaluation in addition to several new attacks. In 1999, intrusion detection systems were tested as part of an off-line evaluation, a real time evaluation or both.
- KDD 1999 (Stolfo 1999): the NSL-KDD corrects a number of discrepancies found in KDD 1999. It has been used for The Third International Knowledge Discovery and Data Mining Tools Competition, which was held in conjunction with KDD-99.
- CICIDS2017 (Sharafaldin et al. 2018): probably the most up to date public data set for NIDS training and testing. It contains benign and the most up-to-date common attacks. It also includes the results of the network traffic analysis using a network traffic flow generator with labeled flows based on the time stamp, source and destination IPs, source and destination ports, protocols and attack. The implemented attacks include Brute Force FTP, Brute Force SSH, DoS, Heartbleed, Web Attack, Infiltration, Botnet and DDoS within 5 days of traffic.
- ADFA data sets (2013–2014): the ADFA data sets provide kernel level data for HIDS training and testing. The ADFA Linux Dataset (ADFA-LD) (Creech and Hu 2014, 2013) provides a contemporary Linux dataset while ADFA Windows Dataset (ADFA-WD) (Creech 2014) provides representative Windows kernel data. A Stealth Attacks Addendum (ADFA-WD:SAA) (Creech 2014) contains stealth attack traces for evaluation in conjunction with the ADFA-WD (Creech 2014).
- MODBUS data sets (2014) (Morris and Gao 2014): 4 data sets were developed by Thomas Morris and Wei Gao in a project entitled “Industrial Control System Traffic Data Sets for Intrusion Detection Research”. They include network traffic, process control and process measurement features from two laboratory-scale SCADA systems. They were generated from network flow records captured with a serial port data logger in a laboratory environment. They contain transactions from a gas pipeline system and a water storage tank system. A set of 28 attacks were grouped into four categories: reconnaissance, response injection, command injection and denial-of-service attacks. Although MODBUS is a particular SCADA protocol, the authors claim their data sets are relevant to a wide variety of SCADA systems and would apply to other than pipeline or water storage ICS.
The DARPA, KDD and CICIDS2017 data sets contain network level and kernel level data representative of IT networks and appropriate for training and testing of generic NIDS. They may contain useful data for OT IDS but would not address the specificities of such environments. They are however useful to assess IDS performance, as they are widely used and thus form a potential reference for comparison of performance. The ADFA data set is dedicated to HIDS training and testing. It is useful to work on detection of industrial endpoint
- The CIDDS-001 (Coburg Intrusion Detection Data Set), disclosed by Markus Ring et al. in [8], contains about four weeks of network traffic from two different environments, an emulated small business environment (OpenStack) and an External Server that captured real and up-to-date traffic from the internet. The OpenStack environment includes several clients and typical servers like an E-Mail server or a Web server. The dataset contains labeled flow-based data that can be used to evaluate anomaly-based network intrusion detection systems considering normal activity as well as DoS, Brute Force, Ping Scans and Port Scan attacks. The data provided by the CIDDS-001 dataset are represented in NetFlow format. NetFlow is a feature of Cisco routers that allows the collection of IP network traffic as it enters or exits an interface.
Appendix B: Open source OT IDS solutions
There are three major open source NIDS currently available for ICS/SCADA: Snort, Suricata and Bro.
- Snort is the oldest and most famous NIDS. It is a signature-based NIDS owned by SourceFire. It is widely used by all types of organizations (large companies, SMEs, research labs, governmental organizations). In addition, this solution is supported by a huge community of users and developers. When interest in ICS/SCADA appeared, Snort was an obvious choice for attempting to adapt an IT-related IDS to ICS/SCADA needs. It remains the most studied NIDS, including in the ICS/SCADA domain, and Snort comes with a large set of SCADA-oriented rules.

The work performed by Digital Bond since 2009 on SCADA IDS is probably the most cited. It deals with ready-to-use rules for Snort and Suricata. Thus, if one wants to create his/her own solution, it is quite simple to build a system able to detect malicious packets.

- Suricata: developed by the OISF (Open Information Security Foundation), Suricata is a signature-based IDS and a competitor of Snort. The main advantage of Suricata is the easy integration of Snort rules. Suricata is multi-threaded, Snort is not. It is not necessarily an advantage. Suricata is more scalable but may require more resources, even if a study states that Suricata does its job at least as well as Snort. However, the level of maturity is lower and the Suricata community is less important than that of Snort. Suricata is trickier to use than Snort as well. It is worth mentioning that the French national cyber security agency (ANSSI) officially supports Suricata as an IDS adapted to critical infrastructures. The Suricata project is quite dynamic: a version is released every 2 or 3 months.
- Bro: presented in 1999 by V. Paxson, Bro is not restricted to any particular detection approach and does not rely on traditional signatures. Bro’s detection principle is thus completely different from that of Snort. As a consequence, it may be more efficient than Snort on some types of intrusion. Additionally, it embeds a capacity of network flow analysis (including performance measurements). However, Bro is less used than Snort, probably because it does not have any graphical user interface and has to be fully configured in command line mode. Furthermore, it only runs on Linux, FreeBSD and Mac OS X operating systems. Despite these limitations, it remains widely used by academics.
1.1 Appendix B.1: Synthesis on Open source IDS solutions
Snort benefits from a large support by the community. It is integrated with many other systems (e.g., rule providers, SIEM) and add-ons make it adaptable to many usages (IT and OT). Suricata—the Snort challenger—is scalable but requires extensive computing resources. Bro is an IDS mostly used by academics and would require a lot of effort to make it usable in an operational environment.
Appendix C: Vendor OT IDS solutions
Many commercial solutions use one or several frameworks coming from the above-mentioned open source tools. Still, the effectiveness of IDS solutions relies heavily on the capacity of a company to write relevant rules, and to analyze customer architecture and needs. The analysis of vendor solutions below results from an assessment carried out by Airbus Defence and Space Cybersecurity based on an analysis of product documentation and vendor questionnaires.
1.1 Appendix C.1: Signature-based IDS
Most signature-based IDS are originally designed for IT security. The following three products have been shortlisted for their applicability to ICS/SCADA environments. Many other IDS exist on the market which, however, do not equally match the specific requirements of OT environments.
- Cisco IPS, Firepower, is a signature-based and agent-less solution that embeds SCADA-related rulesets. The IPS uses deep packet inspection (DPI) to detect attacks. The detection process starts by normalizing received packets and continues with parallel inspection at various levels (e.g., IP headers, TCP payloads). Signatures are built from vulnerability bulletins, provided an exploit is known. More than 35,000 vulnerability-focused rules are available. As an IPS, Firepower manages a prevention policy and especially one dedicated to industrial protocols (e.g., Modbus, ICCP).
- Fortinet proposes an IPS solution embedded in its firewall offer, FortiGate. There is a specific range adapted to industrial environments, meaning appliances are designed to resist temperature constraints (very low, very high, variations), vibrations, etc. Additionally, Fortinet proposes a range of security solutions such as switches, web analyzers and central managers for industry-focused cyber security. FortiGate IPS is a signature-based IPS. It supports BACnet, DLMS/COSEM, DNP3, EtherCAT, ICCP, IEC-60870.5.104, Modbus/TCP, OPC, PROFINET. A combination of Fortinet and Nozomi solutions extends this list and provides anomaly detection capacity.
- Leidos Industrial Defender ASM is a US solution, owned by Leidos. It is a cyber security solution that includes asset discovery and management, compliance monitoring, reporting and security event monitoring. The solution relies on a three-tier architecture with a manager (ASM), local appliances (ASA) and a signature-based NIDS. In terms of protocols, the NIDS supports Modbus, TCP, DNP3, Profibus, ODVA Ethernet/IP, and ICCP, and generates alarms that are sent to the ASM for logging and diagnosis. The amount of available rules makes it very likely that the NIDS is an overlay of an existing NIDS (such as Snort). However, Leidos mentions that they create specific rules from typical ICS attacks. Even if the solution is very promising with its exhaustive approach, it is closely linked with the US government, which may be a reason for it to be rejected for monitoring of critical infrastructures in Europe.
1.2 Appendix C.2: Anomaly-based IDS
Because state of the art ICS are so predictable in their behavior and employ specific and simple protocols, most existing OT IDS rely on anomaly detection. The following are examples selected among the most well-known anomaly-based industrial security products.
- Claroty is an Israeli company founded in 2016, with headquarters in the US and research and development staff based in Israel. Claroty proposes a set of components fully dedicated to cyber security of industrial networks. Within their OT security platform, the Enterprise Management component collects events from the monitoring virtual appliance to build dashboards and send alert data to external systems such as SIEMs, log managers and ticket request systems. The network anomaly-based detection (deterministic and behavioural models) is performed in a passive mode with DPI, using a span port (no agents) or connecting to sensors on serial networks. Both serial and Ethernet networks can be monitored. Raised events are linked to assets (e.g., PLCs, HMIs) modelled in Claroty’s knowledge base. Along with the network intrusion detection, Claroty provides change monitoring based on commands observed on the network. A large range of IT and OT protocols are supported. Focusing on industrial protocols: Modbus, Siemens S7/S7-Plus, Siemens P2, EtherNet/IP + CIP, PCCC/CPSv4, GE SRTP, VNet/IP, Emerson Ovation DCS protocols, Emerson DeltaV DCS protocols, Melsec/Melsoft, FTE, ABB 800xA DCS protocols, MMS (including ABB extension), Sattbus, OPC DA/AE/UA, IEC104, DNP3, Profinet-DCP, and Bacnet.
- Indegy: founded in 2014, Indegy is an Israeli company. Indegy provides an ICS Cyber Security Platform that detects changes to controller logic, configuration, firmware and state. The anomaly-based Indegy IDS includes a DPI (Deep Packet Inspection) engine that focuses on control-layer events. The full list of supported protocols is not publicly available: only Modbus and DNP3 are mentioned. Even if not detailed, the approach is based on technical asset discovery (devices, configuration and state) and addresses multi-site contexts. Sensors are deployed on sites, and the analysis is made at a single point by a centralized analyzer.
- SecurityMatters is a Dutch company founded in 2009 that develops the SilentDefense solution, a hybrid IDS. This solution provides automatic discovery of assets and network flows. This information is used by the anomaly-based engine. The SilentDefense DPI engine comes with more than 800 rules. It detects cyber attacks and network misconfiguration. The solution supports many ICS and IT protocols. Focusing on industrial protocols (excluding proprietary protocols): BACnet, DNP3, EtherNet/IP + CIP, Foundation Fieldbus HSE, IEC 60870-5-101/104, ICCP TASE.2, IEC 61850 (MMS, GOOSE, SV), IEEE C37.118 (Synchrophasor), Modbus/TCP, OPC-DA, OPC-AE, PROFINET (RPC, RTC, RTA, DCP and PTCP). The SilentDefense architecture is based on sensors connected to the SPAN/mirroring port of network switches, and a Command Center that performs a central analysis, provides visualizations and connects to external systems such as a SIEM.
- Sentryo is a French company founded in 2014. ICS CyberVision is the solution developed by Sentryo. It includes asset inventory and network analysis through a DPI engine. Sentryo CyberVision supports a wide range of industrial protocols and the main IT protocols. Focusing on industrial protocols: Modbus, OPC-DA/UA, IEC 61850, EtherNet/IP + CIP, PROFINET and Siemens S7. Sentryo performed a PoC on a railway infrastructure use case with a railway-related manufacturer, specifically on signalling and control-command. They added support for specific protocols from this manufacturer and implemented some threat scenarios (no details provided on these scenarios).
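The argument that opens this section, that predictable ICS traffic over simple protocols lends itself to anomaly detection, can be illustrated with a learn-then-compare baseline over Modbus/TCP requests. This is an added example, not code from the paper and not the algorithm of any product listed above; the class and function names, the IP addresses and the sample requests are constructed for illustration.

```python
import struct

WRITE_CODES = {5, 6, 15, 16, 22, 23}   # Modbus function codes that modify device state

def parse_request(payload):
    """Return (unit id, function code) from a Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:                 # 7-byte MBAP header + function code
        return None
    _tid, proto_id, length, unit = struct.unpack_from("!HHHB", payload, 0)
    if proto_id != 0 or length != len(payload) - 6:
        return None                      # protocol id is 0; length counts bytes after it
    return unit, payload[7]

class ModbusBaseline:
    """Learns who talks to whom and with which function codes, then flags deviations."""

    def __init__(self):
        self.sessions = set()            # (client, server) pairs seen while learning
        self.operations = set()          # (client, server, unit, function code)

    def learn(self, client, server, payload):
        parsed = parse_request(payload)
        if parsed:
            self.sessions.add((client, server))
            self.operations.add((client, server) + parsed)

    def check(self, client, server, payload):
        """Return a list of alerts for one observed request (empty if it fits the baseline)."""
        parsed = parse_request(payload)
        if parsed is None:
            return ["malformed Modbus/TCP frame from %s" % client]
        if (client, server) not in self.sessions:
            return ["new session %s -> %s" % (client, server)]
        if (client, server) + parsed not in self.operations:
            unit, fc = parsed
            kind = "write" if fc in WRITE_CODES else "non-write"
            return ["unseen %s function code %d from %s to %s unit %d"
                    % (kind, fc, client, server, unit)]
        return []

def request(tid, unit, fc, addr, value):
    """Constructed sample request with a 4-byte data field (address + count or value)."""
    return struct.pack("!HHHBBHH", tid, 0, 6, unit, fc, addr, value)

if __name__ == "__main__":
    hmi, plc, other = "10.0.0.5", "10.0.0.20", "10.0.0.99"   # constructed addresses
    baseline = ModbusBaseline()
    baseline.learn(hmi, plc, request(1, 1, 3, 0, 10))        # HMI polls holding registers
    print(baseline.check(hmi, plc, request(2, 1, 3, 0, 10)))  # fits the baseline
    print(baseline.check(hmi, plc, request(3, 1, 6, 0, 1234)))  # write never seen before
    print(baseline.check(other, plc, request(4, 1, 3, 0, 10)))  # unknown station
```

A baseline of this kind is only as good as its learning window: anything malicious or rare-but-legitimate (maintenance writes, for instance) that occurs or fails to occur during learning is reflected in later alerts.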
1.3 Appendix C.3: Hybrid IDS
The following IDS products typically mix signature-based and anomaly-based approaches in an attempt to gather the advantages of both detection techniques.
Cyberbit: founded in 2015, Cyberbit is an Israeli company, vendor of the SCADAShield and EDR solutions. The offering is very close to the one from Claroty: intrusion detection, change monitoring, asset discovery and SIEM interface. Detection capabilities include deep packet inspection (DPI), whose results are used in the investigation phase. The EDR detection engine is not described in much detail. Cyberbit mentions an automated blacklisting and white-listing capability to detect abnormal situations.
Cypres: this French solution comes from a research project funded by the EU, led by FPC Ingénierie together with Netceler, two SMEs specialized in industrial automation, software development and cyber security. This non-intrusive solution is dedicated to ICS/SCADA networks. Intrusions are detected by rule-based IDS probes. Cypres probes can also detect non-legitimate machines and protocols. Rules are contextualized, meaning they take the system state and ongoing operations into consideration. Contexts are acquired through a learning process. Another type of rule is based on a heuristic engine that checks anomalies of processes, depending on the replicability of the process controls. The project is still ongoing. Since this solution has been deployed in the frame of proof of concept (PoC) only, it probably lacks maturity. However, no PoC has been performed on the railway domain so far.
Nozomi: Nozomi is a Swiss company founded in 2013, with headquarters in the USA. Nozomi is the vendor of the SCADAGuardian solution. This solution includes a network IDS, a process anomaly detection system and a cyber risk evaluation system. The IDS relies on a signature-based DPI engine. The solution is designed to address multi-site security monitoring and includes a Central Management Console (CMC) to aggregate from multiple sites and centralize the cyber security awareness. The solution supports many ICS and IT protocols. Focusing on industrial protocols: Aspentech Cim/IO, BACNet, Beckhoff ADS, BSAP IP, CEI 79-5/2-3, COT P, DNP3, Enron Modbus, EtherCAT, EtherNet/IP - CIP, Foundation Fieldbus, Generic MMS, GOOSE, Honeywell, IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5), IEC 60870-5-104, IEC-61850 (MMS, GOOSE, SV), IEC DLMS/COSEM, ICCP, Modbus/TCP, MQTT, OPC, PI-Connect, Profinet/DCP, Profinet/I-O CM, Profinet/RT, Sercos III, Siemens S7, Vnet/IP. Nozomi provides an SDK that enables a customer to extend support for new protocols. SCADAShield comes in more than 10 appliance versions (physical or virtual). It is worth mentioning that the technical documentation publicly available on SCADAShield is very detailed and clear, which is usually not the case for its competitors.
Radiflow: Radiflow is an Israeli company founded in 2009. The solution developed by Radiflow for SCADA networks is iSID. The iSID solution embeds an anomaly-based detection engine. The change monitoring process relies on knowledge of the existing assets along with the protocols and sessions in use. To get this knowledge, an asset topology discovery capacity has been implemented. The learning process makes the iSID solution able to detect any change in the network topology such as new sessions. A DPI system relying on a set of rules analyses the network traffic to detect any policy violations. The list of supported protocols is not publicly available. Some papers and datasheets mention: Modbus, DNP3, IEC-104 and 61850. The iSID solution also manages vulnerabilities by both active and passive scans. Their signature-based Cyber Attack module then uses this information to detect any vulnerability exploitation by an attacker. Incident response is managed through an interface with the Radiflow security gateway: iSID is able to push policy modifications into the Radiflow security gateway.
1.4 Appendix C.4: Synthesis
The table below summarizes the characteristics of the IDS solutions described in the previous sections. No solutions have been evaluated in a testbed. That is why there is no information about their performance and reliability. The performance metrics provided by the vendors are not considered relevant for an objective comparison. Detection rates and false positive rates depend heavily on the data sets used for evaluation and on the training method (in the case of ML-based detection) or the human experts involved in rule editing (in the case of misuse detection). To date there is not any agreed international standard for assessment of detection performance. Existing certification frameworks for IDS focus on assessing the protective functions. While such a technical assessment would surely be of interest, it would require significant resources and the cooperation of product vendors.
Bécue, A., Praça, I. & Gama, J. Artificial intelligence, cyber-threats and Industry 4.0: challenges and opportunities. Artif Intell Rev 54, 3849–3886 (2021). https://doi.org/10.1007/s10462-020-09942-2