Elsevier

Computers & Security

Volume 87, November 2019, 101561

Current cyber-defense trends in industrial control systems

https://doi.org/10.1016/j.cose.2019.06.015

Abstract

Advanced Persistent Threats (APTs) have become a serious hazard for any critical infrastructure, as no single solution exists that protects all industrial assets from these complex attacks. It is therefore essential to understand which defense mechanisms can be used as a first line of defense. For this purpose, this article first studies the spectrum of attack vectors that APTs can use against existing and novel elements of an industrial ecosystem. Afterwards, it analyzes the evolution and applicability of the Intrusion Detection Systems (IDS) that have been proposed in both industry and academia.

Introduction

Critical Infrastructures such as nuclear plants or power grids have their production cycle managed by industrial control systems, such as SCADA (Supervisory Control and Data Acquisition) systems. These industrial networks comprise a wide range of devices, such as sensors, PLCs (Programmable Logic Controllers) or RTUs (Remote Terminal Units), that gather real-time data about the production chain and accordingly issue control commands to regulate the entire process remotely.

Traditionally, SCADA systems and industrial networks operated in isolation for decades, since all the aforementioned devices ran proprietary communication protocols in a closed environment. Nowadays, however, they are being interconnected to external networks (e.g., the Internet) to outsource services and store data. Among the reasons for this trend are the decrease in costs and the standardization of the hardware and software used in industrial control systems (ICS): industrial communication protocols that run over Ethernet and TCP/IP, such as Ethernet/IP, Ethernet POWERLINK, CANopen, PROFINET, Modbus/TCP or HART/IP, as well as fieldbus protocols (e.g., HART, WirelessHART, EtherCAT, IO-Link). Additionally, there are other protocols designed for the management and control of all industrial equipment, such as CIP or OPC UA. As a result of this evolution, the complexity of communication infrastructures in ICS is increasing dramatically. However, this is just the beginning: new paradigms like the IoT (Internet of Things) or Cloud computing are also being integrated into current industrial environments, giving shape to the so-called Industry 4.0 (Khan and Turowski, 2016). Under this concept, all industrial entities are able to collaborate with each other so as to take real-time decisions in a distributed way, enabling the deployment of innovative industrial services of all kinds.

Consequently, this modernization of industry through the introduction of IT technologies comes with a substantial increase in security risks (Xu et al., 2014), stemming from new specific threats that operate under different threat modes (Cazorla et al., 2016) and have not been addressed before. As a result, an industrial system becomes complex and critical, besieged by multiple attack vectors that can ultimately be leveraged to perpetrate an Advanced Persistent Threat (APT) (Chen, Desmet, Huygens, 2014, Singh, Sharma, Moon, Moon, Park, 2016). An APT is a sophisticated attack perpetrated by an expert adversary, characterized by its ability to go undetected within the victim network for a certain period of time. Due to the complexity of these attacks, which involve several steps, and the high number of successful APT campaigns perpetrated by malicious actors (Lemay et al., 2018), it is crucial to understand the true scope and detection capabilities of the first line of defense; that is, existing Intrusion Detection Systems (IDS).

This article is an extended version of the conference paper (Rubio et al., 2017a). It explores the existing techniques and mechanisms that try to detect specific threat vectors within an industrial context, placing emphasis on the special case of APTs without losing sight of future industrial paradigms. The remainder of this article is organized as follows: Section 2 highlights the threats to which control systems are exposed today. Taking this landscape into account, Section 3 addresses the search for defense techniques against APTs, especially intrusion detection systems. Solutions from industry and academia are presented in Sections 4 and 5, respectively. Finally, Section 6 discusses the application of these mechanisms in practice, and the conclusions drawn are presented in Section 7.

Section snippets

Cybersecurity threats

After several years of being subject to a multitude of threats (Symantec, 2012), today’s industry is still at risk. According to the annual reports of ICS-CERT (ICS-CERT, 2016), IBM® X-Force® Research (IBM® X-Force® Research, 2016), and Sikich (2016), the number of threats has tended to rise annually in the manufacturing industry, either because of unforeseen occurrences or through planned actions. Irrespective of the causes, the consequences affect the normal performance of control and

Defense techniques

Due to the variety of attack vectors that an APT exposes, multiple security solutions must be combined at different levels. In this sense, Intrusion Detection Systems (IDS) constitute the first line of defense, as they detect unauthorized access to the network or to one of its systems by monitoring its resources and the traffic it generates in search of behaviors that violate the security policy established for the production process.
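One way to implement the policy-violation monitoring described above for a Modbus/TCP network, as an added example that is not code from the paper: each request's MBAP header and PDU are parsed, and any client, unit id, function code or written register that the plant's policy does not permit raises an alert. The hosts, unit ids and register ranges in the policy, and the sample frames, are constructed assumptions.

```python
import struct

# Constructed plant policy (hypothetical hosts, unit ids, register ranges): which client
# may send which Modbus function codes to which unit, and which holding registers it may write.
POLICY = {
    ("10.0.0.5", 1): {"functions": {3, 4, 6, 16}, "write_regs": range(100, 110)},
    ("10.0.0.6", 1): {"functions": {3, 4}, "write_regs": range(0)},  # read-only HMI
}
WRITE_FUNCS = {5, 6, 15, 16}  # Modbus write function codes

def parse_modbus_tcp(frame):
    """Parse the MBAP header and PDU; return (unit_id, function, start_addr)."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    start = struct.unpack("!H", frame[8:10])[0] if len(frame) >= 10 else None
    return unit, frame[7], start

def check_request(src, frame):
    """Return (src, reason) when a request from src violates POLICY, else None."""
    try:
        unit, func, start = parse_modbus_tcp(frame)
    except ValueError as exc:
        return (src, f"malformed frame: {exc}")
    rule = POLICY.get((src, unit))
    if rule is None:
        return (src, f"no policy for client/unit {unit}")
    if func not in rule["functions"]:
        return (src, f"function code {func} not permitted")
    if func in WRITE_FUNCS and start not in rule["write_regs"]:
        return (src, f"write to register {start} outside permitted range")
    return None

def scan(requests):
    """Run the policy check over (src, frame) pairs and collect the alerts."""
    return [a for a in (check_request(s, f) for s, f in requests) if a]

# Constructed sample traffic: two legitimate requests followed by five violations.
REQUESTS = [
    ("10.0.0.5", bytes.fromhex("000100000006010300640001")),  # read reg 100
    ("10.0.0.5", bytes.fromhex("000200000006010600691234")),  # write reg 105
    ("10.0.0.6", bytes.fromhex("000300000006010600641234")),  # HMI tries to write
    ("10.0.0.5", bytes.fromhex("000400000006010600C81234")),  # write reg 200
    ("10.0.0.5", bytes.fromhex("000500000006010800000000")),  # diagnostics (0x08)
    ("10.0.0.5", bytes.fromhex("000600000006020300640001")),  # unknown unit id 2
    ("10.0.0.5", bytes.fromhex("000700010006010300640001")),  # protocol id != 0
]
```

Calling `scan(REQUESTS)` yields one alert per violating frame; a passive deployment would feed it from a mirrored port rather than sitting inline.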

There are many methods for performing intrusion detection. One possibility

Industrial IDS products

At present, there are various commercial solutions whose goal is to provide protection mechanisms that can deter the attacks caused by APT actors. Such protection mechanisms not only include the detection mechanisms described in Section 3, but also other solutions such as enhancing user awareness, separating the industrial network into various protected zones, and analyzing the configuration of the system. Most of these solutions are passive (i.e. do not affect the operation of the system),

Academic research

As it is crucial to protect industrial control infrastructures against all kinds of attacks, including advanced persistent threats, academia has paid special attention to the development of intrusion detection systems for this particular context. In these systems, all the defense mechanisms described in Section 3 have been integrated to some extent, trying to cover all the elements of an industrial control network: field devices, the interactions between the control network and field

Intrusion detection and existing threats

In an industrial control ecosystem, and due to the diversity of devices and protocols, there is no single ‘silver bullet’ that can address all potential threats described in Section 2. Yet it might be possible to combine various solutions to provide an adequate level of protection against all kinds of attacks, including APTs. The state of the art described in previous sections has shown that it is possible to detect threats against the availability of the system by detecting malicious network

Conclusions

There has been significant progress in the development of intrusion detection techniques for industrial ecosystems in recent years. Not only are there commercially available products that integrate advanced solutions such as honeypot systems and information correlation systems, but there are also novel detection mechanisms and architectures developed in academia. There are still various areas that need further research, such as the applicability and integration of proactive defense

Declarations of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work has been funded by the Spanish Ministry of Economy, Industry and Competitiveness through the SADCIP (RTC-2016-4847-8) and SMOG (TIN2016-79095-C2-1-R) projects. The work of the first author has been partially financed by the Spanish Ministry of Education under the FPU program (FPU15/03213).


References (105)

  • A. Terai et al. Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile. Proceedings of the IEEE European Symposium on Security and Privacy Workshops (EuroS&PW'17) (2017)
  • WurldTech (GE). OPShield. https://www.ge.com/digital/cyber-security [Online; Accessed May 2018];...
  • F. Adamsky et al. Integrated Protection of Industrial Control Systems from Cyber-attacks: the ATENA Approach. Int. J. Crit. Infrast. Protect. (2018)
  • Advenica. Security Solutions for Critical Infrastructures. https://advenica.com/ [Online; Accessed May 2018];...
  • C. Alcaraz et al. Cyber-physical systems for wide-area situational awareness. Proceedings of the Cyber-Physical Systems: Foundations, Principles and Applications (2017)
  • C. Alcaraz et al. Analysis of requirements for critical control systems. Int. J. Crit. Infrast. Protect. (IJCIP) (2012)
  • C. Alcaraz et al. Critical infrastructure protection: Requirements and challenges for the 21st century. Int. J. Crit. Infrast. Protect. (IJCIP) (2015)
  • Amenaza Technologies LTD. SecurITree. https://www.amenaza.com [Online; Accessed May 2018];...
  • Attivo Networks. BOTsink. https://attivonetworks.com/product/attivo-botsink/ [Online; Accessed May 2018];...
  • BAE Systems. Data Loss Prevention. https://www.baesystems.com/en/product/data-loss-prevention [Online; Accessed May...
  • L. Bayou et al. Towards a CDS-based Intrusion Detection Deployment Scheme for Securing Industrial Wireless Sensor Networks. Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES) (2016)
  • B.M. Beigh et al. Intrusion detection and prevention system: Issues and challenges. Int. J. Comput. Appl. (2013)
  • M.H. Bhuyan et al. Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutor. (2014)
  • B. Blumbergs. Technical Analysis of Advanced Threat Tactics Targeting Critical Information Infrastructure. Technical Report (2014)
  • M. Caselli et al. Specification mining for intrusion detection in networked control systems. Proceedings of the 25th USENIX Security Symposium (2016)
  • L. Cazorla et al. Awareness and reaction strategies for critical infrastructure protection. Comput. Electr. Eng. (2015)
  • L. Cazorla et al. Cyber stealth attacks in critical information infrastructures. IEEE Syst. J. (2016)
  • P. Chen et al. A study on advanced persistent threats. Proceedings of the IFIP International Conference on Communications and Multimedia Security (2014)
  • CISCO Systems. CISCO: Protecting ICS with Industrial Signatures. https://tools.cisco.com/security/center/ [Online;...
  • Control-See. UCME-OPC. http://www.controlsee.com/u-c-me-opc/ [Online; Accessed May 2018];...
  • Corero. Corero network security. https://www.corero.com [Online; Accessed May 2018];...
  • Cubix. Tippingpoint intrusion prevention system (IPS)....
  • CyberArk. Privileged Account Security Solution. https://www.cyberark.com/products/ [Online; Accessed May 2018];...
  • Cyberbit. SCADAShield. https://www.cyberbit.net/solutions/ics-scada-security-continuity/ [Online; Accessed May 2018];...
  • CyberX. XSense. https://cyberx-labs.com/en/xsense/ [Online; Accessed May 2018];...
  • DarkTrace. Enterprise Immune System. https://www.darktrace.com/technology/#enterprise-immune-system [Online; Accessed...
  • H. Esquivel-Vargas et al. Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol. Proceedings of the Workshop on Cyber-Physical Systems Security and PrivaCy (CPS'17) (2017)
  • FortiNet. FortiGate Enterprise Firewall. https://www.fortinet.com/products/next-generation-firewall.html [Online;...
  • Fox IT. Fox Data Diode. https://www.fox-it.com/datadiode/ [Online; Accessed May 2018];...
  • L. Garcia et al. Detecting PLC control corruption via on-device runtime verification. Proceedings of the Resilience Week (RWS) (2016)
  • H.R. Ghaeini et al. State-aware anomaly detection for industrial control systems. Proceedings of the Security Track at the ACM Symposium on Applied Computing (SAC'18) (2018)
  • H.R. Ghaeini et al. HAMIDS: Hierarchical monitoring intrusion detection system for industrial control systems. Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC'16) (2016)
  • N. Goldenberg et al. Accurate modeling of MODBUS/TCP for intrusion detection in SCADA systems. Int. J. Crit. Infrast. Protect. (2013)
  • M. Gyanchandani et al. Taxonomy of anomaly based intrusion detection system: a review. Int. J. Sci. Res. Publ. (2012)
  • Harman. Harman Shield. https://services.harman.com/solutions/automotive-cybersecurity [Online; Accessed May 2018];...
  • H. Kagermann, J. Helbig, A. Hellinger, W. Wahlster, Recommendations for implementing the strategic initiative industrie...
  • J. Hong et al. Intelligent electronic devices with collaborative intrusion detection systems. IEEE Trans. Smart Grid (2017)
  • IBM® X-Force® Research. Cyber Security Intelligence Index: A survey of the cyber security landscape for financial...
  • ICS-CERT. Overview of Cyber Vulnerabilities. http://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities...
  • ICS2. ICS2 On-Guard. http://ics2.com/product-solution/ [Online; Accessed May 2018];...

Juan Enrique is a PhD student at the University of Malaga, who receives funds from the Spanish Ministry of Education under the FPU program. He obtained the Bachelor's degree in Computer Science in 2014 and the Master's Degree in Computer Science in 2016, both with distinction from the same University. He has been a collaborator in the Department of Computer Science since 2013, and his research activities are focused on the protection of critical infrastructures and the analysis of cybersecurity threats that arise with the paradigm of Industry 4.0 and the concept of the Industrial Internet of Things.

Cristina Alcaraz is an assistant professor in the Computer Science Department at the University of Malaga and received her Ph.D. in computer science from the same University in 2011. She was a guest researcher at NIST (2011-2012) and a visiting postdoctoral researcher at Royal Holloway (2012-2014) under a Marie-Curie fellowship. She is involved in European and national research projects, focusing on topics related to the security of SCADA and cyber-physical systems, Industry 4.0, and smart grids.

Rodrigo Roman is an assistant professor at the University of Malaga (Spain), where he obtained his Ph.D. and M.Sc. degrees in Computer Engineering and Computer Science, respectively, in 2008 and 2003. Previously, he worked for the Institute for Infocomm Research (I2R) in Singapore in the areas of sensor network security and cloud security. Aiming to make security simple and usable, his research is focused on the development of protection mechanisms for the Internet of Things and related paradigms.

Javier Lopez is Full Professor in the Computer Science Department at the University of Malaga, and Head of the NICS Lab research group. His research activities are mainly focused on information security, future Internet security, and critical infrastructure protection, and he has led several international research projects in those areas. Prof. Lopez is Co-Editor in Chief of the IJIS journal and editorial board member of other international journals.
