Current cyber-defense trends in industrial control systems
Introduction
Critical infrastructures such as nuclear plants or power grids have their production cycle managed by industrial control systems, such as SCADA (Supervisory Control and Data Acquisition) systems. These industrial networks comprise a wide range of devices, such as sensors, PLCs (Programmable Logic Controllers) and RTUs (Remote Terminal Units), that gather real-time data about the production chain and issue control commands accordingly, so that the entire process can be regulated remotely.
Traditionally, SCADA systems and industrial networks worked in isolation for decades, since all the aforementioned devices ran proprietary communication protocols in a closed environment. Nowadays, however, they are being interconnected to external networks (e.g., the Internet) for the outsourcing of services and the storage of data. Among the reasons for this trend are the decrease in costs and the standardization of the hardware and software used in industrial control systems (ICS): industrial communication protocols that run over Ethernet and TCP/IP, such as Ethernet/IP, Ethernet POWERLINK, CANopen, PROFINET, Modbus/TCP or HART/IP, as well as fieldbus protocols (e.g., HART, WirelessHART, EtherCAT, IO-Link). Additionally, there are other protocols designed for the management and control of all industrial equipment, such as CIP or OPC UA. As a result of this evolution, the complexity of communication infrastructures in ICS is increasing dramatically. However, this is just the beginning: new paradigms like IoT (Internet of Things) or Cloud computing are also being integrated into current industrial environments, giving shape to the so-called Industry 4.0 (Khan and Turowski, 2016). Under this concept, all industrial entities are able to collaborate with each other so as to take real-time decisions in a distributed way, enabling the deployment of innovative industrial services of all kinds.
Consequently, this modernization of industry through the introduction of IT technologies is coupled with a substantial increase in security risks (Xu et al., 2014), driven by new specific threats that operate under different threat modes (Cazorla et al., 2016) and have not been addressed before. As a result, an industrial system becomes complex and critical, besieged by multiple attack vectors that can ultimately be leveraged to perpetrate an Advanced Persistent Threat (APT) (Chen, Desmet, Huygens, 2014; Singh, Sharma, Moon, Moon, Park, 2016). An APT is a sophisticated attack perpetrated by an expert adversary, characterized by its ability to remain undetected within the victim network for a certain period of time. Due to the complexity of these attacks, which involve several steps, and the high number of successful APT campaigns perpetrated by malicious actors (Lemay et al., 2018), it is crucial to understand the true scope and detection capabilities of the first line of defense, that is, existing Intrusion Detection Systems (IDS).
This article is an extended version of the conference paper (Rubio et al., 2017a). It explores the existing techniques and mechanisms that try to detect specific threat vectors within an industrial context, with emphasis on the special case of APTs but without losing sight of future industrial paradigms. The remainder of this article is organized as follows: Section 2 highlights the threats to which control systems are exposed today. Taking into account this landscape, Section 3 addresses the search for defense techniques against APTs, especially intrusion detection systems. Solutions from both industry and academia are presented in Sections 4 and 5, respectively. Finally, Section 6 discusses the application of these mechanisms in practice, and the conclusions drawn are presented in Section 7.
Cybersecurity threats
After several years of being subject to a multitude of threats (Symantec, 2012), today’s industry is still at risk. According to the annual reports of ICS-CERT (ICS-CERT, 2016), IBM® X-Force® Research (IBM® X-Force® Research, 2016), and Sikich (2016), the number of threats has tended to rise annually in the manufacturing industry, either because of unforeseen occurrences or through planned actions. Irrespective of the causes, the consequences affect the normal performance of control and
Defense techniques
Due to the variety of attack vectors that an APT exposes, multiple security solutions must be combined at different levels. In this sense, Intrusion Detection Systems (IDS) pose the first line of defense, as they detect unauthorized access to the network or one of its systems, monitoring its resources and the traffic generated in search of behaviors that violate the security policy established in the production process.
There are many methods for performing intrusion detection. One possibility
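The description above of an IDS that monitors traffic for behaviours violating the production security policy can be made concrete with a small specification-based check over Modbus/TCP, one of the protocols named in the introduction. The following is an added example, not code from the paper or from any product it surveys; the site policy (a single HMI allowed to issue read-only function codes, a request budget per monitoring window) and the traffic window are constructed for illustration, and the frame layout follows the public Modbus/TCP MBAP header (transaction id, protocol id 0, length, unit id, then the PDU). It flags four policy violations that such an IDS would typically report: an unauthorized master, a write from a read-only master, a malformed frame, and a request flood against the availability of a device.

```python
import struct
from collections import Counter

# Public Modbus function codes used in this example.
FC_READ_HOLDING = 3
FC_READ_INPUT = 4
FC_WRITE_COIL = 5
FC_WRITE_REGISTER = 6


def build_frame(tid, unit, fc, payload=b""):
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol id 0, length, unit id) + PDU."""
    length = 2 + len(payload)  # unit id + function code + data bytes, per the MBAP spec
    return struct.pack(">HHHB", tid, 0, length, unit) + bytes([fc]) + payload


def parse_frame(raw):
    """Parse and sanity-check the MBAP header; raise ValueError on a malformed frame."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(raw) - 6}")
    return {"tid": tid, "unit": unit, "fc": raw[7], "data": raw[8:]}


# Assumed site security policy (constructed for this example, not from the paper).
POLICY = {
    "allowed_masters": {"10.0.0.10"},                                   # the HMI is the only master
    "allowed_fcs": {"10.0.0.10": {FC_READ_HOLDING, FC_READ_INPUT}},    # the HMI may only read
    "max_requests_per_source": 5,                                       # per monitoring window
}


def inspect(frames, policy):
    """Return (source, alert_kind, detail) tuples for every policy violation in a window."""
    alerts = []
    seen = Counter()
    for src, raw in frames:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            alerts.append((src, "malformed_frame", str(exc)))
            continue
        fc = frame["fc"]
        if src not in policy["allowed_masters"]:
            alerts.append((src, "unauthorized_master", fc))
        elif fc not in policy["allowed_fcs"][src]:
            alerts.append((src, "unauthorized_function", fc))
        seen[src] += 1
        # Availability check: alert once when a source exceeds its request budget.
        if seen[src] == policy["max_requests_per_source"] + 1:
            alerts.append((src, "request_flood", seen[src]))
    return alerts


def sample_window():
    """Constructed traffic window: (source IP, raw Modbus/TCP frame) pairs."""
    read_regs = struct.pack(">HH", 0x0000, 10)  # start address 0, 10 registers
    window = [("10.0.0.10", build_frame(i, 1, FC_READ_HOLDING, read_regs)) for i in range(1, 7)]
    # The read-only HMI attempts a register write.
    window.append(("10.0.0.10", build_frame(7, 1, FC_WRITE_REGISTER, struct.pack(">HH", 0x0010, 0xFFFF))))
    # An unknown host attempts a coil write.
    window.append(("10.0.0.99", build_frame(8, 1, FC_WRITE_COIL, struct.pack(">HH", 0x0001, 0xFF00))))
    # A frame whose protocol id field is corrupted (bytes 2..3 of the MBAP header).
    bad = bytearray(build_frame(9, 1, FC_READ_INPUT, read_regs))
    bad[2:4] = b"\x00\x07"
    window.append(("10.0.0.10", bytes(bad)))
    return window


if __name__ == "__main__":
    for alert in inspect(sample_window(), POLICY):
        print(alert)
```

Run stand-alone, the script prints one alert per violation: the sixth read from the HMI trips the flood threshold, the HMI write is an unauthorized function, the write from 10.0.0.99 is an unauthorized master, and the corrupted frame is reported as malformed. A production IDS would derive the policy from the engineering specification of the plant rather than hard-code it, and would key the budget on a sliding time window rather than a fixed batch.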
Industrial IDS products
At present, there are various commercial solutions whose goal is to provide protection mechanisms that can deter the attacks caused by APT actors. Such protection mechanisms not only include the detection mechanisms described in Section 3, but also other solutions such as enhancing user awareness, separating the industrial network into various protected zones, and analyzing the configuration of the system. Most of these solutions are passive (i.e. do not affect the operation of the system),
Academic research
As it is crucial to protect industrial control infrastructures against all kinds of attacks, including advanced persistent threats, academia has paid special attention to the development of intrusion detection systems for this particular context. In these systems, all the defense mechanisms described in Section 3 have been integrated to some extent, trying to cover all the elements of an industrial control network: field devices, the interactions between the control network and field
Intrusion detection and existing threats
In an industrial control ecosystem, and due to the diversity of devices and protocols, there is no single ‘silver bullet’ that can address all potential threats described in Section 2. Yet it might be possible to combine various solutions to provide an adequate level of protection against all kinds of attacks, including APTs. The state of the art described in previous sections has shown that it is possible to detect threats against the availability of the system by detecting malicious network
Conclusions
There has been significant progress in the development of intrusion detection techniques for industrial ecosystems in recent years. Not only are there commercially available products that integrate advanced solutions such as honeypot systems and information correlation systems, but there are also novel detection mechanisms and architectures developed in academia. There are still various areas that need further research, such as the applicability and integration of proactive defense
Declarations of interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This work has been funded by the Spanish Ministry of Economy, Industry and Competitiveness through the SADCIP (RTC-2016-4847-8) and SMOG (TIN2016-79095-C2-1-R) projects. The work of the first author has been partially financed by the Spanish Ministry of Education under the FPU program (FPU15/03213).
References (105)
- et al. A security analysis for wireless sensor mesh networks in highly critical systems. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. (2010)
- AlertEnterprise. Sentry CyberSCADA. http://www.alertenterprise.com/products-EnterpriseSentryCybersecuritySCADA.php...
- AlgoSec. AlgoSec Security Policy Management Solution. https://www.algosec.com/ [Online; Accessed May 2018];...
- et al. Detection of attacks based on known vulnerabilities in industrial networked systems. J. Inf. Secur. Appl. (2017)
- et al. Orpheus: Enforcing Cyber-Physical Execution Semantics to Defend Against Data-Oriented Attacks. Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC’17) (2017)
- Halo Digital. Halo Vision. https://www.halo-digital.com/ [Online; Accessed May 2018];...
- et al. Timing-based Anomaly Detection in SCADA Networks. Proceedings of the 12th International Conference on Critical Information Infrastructures Security (CRITIS’17) (2017)
- et al. Monitoring security of networked control systems: It’s the physics. IEEE Secur. Privacy (2014)
- et al. Structural controllability of multi-agent networks: Robustness against simultaneous failures. Automatica (2013)
- et al. Security and privacy challenges in industrial internet of things. Proceedings of the 52nd Annual Design Automation Conference (2015)
- Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile. Proceedings of the IEEE European Symposium on Security and Privacy Workshops (EuroS&PW’17)
- Integrated Protection of Industrial Control Systems from Cyber-attacks: the ATENA Approach. Int. J. Crit. Infrast. Protect.
- Cyber-physical systems for wide-area situational awareness. Proceedings of the Cyber-Physical Systems: Foundations, Principles and Applications
- Analysis of requirements for critical control systems. Int. J. Crit. Infrast. Protect. (IJCIP)
- Critical infrastructure protection: Requirements and challenges for the 21st century. Int. J. Crit. Infrast. Protect. (IJCIP)
- Towards a CDS-based Intrusion Detection Deployment Scheme for Securing Industrial Wireless Sensor Networks. Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES)
- Intrusion detection and prevention system: Issues and challenges. Int. J. Comput. Appl.
- Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutor.
- Technical Analysis of Advanced Threat Tactics Targeting Critical Information Infrastructure. Technical Report
- Specification mining for intrusion detection in networked control systems. Proceedings of the 25th USENIX Security Symposium
- Awareness and reaction strategies for critical infrastructure protection. Comput. Electr. Eng.
- Cyber stealth attacks in critical information infrastructures. IEEE Syst. J.
- A study on advanced persistent threats. Proceedings of the IFIP International Conference on Communications and Multimedia Security
- Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol. Proceedings of the Workshop on Cyber-Physical Systems Security and PrivaCy (CPS’17)
- Detecting PLC control corruption via on-device runtime verification. Proceedings of the Resilience Week (RWS)
- State-aware anomaly detection for industrial control systems. Proceedings of the Security Track at the ACM Symposium on Applied Computing (SAC’18)
- HAMIDS: Hierarchical monitoring intrusion detection system for industrial control systems. Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC’16)
- Accurate modeling of MODBUS/TCP for intrusion detection in SCADA systems. Int. J. Crit. Infrast. Protect.
- Taxonomy of anomaly based intrusion detection system: a review. Int. J. Sci. Res. Publ.
- Intelligent electronic devices with collaborative intrusion detection systems. IEEE Trans. Smart Grid
Cited by (85)
- Statistical knowledge and game-theoretic integrated model for cross-layer impact assessment in industrial cyber-physical systems. 2024, Advanced Engineering Informatics
- Software-Defined Networking approaches for intrusion response in Industrial Control Systems: A survey. 2023, International Journal of Critical Infrastructure Protection
- A novel bi-anomaly-based intrusion detection system approach for industry 4.0. 2023, Future Generation Computer Systems
- Digital twin-enabled automated anomaly detection and bottleneck identification in complex manufacturing systems using a multi-agent approach. 2023, Journal of Manufacturing Systems
Juan Enrique is a PhD student at the University of Malaga, who receives funds from the Spanish Ministry of Education under the FPU program. He obtained the Bachelor's degree in Computer Science in 2014 and the Master's Degree in Computer Science in 2016, both with distinction by the same University. He has been a collaborator in the Department of Computer Science since 2013, and his research activities are focused on the protection of critical infrastructures and the analysis of cybersecurity threats that arise with the paradigm of Industry 4.0 and the concept of Industrial Internet of Things.
Cristina Alcaraz is an assistant professor in the Computer Science Department at the University of Malaga and received her Ph.D. in computer science from the same University in 2011. She was a guest researcher at NIST (2011–2012) and a visiting postdoctoral researcher at Royal Holloway (2012–2014) under a Marie-Curie fellowship. She is involved in European and national research projects, focusing on topics related to the security of SCADA and cyber-physical systems, Industry 4.0, and smart grids.
Rodrigo Roman is an assistant professor at the University of Malaga (Spain), where he obtained his Ph.D. and M.Sc. degrees in Computer Engineering and Computer Science, respectively, in 2008 and 2003. Previously, he worked for the Institute of Infocomm Research (I2R) in Singapore in the areas of sensor network security and cloud security. Pursuing to make security simple and usable, his research is focused on the development of protection mechanisms for the Internet of Things and related paradigms.
Javier Lopez is Full Professor in the Computer Science Department at the University of Malaga, and Head of the NICS Lab research group. His research activities are mainly focused on information security, future Internet security, and critical infrastructure protection, and he has led several international research projects in those areas. Prof. Lopez is Co-Editor in Chief of the IJIS journal and an editorial board member of other international journals.