Last Line of Defense: A Novel IDS Approach Against Advanced Threats in Industrial Control Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)

Abstract

Industrial control systems are becoming increasingly interconnected, and with that their exposure to malicious actors grows. While intrusion detection systems are suited to detecting network-based attacks, they remain unable to detect more sophisticated attacks against control systems, for example a compromise of the PLCs. This paper makes the case that the evolving landscape of threats such as the Stuxnet malware requires an alternative approach to intrusion detection in industrial control systems. We argue that effective control of such advanced threats needs to happen in the last link of the control network, hence building a last line of defense. A proof of concept of this new paradigm was implemented for the control system of a dredging vessel; we describe the main lessons learned and, based on these experiences, pose open research questions for ICS intrusion detection.

Keywords

Cyber physical security, Intrusion detection, Industrial control systems


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Offshore and Dredging Engineering, Delft University of Technology, Delft, The Netherlands
  2. Cybersecurity Group, Delft University of Technology, Delft, The Netherlands
