Taxonomy of IDSs
In this news alert SIS discusses the future of Intrusion Detection Systems (IDSs) for Industrial Control Systems (ICSs). You will gain an insight into today’s academic research, which will likely become tomorrow’s practice, helping you to secure your control system environment.
When it comes to designing an IDS, two main approaches exist: signature-based and anomaly-based. Signature-based approaches inspect network traffic and look for an explicit match against a pre-defined pattern or ‘signature’. Anomaly-based IDSs, on the other hand, check for deviation from the expected behaviour of the system.
Choosing the right strategy for designing and selecting an IDS
Signature-based IDSs have been shown to detect typical attacks such as password cracking and DoS (denial of service) in a simulated IEC61850 environment (Premaratne and colleagues, 2010), yet in principle they are not designed to detect zero-days, since by definition there is no signature available for a zero-day attack. Anomaly-based IDSs, on the other hand, seek to model the ICS operation by defining the normal behaviour of the system's inputs and outputs and raising an alarm when the observed pattern is perceived to be anomalous. This approach yields a great benefit: zero-days can be discovered.
While writing signatures can be difficult, modelling the control system accurately may also require great theoretical or empirical effort, and the accuracy and performance of an anomaly-based IDS depend directly on the accuracy of this model. In the corporate world it is extremely difficult to model normal behaviour, but in a control system the behaviour is more or less bounded, so modelling it seems plausible, as noted by Cheminod et al. (2013). Exemplary work by Cárdenas et al. (2011) points to the benefits and challenges involved in developing an anomaly-based IDS for ICS.
Challenges and benefits for designing anomaly-based IDSs
- Accurate modelling of the control system: building a model is quite costly in terms of the time and resources required. The model may also be specific to a set of control systems and not apply to all of them, which makes the IDS applicable only to certain industries.
- Handling of false positives: it is almost impossible to design an IDS with no false positives, and it is the number of false positives generated by the IDS that may make its practical use infeasible from an operational perspective.
- Performance: While in-line security appliances may impact ICS performance, IDSs can be configured to passively monitor traffic using mirrored ports such that performance is not affected, thus making them more suitable for ICS environments.
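To make the two approaches and the trade-offs above concrete, here is an added example (not code from SIS or from any of the works cited) that runs a signature check and a model-based anomaly detector side by side over a constructed tank-level telemetry stream. The tank model, the command strings, the flow constants and the non-parametric CUSUM residual test are all assumptions made for the illustration; the stream contains a known-bad write (caught only by the signature), a legitimate manual drain the model does not know about (an anomaly false positive) and a replayed stale sensor value with no signature (a zero-day caught only by the anomaly detector).

```python
from collections import namedtuple

Record = namedtuple("Record", "t cmd level")  # time step, command seen, reported level

# Signature-based IDS: explicit match against a known-bad pattern (constructed).
SIGNATURES = {"WRITE_COIL pump=ON valve=CLOSED"}

# Anomaly-based IDS: a simple model of normal plant behaviour (constructed).
INFLOW, OUTFLOW = 2.0, 1.0   # level change per step with the pump on / off

def signature_alerts(records):
    """Flag only records whose command matches a known signature."""
    return [r.t for r in records if r.cmd in SIGNATURES]

def predict_level(prev_level, pump_on):
    """Expected next level under the normal-behaviour model."""
    return prev_level + INFLOW if pump_on else prev_level - OUTFLOW

def anomaly_alerts(records, drift=0.5, threshold=3.0):
    """Accumulate the residual between modelled and reported level (non-parametric
    CUSUM); `drift` absorbs small benign error, `threshold` trades delay vs. false positives."""
    alerts, stat, pump_on = [], 0.0, False
    for prev, cur in zip(records, records[1:]):
        if "pump=ON" in prev.cmd:
            pump_on = True
        elif "pump=OFF" in prev.cmd:
            pump_on = False
        residual = abs(cur.level - predict_level(prev.level, pump_on))
        stat = max(0.0, stat + residual - drift)
        if stat > threshold:
            alerts.append(cur.t)
            stat = 0.0
    return alerts

# Constructed stream: t=3 carries a known-bad write (signature hit); t=6..8 is a
# legitimate manual drain the model does not know about (false positive);
# t=11..13 replays a stale sensor value while the pump fills the tank (zero-day).
TELEMETRY = [Record(t, cmd, lvl) for t, (cmd, lvl) in enumerate([
    ("WRITE_COIL pump=ON", 10.0), ("NOOP", 12.0), ("NOOP", 14.0),
    ("WRITE_COIL pump=ON valve=CLOSED", 16.0), ("WRITE_COIL pump=OFF", 18.0),
    ("NOOP", 17.0), ("NOOP", 14.0), ("NOOP", 11.0), ("NOOP", 8.0),
    ("WRITE_COIL pump=ON", 7.0), ("NOOP", 9.0), ("NOOP", 9.0), ("NOOP", 9.0), ("NOOP", 9.0),
])]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(TELEMETRY))  # [3]
    print("anomaly alerts:  ", anomaly_alerts(TELEMETRY))    # [8, 13]
```

Raising `threshold` or `drift` suppresses the false positive at t=8 but delays (or hides) the replay at t=13, which is the modelling-accuracy versus false-positive tension the list above describes.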
What is the next step?
As part of a defence-in-depth strategy, incorporating an IDS at the field level seems to be a fruitful strategy. Yet current research suggests that more work is needed before a practical IDS intended to detect zero-day attacks can be implemented and deployed at the plant level.
Academics, researchers, vendors, and sponsors should work together to develop IDSs specific to control systems in order to increase the resiliency of ICS against advanced cyber threats. Meanwhile, compensating controls are a great way of dealing with the insecurity of the legacy devices commonly found in control systems. A pragmatic approach to dealing with zero-day attacks is to embed risk assessment in the overall security strategy of ICS management and to develop security response capabilities in order to increase the resiliency of the system.
References below provide further details on current research on intrusion detection systems for ICS.
Cárdenas A., Amin S., Lin Z., Huang Y., Huang C., & Sastry S. (2011). Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 355-366.
Cheminod M., Durante L., & Valenzano A. (2013). Review of security issues in industrial networks. IEEE Transactions on Industrial Informatics, 9(1), pp. 277-292. doi: 10.1109/TII.2012.2198666
Premaratne U., Samarabandu J., Sidhu T., Beresh R., & Tan J.-C. (2010). An intrusion detection system for IEC61850 automated substations. IEEE Transactions on Power Delivery, 50(4), pp. 2376-2383.