A Process-Oriented Intrusion Detection Method for Industrial Control Systems

We have developed a process-oriented method for intrusion detection for use on Industrial Control System (ICS) networks. Network traffic from an ICS has a much lower volume than that from a typical IT enterprise network, and the traffic is much more regular (periodic) and predictable. Most intrusion detection systems for ICSs require additional capabilities. ICS network traffic is relatively predictable and regular and anomaly-based intrusion detection methods have been shown in the literature to work reasonably well. We use anomaly-based methods as one line of defense. We propose to strengthen ICS intrusion detection methods by adding two process-oriented alerting methods. Unlike most anomaly detection methods, these two methods are not configured solely by a network engineer based on inspection of network traffic. We utilize Critical Process Variables, which are defined by the plant operators themselves. The advantage is that the plant operators have the best knowledge of the critical assets of their system. Limiting values of the Critical Process Variables are defined collaboratively by the plant operator and the network security engineer. A network sensor then alerts a Human Analyst when Critical Process Variables values exceed the defined ranges. We also introduce a third method, which employs Process Network Parameter Metrics, which are also defined collaboratively with the plant operator. Process Network Parameter Metrics are pre-defined measurements from network traffic that may indicate that either process components are missing or there is additional traffic present that the process should not normally produce. After initial discussions with the plant operator, the network security engineer designs network models and metrics with appropriate alerting functions in the network sensor. Alerts from Process Network Parameter Metrics may not indicate a critical security incident as Critical Process Variables would, but they may provide an important warning that suspicious behavior is present.