Towards Practical Integrity Monitoring of Industrial Control Systems

Venice (Italy), 17-20 January 2017

Abstract of this paper:
“Intrusion detection” and “misuse detection” take on a quite different meaning when applied to Industrial Control Systems (ICS). This is because, next to system-based attacks (DDoS, buffer overflows, etc.), ICS operators are particularly afraid of process-based attacks. These are attacks in which the values of system variables are manipulated, putting the integrity of the physical system at stake, with catastrophes as possible consequences. Most systems for the detection of process-based attacks require a definition of a model of the system, which, as we argue below, makes them very impractical for field deployment. Here, we take a different approach and show that it is possible to use learning to discover concrete relationships between different process variables. We argue that process-based attacks would likely alter these relationships and thus be detected by our monitoring system. We have validated our approach on two data sets containing data coming from real utilities in the water and gas domains. Our initial experiments suggest that it is possible to apply our approach while guaranteeing good detection capabilities and few false positives per day.
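A simplified illustration of the idea in the abstract, added here as example code rather than the paper's method or data: a relationship between two process variables is learned from normal telemetry, and later samples that violate it raise an integrity alert. The pump-speed/flow law, the noise bounds, the threshold and the injected manipulation are all constructed assumptions.

```python
import random

# Constructed "normal" telemetry for one relationship: flow_l_per_s ~= a*pump_rpm + b.
# The linear law and the bounded noise are assumptions for illustration only.
def make_normal_samples(n, seed=1):
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        rpm = rng.uniform(800, 1500)
        flow = 0.02 * rpm + 1.0 + rng.uniform(-0.5, 0.5)  # bounded sensor noise
        samples.append((rpm, flow))
    return samples

def fit_relationship(samples):
    """Least-squares fit of flow = a*rpm + b on normal data; returns (a, b, sigma)."""
    n = len(samples)
    mean_rpm = sum(r for r, _ in samples) / n
    mean_flow = sum(f for _, f in samples) / n
    sxx = sum((r - mean_rpm) ** 2 for r, _ in samples)
    sxy = sum((r - mean_rpm) * (f - mean_flow) for r, f in samples)
    a = sxy / sxx
    b = mean_flow - a * mean_rpm
    residuals = [f - (a * r + b) for r, f in samples]
    sigma = (sum(e * e for e in residuals) / n) ** 0.5
    return a, b, sigma

def monitor(samples, model, k=3.0):
    """Indices of samples whose residual exceeds k*sigma, i.e. the learned relationship no longer holds."""
    a, b, sigma = model
    return [i for i, (r, f) in enumerate(samples) if abs(f - (a * r + b)) > k * sigma]

def demo():
    """Learn from normal data, then monitor a clean window and a tampered one."""
    model = fit_relationship(make_normal_samples(300, seed=1))
    clean = make_normal_samples(50, seed=2)
    # Constructed process-based manipulation: the reported flow is lowered by 5 l/s
    # for the first 10 samples while the pump command is untouched.
    tampered = [(r, f - 5.0) for r, f in clean[:10]] + clean[10:]
    return len(monitor(clean, model)), monitor(tampered, model)
```

The clean window produces no alerts because its residuals stay within the noise the model was trained on, while every tampered sample is flagged because the spoofed flow is far outside the learned relationship.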