Intrusion and anomaly detection for the next-generation of industrial automation and control systems

https://doi.org/10.1016/j.future.2021.01.033

Highlights

  • Review of the more recent anomaly detection techniques for SCADA systems.

  • A next-generation Intrusion and Anomaly Detection System for IACS.

  • An extensive evaluation with a large-scale testbed and various ML techniques.

Abstract

The next-generation of Industrial Automation and Control Systems (IACS) and Supervisory Control and Data Acquisition (SCADA) systems pose numerous challenges in terms of cybersecurity monitoring. We have been witnessing the convergence of OT/IT networks, combined with massively distributed metering and control scenarios such as smart grids. Larger and geographically widespread attack surfaces, and inherently more data to analyse, will become the norm.

Despite several advances in recent years, domain-specific security tools have been facing the challenge of trying to catch up with all the existing security flaws from the past, while also accounting for the specific needs of the next-generation of IACS. Moreover, the aggregation of multiple techniques and sources of information into a comprehensive approach has not been explored in depth. Such a holistic perspective is paramount, since it enables a global and enhanced analysis based on the usage, combination and aggregation of the outputs from multiple sources and techniques.

This paper starts by providing a review of the more recent anomaly detection techniques for SCADA systems, focused on both theoretical machine learning approaches and complete frameworks. Afterwards, it proposes a complete framework for an Intrusion and Anomaly Detection System (IADS) composed of specific detection probes, an event processing layer and a core anomaly detection component, amongst others. Finally, the paper presents an evaluation of the framework within a large-scale hybrid testbed, and a comparison of different anomaly detection scenarios based on various machine learning techniques.

Introduction

The latest generation of Industrial Automation and Control Systems (IACS), combining Industrial IoT (IIoT) and Supervisory Control and Data Acquisition (SCADA) environments, poses several challenges. According to a 2015 survey of two hundred automation executives [1], the adoption of IIoT, primarily driven by the optimization of operational efficiency and productivity, faces cybersecurity as its biggest challenge. Similarly, in another study [2] more than two hundred industrial companies identify cybersecurity as a high priority. The importance of security across several Industry 4.0 enablers, including but not limited to Big Data, Artificial Intelligence and Open-Source Software, is also noted in another survey [3].

The attack surface of IACS has grown significantly over the past years. Major incidents, from Stuxnet [4] to Industroyer [5], keep exposing their vulnerabilities, with the lack of security in SCADA communication protocols being one of the most criticized issues. While this scenario is now changing, with several SCADA protocols being redesigned, the problem remains, as legacy protocols are still widely used.

Using an energy smart grid as a reference scenario, this paper describes an Intrusion and Anomaly Detection System (IADS) specifically designed to tackle the architectural and security challenges of the next-generation of IACS. Namely, this paper presents a comprehensive strategy for monitoring both industrial network traffic and managed physical processes, as well as a way of integrating several heterogeneous components into a unified detection framework capable of monitoring the cybersecurity state of a SCADA system in near real-time.
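As an added illustration of why the unified framework described above correlates the outputs of heterogeneous probes (this is not code from the paper or the ATENA project), the following Python sketch fuses events from a hypothetical network-traffic probe and a hypothetical physical-process probe per asset inside a time window; the event schema, score fusion, thresholds and sample events are all assumptions constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical probe event model (an assumption, not the paper's schema): each
# probe tags events with the asset concerned, its probe type and a score in [0, 1].
@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the start of the capture
    source: str    # "network" probe or "process" probe
    asset: str     # monitored device, e.g. a PLC identifier
    kind: str      # probe-specific event label
    score: float   # probe confidence that the event is anomalous

# Constructed sample events: two weak observations close in time on plc-01,
# the same two far apart on plc-02, and one conclusive observation on plc-03.
SAMPLE_EVENTS = [
    Event(10.0, "network", "plc-01", "modbus_write_burst", 0.55),
    Event(11.5, "process", "plc-01", "tank_level_out_of_band", 0.60),
    Event(12.0, "network", "plc-02", "modbus_write_burst", 0.50),
    Event(40.0, "process", "plc-02", "tank_level_out_of_band", 0.58),
    Event(41.0, "network", "plc-03", "unknown_function_code", 0.95),
]

def correlate(events, window=5.0, single=0.9, combined=0.8):
    """Aggregate probe events per asset inside a sliding time window.
    An alert is raised when one event alone is conclusive (score >= single),
    or when events from at least two distinct probe types fall inside the
    same window and their fused evidence reaches `combined`.
    Returns a list of (asset, probe_types, evidence) tuples.
    """
    by_asset = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_asset[ev.asset].append(ev)
    alerts = []
    for asset, evs in by_asset.items():
        for i, ev in enumerate(evs):
            # events on this asset inside the window that ends at ev.ts
            group = [e for e in evs[: i + 1] if ev.ts - e.ts <= window]
            sources = {e.source for e in group}
            # noisy-OR fusion: probability that at least one probe is right
            miss = 1.0
            for e in group:
                miss *= 1.0 - e.score
            evidence = round(1.0 - miss, 3)
            if ev.score >= single or (len(sources) >= 2 and evidence >= combined):
                alerts.append((asset, tuple(sorted(sources)), evidence))
                break  # one alert per asset is enough for this illustration
    return alerts
```

With the sample input, plc-01 alerts only because two probe types agree within the window, plc-02 never alerts because the same two observations are 28 seconds apart, and plc-03 alerts on a single conclusive network event.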

The contributions of this paper are threefold. First, we provide an extensive literature review on SCADA anomaly detection, focused on the last four years. Second, we describe a complete framework for performing intrusion and anomaly detection in IACS environments. Third, we present an evaluation of the platform by showcasing several anomaly detection scenarios based on supervised machine learning classification.

The remainder of this document is structured as follows. Section 2 provides a review of the literature on intrusion and anomaly detection, including machine learning approaches, event processing techniques and larger, integrated frameworks. Section 3 describes the proposed IADS framework. Section 4 presents several use cases for evaluating the functionality and performance of the framework, and finally, Section 5 concludes the paper and discusses future work.

Section snippets

Related work

There are several open challenges threatening SCADA-based Industrial Automation and Control Systems (IACS).

First of all, there are dozens of standards, guidelines and best-practice recommendations [6]. This creates a fragmentation issue and makes it challenging to implement them consistently across the entire heterogeneous SCADA ecosystem, from energy-related systems (e.g. Smart Grids) to Manufacturing Execution Systems (MES).

The variety of different SCADA communication protocols demands a huge

Proposed IADS framework

In this section, we discuss the design of an intrusion and anomaly detection framework capable of coping with the next generation of IIoT-centric IACS systems, which are expected to be highly distributed and capillary (as it is the case for smart grids, for example). This evolution is expected to bring new security challenges, namely: larger attack surfaces, often coupled with insecure communications protocols; likely insecure components in the long term, due to long life-cycles; and increased

Evaluation

This section describes several scenarios, the implementation and tools used for evaluating the proposed IADS — with a special focus on the event processing and anomaly detection layers.

First, we present the reference industrial testbed which provided support for our experiments. Next, we describe the evaluation use case that we used to assess the performance of several supervised ML algorithms (using our platform). Finally, we evaluate the event messaging layer, discussing different

Conclusions

Over recent years, most IACS-related security developments have focused on SCADA protocols and their vulnerabilities, an approach that has spawned a multitude of SCADA security-related components and solutions. Apart from this, the majority of research and industry efforts seem to have been narrowed to theoretical or specific problems.

Taking a somewhat different path, the framework hereby presented enables the integration of different techniques and algorithms, rather than being a

CRediT authorship contribution statement

Luis Rosa: Conceptualization, Methodology, Software, Investigation, Writing - original draft, Writing - review & editing. Tiago Cruz: Conceptualization, Methodology, Writing - review & editing, Supervision. Miguel Borges de Freitas: Conceptualization, Software, Writing - review & editing. Pedro Quitério: Conceptualization, Writing - review & editing. João Henriques: Conceptualization, Writing - review & editing. Filipe Caldeira: Conceptualization, Writing - review & editing. Edmundo Monteiro:

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

This work was supported by the ATENA H2020 EU Project (H2020-DS-2015-1 Project 700581).

References (91)

  • Menze T., The state of industrial cybersecurity 2019 (2019).
  • Aceto G. et al., A survey on information and communication technologies for industry 4.0: state of the art, taxonomies, perspectives, and challenges, IEEE Commun. Surv. Tutor. (2019).
  • Langner R., To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve (2013).
  • Cherepanov A., Win32/Industroyer, a New Threat for Industrial Control Systems, White paper (2017).
  • Rosa L. et al., A comprehensive security analysis of a SCADA protocol: From OSINT to mitigation, IEEE Access (2019).
  • Leszczyna R., Cybersecurity in the electricity sector (2019).
  • Iturbe M. et al., Towards large-scale, heterogeneous anomaly detection systems in industrial networks: A survey of current trends, Secur. Commun. Netw. (2017).
  • Wong K. et al., Enhancing Suricata intrusion detection system for cyber security in SCADA networks.
  • R. Udd, M. Asplund, S. Nadjm-Tehrani, M. Kazemtabrizi, M. Ekstedt, Exploiting bro for intrusion detection in a scada...
  • Vávra J. et al., Comparison of the intrusion detection system rules in relation with the SCADA systems.
  • H. Lin, A. Slagell, C.Di. Martino, Z. Kalbarczyk, R.K. Iyer, Adapting bro into scada: building a specification-based...
  • Rosa L. et al., Evolving the security paradigm for industrial IoT environments.
  • B. Phillips, E. Gamess, S. Krishnaprasad, An evaluation of machine learning-based anomaly detection in a scada system...
  • T. Morris, W. Gao, Industrial control system network traffic data sets to facilitate intrusion detection system...
  • McKinnon C. et al., Comparison of new anomaly detection technique for wind turbine condition monitoring using gearbox SCADA data, Energies (2020).
  • Gao J. et al., Omni SCADA intrusion detection using deep learning algorithms (2019).
  • Modbus application protocol specification v1.1b (2006).
  • A DNP3 protocol primer (2005).
  • OPC Unified Architecture (UA) (2020).
  • Anton S.D.D. et al., Anomaly-based intrusion detection in industrial data with SVM and random forests (2019).
  • Sokolov A.N. et al., Traffic modeling by recurrent neural networks for intrusion detection in industrial control systems.
  • Ramotsoela D.T. et al., Attack detection in water distribution systems using machine learning.
  • Taormina R. et al., The battle of the attack detection algorithms: Disclosing cyber attacks on water distribution networks, J. Water Resour. Plan. Manag. (2018).
  • Khan I.A. et al., HML-IDS: A hybrid-multilevel anomaly prediction approach for intrusion detection in SCADA systems, IEEE Access (2019).
  • Demertzis K. et al., Cyber-Typhon: An online multi-task anomaly detection framework (2019).
  • Nguyen V.Q. et al., Applications of anomaly detection using deep learning on time series data.
  • Kravchik M. et al., Detecting cyber attacks in industrial control systems using convolutional neural networks.
  • Goh J. et al., A dataset to support research in the design of secure water treatment systems.
  • Shitharth S. et al., An enhanced optimization based algorithm for intrusion detection in SCADA network, Comput. Secur. (2017).
  • Keliris A. et al., Machine learning-based defense against process-aware attacks on industrial control systems.
  • Handa A. et al., Machine learning in cybersecurity: A review (2019).
  • Nisioti A. et al., From intrusion detection to attacker attribution: A comprehensive survey of unsupervised methods, IEEE Commun. Surv. Tutor. (2018).
  • Terzi D.S. et al., Big data analytics for network anomaly detection from NetFlow data.
  • Z. Dewa, L.A. Maglaras, Data Mining and Intrusion Detection Systems, 7, (2016),...
  • Jiang J. et al., Mining PMU data streams to improve electric power system resilience (2017).
    Luis Rosa received the M.Sc. degree in informatics engineering from the Higher School of Technology and Management, Polytechnic Institute of Coimbra, Coimbra, Portugal, in 2013. He is currently working towards the Ph.D. degree in informatics engineering at the University of Coimbra. He is a Junior Researcher at the Centre for Informatics and Systems, University of Coimbra, where he participates in several research projects in those fields. His research interests include security, event management, and critical infrastructure protection.

    Tiago Cruz received the Ph.D. degree in informatics engineering from the University of Coimbra, Coimbra, Portugal, in 2012. He has been an Assistant Professor in the Department of Informatics Engineering, University of Coimbra, since December 2013. His research interests include areas such as management systems for communications infrastructures and services, critical infrastructure security, broadband access network device and service management, Internet of Things, software-defined networking, and network function virtualization (among others). He is the author of more than 40 publications, including chapters in books, journal articles, and conference papers. Dr. Cruz is a member of the IEEE Communications Society.

    Miguel Borges de Freitas received the M.Sc. degree in Chemical Engineering from the Technical University of Lisbon in 2016 and the M.Sc. degree in Informatics Engineering from the University of Coimbra in 2018. He is currently a Junior Researcher at the Center for Informatics and Systems, University of Coimbra. His research interests target Software Defined Networking, Network Function Virtualization, cybersecurity and critical infrastructure protection. He is also a collaborator for some open-source projects.

    Pedro Quitério received the M.Sc. degree in Informatics Engineering from the University of Coimbra, in 2018, where he is currently a Researcher with the Center for Informatics and Systems. His research interests include web development, data visualization, event management and critical infrastructure protection.

    João Henriques is a Ph.D. candidate in Science and Information Technology at the University of Coimbra (UC) and Assistant Professor at the Department of Informatics Engineering at the Polytechnic Institute of Viseu (IPV). His research interests at the Center for Informatics and Systems (CISUC) at UC includes forensic and audit compliance for critical infrastructures protection. He also remains as Software Engineer in the private sector.

    Filipe Caldeira is an Adjunct Professor at the Polytechnic Institute of Viseu, Portugal. He is a researcher at the CISeD research centre of the Polytechnic Institute of Viseu and at the Centre for Informatics and Systems of the University of Coimbra. His main research interests include ICT security, namely, trust and reputation systems, Smart Cities and Critical Infrastructure Protection. His research papers were published in various international conferences, journals and book chapters. He has been recently involved in some international and national research projects.

    Edmundo Monteiro is currently a Full Professor with the University of Coimbra, Portugal. He has more than 30 years of research experience in the field of computer communications, wireless networks, quality of service and experience, network and service management, and computer and network security. He participated in many Portuguese, European, and international research projects and initiatives. His publication list includes over 200 publications in journals, books, and international refereed conferences. He has co-authored nine international patents. He is a member of the Editorial Board of the Springer Wireless Networks Journal and is involved in the organization of many national and international conferences and workshops. He is a Senior Member of the IEEE Communications Society and the ACM Special Interest Group on Communications. He is also a Portuguese Representative in IFIP TC6 (Communication Systems).

    Paulo Simões received the Doctoral degree in informatics engineering from the University of Coimbra, Coimbra, Portugal, in 2002. He is an Associate Professor in the Department of Informatics Engineering, University of Coimbra, where he regularly leads technology transfer projects for industry partners such as telecommunications operators and energy utilities. His research interests include network and infrastructure management, security, critical infrastructure protection, and virtualization of networking and computing resources. He has more than 150 publications in refereed journals and conferences. Dr. Simões is a senior member of the IEEE Communications Society.
