Intrusion and anomaly detection for the next-generation of industrial automation and control systems
Introduction
The latest generation of Industrial Automation and Control Systems (IACS), which combines Industrial IoT (IIoT) with Supervisory Control and Data Acquisition (SCADA) environments, poses several challenges. According to a 2015 survey of two hundred automation executives [1], the adoption of IIoT, driven primarily by the optimization of operational efficiency and productivity, faces cybersecurity as its biggest challenge. Similarly, in another study [2] more than two hundred industrial companies refer to cybersecurity as a high priority. The importance of security across several Industry 4.0 enablers, including but not limited to Big Data, Artificial Intelligence and Open-Source Software, is also noted in another survey [3].
The attack surface of IACS has grown significantly over the past years. Major incidents, from Stuxnet [4] to Industroyer [5], keep exposing their vulnerabilities, with the lack of security in SCADA communication protocols being one of the most criticized issues. While this scenario is now changing, with several SCADA protocols being redesigned, the problem persists, as legacy protocols are still widely used.
Using an energy smart grid as a reference scenario, this paper describes an Intrusion and Anomaly Detection System (IADS) specifically designed to tackle the architectural and security challenges of the next generation of IACS. Specifically, this paper presents a comprehensive strategy for monitoring both industrial network traffic and the managed physical processes, as well as a way of integrating several heterogeneous components into a unified detection framework capable of monitoring the cybersecurity state of a SCADA system in near real-time.
The contributions of this paper are threefold. First, we provide an extensive literature review on SCADA anomaly detection, focused on the last four years. Second, we describe a complete framework for performing intrusion and anomaly detection in IACS environments. Third, we present an evaluation of the platform by showcasing several anomaly detection scenarios based on supervised machine learning classification.
The remainder of this document is structured as follows. Section 2 reviews the literature on intrusion and anomaly detection, including machine learning approaches, event processing techniques and larger, integrated frameworks. Section 3 describes the proposed IADS framework. Section 4 presents several use cases for evaluating the functionality and performance of the framework, and finally, Section 5 concludes the paper and discusses future work.
Section snippets
Related work
There are several open challenges threatening SCADA-based Industrial Automation and Control Systems (IACS).
First of all, there are dozens of standards, guidelines and best-practice recommendations [6]. This fragmentation makes it challenging to implement them consistently across the entire heterogeneous SCADA ecosystem, from energy-related systems (e.g. Smart Grids) to Manufacturing Execution Systems (MES).
The variety of different SCADA communication protocols demands a huge
Proposed IADS framework
In this section, we discuss the design of an intrusion and anomaly detection framework capable of coping with the next generation of IIoT-centric IACS, which are expected to be highly distributed and capillary (as is the case for smart grids, for example). This evolution is expected to bring new security challenges, namely: larger attack surfaces, often coupled with insecure communications protocols; components that are likely to become insecure in the long term, due to long life-cycles; and increased
Evaluation
This section describes several scenarios, the implementation and tools used for evaluating the proposed IADS — with a special focus on the event processing and anomaly detection layers.
First, we present the reference industrial testbed which provided support for our experiments. Next, we describe the evaluation use case that we used to assess the performance of several supervised ML algorithms (using our platform). Finally, we evaluate the event messaging layer, discussing different
Conclusions
Over recent years, most IACS-related security developments have focused on SCADA protocols and their vulnerabilities, an approach that has spawned a multitude of SCADA security-related components and solutions. Apart from this, the majority of research and industry efforts seem to have been narrowed to theoretical or specific problems.
Taking a somehow different path, the framework hereby presented enables the integration of different techniques and algorithms, rather than being a
CRediT authorship contribution statement
Luis Rosa: Conceptualization, Methodology, Software, Investigation, Writing - original draft, Writing - review & editing. Tiago Cruz: Conceptualization, Methodology, Writing - review & editing, Supervision. Miguel Borges de Freitas: Conceptualization, Software, Writing - review & editing. Pedro Quitério: Conceptualization, Writing - review & editing. João Henriques: Conceptualization, Writing - review & editing. Filipe Caldeira: Conceptualization, Writing - review & editing. Edmundo Monteiro:
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
This work was supported by the ATENA H2020 EU Project (H2020-DS-2015-1 Project 700581).
References (91)
- et al. A survey of security in SCADA networks: Current issues and future challenges. IEEE Access (2019).
- et al. Deep-learning-based network intrusion detection for SCADA systems.
- et al. A survey on security control and attack detection for industrial cyber-physical systems. Neurocomputing (2018).
- et al. Assessing and augmenting SCADA cyber security: A survey of techniques. Comput. Secur. (2017).
- et al. Malware detection in mobile environments based on autoencoders and API-images. J. Parallel Distrib. Comput. (2020).
- et al. Survey on anomaly detection using data mining techniques. Procedia Comput. Sci. (2015).
- et al. Multi-level adaptive coupled method for industrial control networks safety based on machine learning (2019).
- et al. Packet-data anomaly detection in PMU-based state estimator using convolutional neural network. Int. J. Electr. Power Energy Syst. (2019).
- et al. Detection of malicious and low throughput data exfiltration over the DNS protocol. Comput. Secur. (2019).
- The internet of things and the new industrial revolution (2015).
- The state of industrial cybersecurity 2019.
- A survey on information and communication technologies for Industry 4.0: state of the art, taxonomies, perspectives, and challenges. IEEE Commun. Surv. Tutor.
- To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve.
- Win32/Industroyer, a New Threat for Industrial Control Systems. White paper.
- A comprehensive security analysis of a SCADA protocol: From OSINT to mitigation. IEEE Access.
- Cybersecurity in the electricity sector.
- Towards large-scale, heterogeneous anomaly detection systems in industrial networks: A survey of current trends. Secur. Commun. Netw.
- Enhancing Suricata intrusion detection system for cyber security in SCADA networks.
- Comparison of the intrusion detection system rules in relation with the SCADA systems.
- Evolving the security paradigm for industrial IoT environments.
- Comparison of new anomaly detection technique for wind turbine condition monitoring using gearbox SCADA data. Energies.
- Omni SCADA intrusion detection using deep learning algorithms.
- Modbus application protocol specification v1.1b.
- A DNP3 protocol primer.
- OPC Unified Architecture (UA).
- Anomaly-based intrusion detection in industrial data with SVM and random forests.
- Traffic modeling by recurrent neural networks for intrusion detection in industrial control systems.
- Attack detection in water distribution systems using machine learning.
- The battle of the attack detection algorithms: Disclosing cyber attacks on water distribution networks. J. Water Resour. Plan. Manag.
- HML-IDS: A hybrid-multilevel anomaly prediction approach for intrusion detection in SCADA systems. IEEE Access.
- Cyber-Typhon: An online multi-task anomaly detection framework.
- Applications of anomaly detection using deep learning on time series data.
- Detecting cyber attacks in industrial control systems using convolutional neural networks.
- A dataset to support research in the design of secure water treatment systems.
- An enhanced optimization based algorithm for intrusion detection in SCADA network. Comput. Secur.
- Machine learning-based defense against process-aware attacks on industrial control systems.
- Machine learning in cybersecurity: A review.
- From intrusion detection to attacker attribution: A comprehensive survey of unsupervised methods. IEEE Commun. Surv. Tutor.
- Big data analytics for network anomaly detection from NetFlow data.
- Mining PMU data streams to improve electric power system resilience.
Luis Rosa received the M.Sc. degree in informatics engineering from the Higher School of Technology and Management, Polytechnic Institute of Coimbra, Coimbra, Portugal, in 2013. He is currently working towards the Ph.D. degree in informatics engineering at the University of Coimbra. He is a Junior Researcher at the Centre for Informatics and Systems, University of Coimbra, where he participates in several research projects in those fields. His research interests include security, event management, and critical infrastructure protection.
Tiago Cruz received the Ph.D. degree in informatics engineering from the University of Coimbra, Coimbra, Portugal, in 2012. He has been an Assistant Professor in the Department of Informatics Engineering, University of Coimbra, since December 2013. His research interests include areas such as management systems for communications infrastructures and services, critical infrastructure security, broadband access network device and service management, Internet of Things, software-defined networking, and network function virtualization (among others). He is the author of more than 40 publications, including chapters in books, journal articles, and conference papers. Dr. Cruz is a member of the IEEE Communications Society.
Miguel Borges de Freitas received the M.Sc. degree in Chemical Engineering from the Technical University of Lisbon in 2016 and the M.Sc. degree in Informatics Engineering from the University of Coimbra in 2018. He is currently a Junior Researcher at the Center for Informatics and Systems, University of Coimbra. His research interests target Software Defined Networking, Network Function Virtualization, cybersecurity and critical infrastructure protection. He is also a collaborator for some open-source projects.
Pedro Quitério received the M.Sc. degree in Informatics Engineering from the University of Coimbra, in 2018, where he is currently a Researcher with the Center for Informatics and Systems. His research interests include web development, data visualization, event management and critical infrastructure protection.
João Henriques is a Ph.D. candidate in Science and Information Technology at the University of Coimbra (UC) and Assistant Professor at the Department of Informatics Engineering at the Polytechnic Institute of Viseu (IPV). His research interests at the Center for Informatics and Systems (CISUC) at UC include forensics and audit compliance for critical infrastructure protection. He also works as a Software Engineer in the private sector.
Filipe Caldeira is an Adjunct Professor at the Polytechnic Institute of Viseu, Portugal. He is a researcher at the CISeD research centre of the Polytechnic Institute of Viseu and at the Centre for Informatics and Systems of the University of Coimbra. His main research interests include ICT security, namely, trust and reputation systems, Smart Cities and Critical Infrastructure Protection. His research papers were published in various international conferences, journals and book chapters. He has been recently involved in some international and national research projects.
Edmundo Monteiro is currently a Full Professor with the University of Coimbra, Portugal. He has more than 30 years of research experience in the field of computer communications, wireless networks, quality of service and experience, network and service management, and computer and network security. He participated in many Portuguese, European, and international research projects and initiatives. His publication list includes over 200 publications in journals, books, and international refereed conferences. He has co-authored nine international patents. He is a member of the Editorial Board of the Springer Wireless Networks Journal and is involved in the organization of many national and international conferences and workshops. He is a Senior Member of the IEEE Communications Society and the ACM Special Interest Group on Communications. He is also a Portuguese Representative in IFIP TC6 (Communication Systems).
Paulo Simões received the Doctoral degree in informatics engineering from the University of Coimbra, Coimbra, Portugal, in 2002. He is an Associate Professor in the Department of Informatics Engineering, University of Coimbra, where he regularly leads technology transfer projects for industry partners such as telecommunications operators and energy utilities. His research interests include network and infrastructure management, security, critical infrastructure protection, and virtualization of networking and computing resources. He has more than 150 publications in refereed journals and conferences. Dr. Simões is a senior member of the IEEE Communications Society.