
PHD DEFENCE MARCO CASELLI

Intrusion detection in networked control systems: from system knowledge to network security

“Networked control system” (NCS) is an umbrella term encompassing a broad variety of infrastructures such as industrial control systems (ICSs) and building automation systems (BASs). Nowadays, all these infrastructures play an important role in several aspects of our daily life, from managing essential services such as energy and water (e.g., critical infrastructures) to monitoring the increasingly smart environments that surround us (e.g., the Internet of Things).

Over the years, NCS technology has progressively switched to IT digital networks and been integrated with the Internet. This has changed the way operators manage and control their infrastructures and has introduced several security threats. Skilled crackers (also known as black-hat hackers) can remotely access NCSs and change infrastructure behavior, potentially endangering human lives (e.g., causing a malfunction of a nuclear power plant). For this reason, NCS stakeholders have been facing the challenge of protecting their infrastructures against cyber-attacks and, especially, targeted attacks, namely those attacks carried out by resourceful and motivated organizations (e.g., Stuxnet). A common practice for protecting NCSs is the use of standard IT security solutions and techniques. However, most of the time these solutions do not fit such different environments. Furthermore, any security solution applied to NCSs should never interfere with infrastructure operations. This is particularly important for NCSs that monitor critical infrastructures and thus sensitive physical processes (e.g., energy production). Finally, most of today's NCS security solutions still fail to convey accurate information to the operators and do not allow them to quickly and unambiguously identify potentially dangerous situations. Doing so would require more sophisticated techniques capable of understanding the surrounding environment and conclusively discerning malicious activities from valid operations.

For all these reasons, this thesis tackles the challenge of developing more incisive and effective security solutions for NCSs. We focus on intrusion detection, which passively monitors and evaluates infrastructure operations without causing any interference, and we direct attention to the acquisition of knowledge about the monitored infrastructures to improve both the detection process and the feedback to the operators. In what follows, we present a novel approach to NCS security based on the integration of system knowledge acquisition and network intrusion detection. Our work starts by identifying and evaluating valuable sources of information for gaining knowledge about the monitored systems. Then, we show how this knowledge contributes to improving intrusion detection systems (IDSs). Finally, we leverage a specific kind of intrusion detection, namely specification-based intrusion detection, to strengthen the bond between system knowledge and network security. We achieve this by automating the deployment of specification-based IDSs that autonomously use information gathered from NCS network traffic and analyze available NCS-related documentation to describe an infrastructure's expected behavior. Tests and evaluations performed on real infrastructures support the proposed approach and confirm the advantages of including information about NCS properties and components within the employed security solutions.
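The two-step idea behind specification-based detection as described above (derive the expected behavior of the infrastructure from observed traffic and from documentation, then flag every deviation), shown as an added illustration that is not code from the thesis. The record format, device names, the constructed baseline traffic and the "documented" bounds are all assumptions made for this example.

```python
"""Added example (not from the thesis): a minimal specification-based IDS for NCS traffic.

Phase 1 derives a specification of expected behaviour: which source may send which
operation to which device, and the value range each such flow is expected to carry.
Traffic-derived ranges can be overridden by bounds taken from device documentation.
Phase 2 checks new records against that specification and reports every deviation.
"""

# Constructed baseline records (assumed format): (source, destination, operation, value)
BASELINE = [
    ("hmi-1", "plc-3", "read_register", 210.0),
    ("hmi-1", "plc-3", "read_register", 214.5),
    ("hmi-1", "plc-3", "write_register", 212.0),
    ("scada-1", "plc-3", "read_register", 208.0),
    ("scada-1", "plc-7", "read_register", 55.0),
]

# Constructed "documented" bounds, e.g. a setpoint limit taken from a device manual.
DOCUMENTED = {("hmi-1", "plc-3", "write_register"): (200.0, 220.0)}


def build_specification(records, documented=None):
    """Derive the spec: allowed (src, dst, op) flows with their expected value bounds.

    Bounds observed in traffic are replaced by documented bounds where available,
    since documentation states the intended limits rather than what happened to be seen.
    """
    spec = {}
    for src, dst, op, value in records:
        key = (src, dst, op)
        lo, hi = spec.get(key, (value, value))
        spec[key] = (min(lo, value), max(hi, value))
    spec.update(documented or {})
    return spec


def check_record(spec, record, tolerance=0.10):
    """Return None if the record matches the specification, else a reason string."""
    src, dst, op, value = record
    key = (src, dst, op)
    if key not in spec:
        return f"unexpected flow {src} -> {dst} {op}"
    lo, hi = spec[key]
    margin = (hi - lo) * tolerance  # slack relative to the expected range; zero if a single value was seen
    if value < lo - margin or value > hi + margin:
        return f"value {value} outside expected range [{lo}, {hi}] for {src} -> {dst} {op}"
    return None


def detect(spec, records, tolerance=0.10):
    """Run every record through the specification and collect the deviations."""
    alerts = []
    for record in records:
        reason = check_record(spec, record, tolerance)
        if reason is not None:
            alerts.append((record, reason))
    return alerts
```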

Starting time: 16.30h in Building Waaier - Prof.dr. G. Berkhoff-zaal