You have probably heard about Stuxnet. This was a well-known instance of a cyber-physical attack in 2010 with the goal of derailing the uranium enrichment process at an Iran’s nuclear plant.
This is a perfect example of a security breach in cyberspace which adversely affected the physical world.
Dear reader, this phenomenon is not new. You will surely hear more and more about such attacks in the future, inducing severe consequences to our environment and even threatening human lives.
Now, you might ask why? Well, how could it be different? Our society has developed a strong dependence on information systems through their integration to a variety of engineering fields ranging from aerospace, automobile, industrial process control, to energy, health-care, manufacturing and transportation.
This interconnection between cyberspace and physical space offers tremendous possibilities to hackers and adversaries to do nation-wide critical infrastructure damage.
So to answer the original question, yes, we should care about CPS security.
Because of the importance of this subject, it would be very interesting to consider which role Intrusion Detection Systems (IDS) can play in this context. Thus, my objectives are threefold in this writing:
First of all, let’s state some background information and understand the key concepts of the article.
As critical infrastructure of our society and economy, the electric power grid is in constant evolution. Since the early 21st century, numerous efforts have been undertaken to integrate this energy system with communications technologies. This phenomenon is what is frequently referred to as the smart grid.
The North American Electrical Reliability Corporation (NERC) defines the Smart Grid (SG) as “the integration and application of real-time monitoring, advanced sensing, communications, analytics, and control, enabling the dynamic flow of both energy and information to accommodate existing and new forms of supply, delivery, and use in a secure, reliable, and efficient electric power system, from generation source to end-user.” In this context, it would be more appropriate to qualify this integration of information technology with power systems as a smarter grid because the traditional power grid already contained some form of intelligence as represented by the Supervisory Control and Data Acquisition Systems (SCADA).
This integration of communications technology with the energy system will not only enable new opportunities, but will also create a variety of unfamiliar vulnerabilities deriving from cyber intrusion and corruption, potentially with the physically destructive consequences. The weakest link property applies also in this context with regards to the scale and complexity of this infrastructure. Therefore, it will be very challenging to find the appropriate means to protect such an environment where threat models are diverse and adversarial settings are unpredictable.
A traditional Industrial Control System (ICS) is generally a complex distributed system including diverse controls, indication, and associated tele-metering equipments at the substation, and all of the complementary devices (Remote Terminal Unit, RTU) at the field level. This system can be applied in any domain where industrial processes need to be controlled.
I will refer a lot to electrical power grids, more specifically to the smart grid, which is an integration of a traditional power network with modern Information Communication Technology (ICT). But, the same arguments can be applied to any complex ICS connected to the IT infrastructure/Internet.
The goal of this integration is to build a system that is capable of self-healing and self-organizing. The structure of such a system is very static in terms of how data and controls flow through the system. Moreover, the communication protocols used are simple and most of the time they are proprietary to the operators of the systems.
The key factors that drive such systems include:
With successive waves of integration and innovation to achieve the aforementioned objectives, smart grids and ICS not only increasingly attract considerable research attention but are also becoming the target of cyber threats. Furthermore, the recent trend in standardization of software and hardware used in ICS potentially facilitates ICS-oriented attacks. These attacks can disrupt and damage critical infrastructural operations, contaminate the ecological environment, cause major economic losses and even more dangerously, claim human lives.
As Bruce Schneier used to say “prevention is best combined with detection and response.” Therefore, the deployment of an IDS is still a useful add-on intelligence component to existing ICS in order to leverage their component infrastructure and technologies. However, the nature of an ICS with its specific constraints does not allow security experts to simply transpose IDS technologies used to secure conventional IT enterprise to this environment. Therefore, the industrial and academic control security community has started to build IDSs specifically for ICS.
If you do not know what the main differences between ICSs, such as SCADA, and IT systems with respect to security are, take a look at following points:
|Category||Industrial Control Systems||Conventional IT Systems|
|Availability||24x7x365 (continuous)||Delays are acceptable|
|Risk Management||Human safety is paramount||Data confidentiality and integrity are paramount|
|Time-Critical||Delays are unacceptable||Delays are acceptable|
|Change Management||Highly managed and complex||Regularly scheduled|
|Physical Security||Remote/unmanned secure||Secure (server rooms, etc.)|
|Component Lifetime||20–30 years||3–5 years|
|Software Patches||Rare, unscheduled||Regularly scheduled|
|Outsourcing||Operations are often outsourced but not diverse to various providers||Common, widely used|
|Managed Support||Single vendor||Diversified vendors|
Let me start with the classification framework, using my own way to evaluate IDS, which I have used to categorize the five systems I have surveyed.
Intrusion detection systems can be categorized according to the following characteristics:
a) Host Log Monitoring
In the early days, IDS were batch-oriented systems, periodically searching accumulated systems as well as audit and application logs for signs of suspicious activity. Many modern systems continue to use host logs as a source of raw events.
b) Promiscuous Network Monitoring
Network connectivity is the primary source that triggers abuse on many systems. Therefore, many IDS focus on this source of events to monitor all traffic between hosts. As a result, IDS can capture all communication between a network attacker and the victim system.
a) Signature Detection
Signature Detection attempts to model abnormal behavior and any occurrence which clearly indicates system abuse. In this class, several techniques can be used:
b) Anomaly Detection
Anomaly Detection attempts to model normal behavior. Any events which violate this model are considered to be suspicious. In this class, several techniques can be used:
The systems evaluated are: PATAG , PRMM , SRI , SDRI , and SGDISD .
See the references at the end of the article if you want to dig further.
Some IDS schemes (PATAG, PRMM) use some sort of mathematical and Graph theoretical elements to build models upon which they apply some abstract reasoning to deduce intrusions facts. These approaches use probabilistic methods in their strategies. From a practical sense, it is not obvious to see how these systems can be implemented.
SRI, SDRI, and SGDISD take a more practical avenue and apply data mining, machine learning, or algorithmically oriented techniques to detect intrusions. This is the reason why in the categorization column, captured mechanism, we do not know how data is captured for analysis purpose. Nevertheless, all others systems extract their data from network traffic captured from the wire or received from another component in their architecture to do their analysis. We can assume that some form of promiscuous capturing mechanism will be used to capture data.
Only one system, SGDIDS, supports active response. This means that this system can prevent attacks when its detection modules encounter one. Furthermore, its distributed structure facilitates the protection of multiple assets in a smart grid environment. Deployed in inline-mode of operation, these different modules of SGDIDS exchange normal and control data through a mesh-wise wireless network. As a consequence of this operational setting the detection modules themselves can be the target of cyber attacks, an immediate weakness of this system.
The SRI system, the first approach considered in this survey, is the only scheme that has been implemented using commercial tools (the open source software Snort in this case) to conduct experiments. All other systems use simulated test beds instead, such as MATLAB or GRID simulation with well-known datasets prepared by the security community to explore their detection approaches and verify their efficiency.
As Zhu and Sastry have noticed, there are drawbacks associated with IDS systems regarding the datasets used for constructing attack traffic and/or simulated background traffic for verification purposes. They still observe that datasets, like MIT Lincoln Labs DARPA datasets and KDD Cup dataset which are derived from these datasets, won’t be precisely apt and reliable for ICS-specific IDS.These observations also apply to the systems examined. Most experiments presented use data that are not even simulated ICS network traffic. Thus, we can understand that any claim they made related to false positive rate cannot be not reliable.
It is worth noting, the SRID scheme does not have the drawback of current IDS which are vulnerable to targeted malware intrusion. SGDIDS, following the hierarchical and distributed structure, attempts to secure all devices at different network levels (HAN, NAN, WAN). However, with a view that is too high-level and constrained resources, it can be impossible to handle some attacks that are deeply targeting specific critical control components.
Lastly but not least, SIR is the only system concentrating on abnormal communication flows between devices using the Modbus/TCP protocol,the only hybrid system combining signature based (pattern matching) and anomaly-based techniques (Protocol verification) to detect attacks. However, as the authors of SRID stated, this kind of system can miss certain attacks when invalid states appear under the valid threshold of its IDS rules.
As the nature of Industrial Control Systems and network infrastructure is completely different from conventional IT enterprise networks, different approaches are required to cope with the particularities of industrial networks.
We have presented several techniques to perform intrusion detection systems. These range from specification-based approaches where most systems try to detect protocol violation like in the Modbus/TCP protocol to false data injection techniques, which are the most commonly adopted approaches when it comes to attack detection, based on state estimation. These are very important in the context of power system monitoring. However, probabilistic approaches using a more mathematical framework to evaluate system state also find their place in system design for detecting vulnerabilities and associated attacks.
Although several experts predict the end of IDS and rely exclusively on SIEM-like systems to collect, normalize and correlate security events in order to detect attacks, I think that the IDS field, specifically for ICS, is a rich area for research with several existing challenges that need to be addressed.
Among others, the following areas can be considered as promising niches of investigation:
 Yong Wang et al, SRID: State Relation Based Intrusion Detection for False Data Injection Attacks in SCADA, Computer Security - ESORICS 2014, Lecture Notes in Computer Science Volume 8713, 2014, pp 401-418
 Kristian Beckers et al, Determining the Probability of Smart Grid Attacks by Combining Attack Tree and Attack Graph Analysis, Smart Grid Security, Lecture Notes in Computer Science 2014, pp 30-47, 06 Aug 2014
 Mousavian, S. et al, A Probabilistic Risk Mitigation Model for Cyber-Attacks to PMU Networks, Power Systems, IEEE Transactions on (Volume:30 , Issue: 1 )
 Yichi Zhang et al, Distributed Intrusion Detection System in a Multi-Layer Network Architecture of Smart Grids, Smart Grid, and IEEE Transactions on (Volume: 2, Issue: 4)
 Steven Cheung, Bruno Dutertre, Martin Fong, Ulf Lindqvist, Keith Skinner, Alfonso Valdes, Using Model-based Intrusion Detection for SCADA Networks, SCADA Security Scientific Symposium, 2007.