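Computer science
Industrial control system
Scalability
Intrusion detection system
Process (computing)
Distributed computing
Access control
Computer security
Coding (set theory)
Control (management)
Embedded system
Database
Operating system
Artificial intelligence
Set (abstract data type)
Programming language
Authors
Estelle Hotellier, Franck Sicard, Julien Francq, Stéphane Mocanu
Identifier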
DOI:10.1016/j.ins.2024.120102
Abstract
In this paper, we develop a specification-based, process-aware Intrusion Detection System (IDS) for complex Industrial Control Systems (ICSs). Complex ICSs are distributed and hierarchical control systems built on top of local control loops, which are the system's elementary building blocks. Process-aware attacks are sophisticated cyberattacks that aim to compromise the safety of the controlled physical process. Our approach aims to link safety specifications and security properties. Thus, we use international and industry standards specifications concerning local safety, global safety and networks of the industrial process, in order to obtain security properties. The obtained security properties are cybersecurity-related requirements. They are translated into security patterns in order to be runtime monitored by our network IDS. The latter relies on a distributed monitoring framework, capturing network traffic between the local loops and the distributed control level, as well as between distributed control and supervisory control. We implemented and evaluated our IDS on a real ICS. We experimentally show that our IDS detects a large spectrum of attacks. We also show that our distributed IDS is scalable, since its detection response time as a function of the number of monitored security patterns is linear. A demonstrator comprising code extracts is made available.