Day 2

Gaps on intrusion detection in converging IT/OT systems

Session complexity:
Critical infrastructures are used to deliver vital functions to society, such as drink water, or energy generation and distribution. Most of these critical infrastructures make use of Operational Technology (OT), consisting of hardware and software to actuate and monitor physical processes, events and assets . Historically speaking most of the OT functioned in isolation (air-gapped). However, due to recent technological advancements we see a convergence of Information Technology (IT) networks with OT networks.

Due to this convergence, critical infrastructures are becoming more susceptible to cyberattacks. While the IT domain is primarily focusing on Confidentiality, Integrity, and Availability, the OT domain is more concerned with Safety, Reliability, Availability, and Maintainability. Given the importance for economy and society to protect critical infrastructures against cyber-attacks, there is a clear need for appropriate OT intrusion detection methods. In this talk, we first present a mapping of publicly available Industrial Control Systems (ICS) datasets for security research to the ICS Purdue Reference Architecture. Our examination of the available state-of-the-art has revealed various gaps such as the absence of complex cyber-attack strategies in the publicly available datasets, or the insufficiency of data on the different layers of the Purdue Model. Thus, practical methods to achieve full visibility on anomalous behavior in the OT environment, and effectively detect a multi-stage adversary, are missing. To this end, it is essential to have high-quality network and sensor data, something that so far has been lacking.

Our first research findings indicate that the combination of these data types enables multi-stage attack detection at an earlier stage than detection based on sensor values only. In addition, it enables the detection of sensor spoofing carried out by an attacker. By monitoring both network traffic and sensor values in an integrated fashion, it is possible to reduce the overall false positives and track an adversary across different layers of the Purdue model. Finally, our research highlights the need to prioritize the collection of high-quality data of both network and sensor data to enhance cyber-attack detection in the OT environment. Overall, this integrated approach has the potential to greatly enhance the resilience of critical infrastructure against multi-stage cyber-attacks.

Speakers in this session