Method for Assessment of Security-Relevant Settings in Anomaly-Based Intrusion Detection for Industrial Control Systems

Robert E. Gillen, Stephen L. Scott

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

3 Scopus citations

Abstract

Ensuring the integrity of Ethernet-based networks is a challenging and constantly evolving domain. This problem is exacerbated for those operational technology (OT) networks supporting industrial control systems (ICS), since much of that equipment was originally designed for a network that was isolated and generally considered free of malefactors. Increasing pressure to bridge these systems with traditional information technology (IT) networks has introduced a bevy of new threats, and both academia and industry have responded with security solutions tailored to ICS environments. Deploying these protection systems often involves several configuration choices. While some of these choices are clear (e.g., block/enable protocol X), others are far more subjective (e.g., alert threshold == 3.43). Further complicating the situation, OT networks, while often similar to IT networks, have unique challenges and characteristics that make the task of protecting them simultaneously more difficult and more straightforward. Extant solutions for quantifying the relative security of intrusion detection systems fail to effectively support the operators of those systems in understanding the impact of various configuration changes. Further, they assume that the attacks are static and not subject to manipulation or alteration in the face of defenses. In this paper, we present a threat-based method for quantifying the relative impact of various security settings for intrusion detection systems (IDSs) within ICS environments. This method provides operational staff with a clear understanding of the relative impact of their settings and assumes that the attacks levied against them are dynamic. The model is described in detail; we apply it to a synthetic data set and discuss the inferences that can be made and the types of decisions they could support.
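The abstract's distinction between a clear setting (block protocol X) and a subjective one (an alert threshold) and its point that attackers adapt to defenses can be made concrete with a small simulation. The following is an added illustration written for this page; it is not the paper's model, its data set, or its scoring method. It assumes a simple rate-of-change anomaly detector on a single process variable, a constructed baseline of readings, a static attacker who injects one abrupt jump, and an adaptive attacker who knows the threshold and ramps the variable in steps just under it. The names (`alerts`, `attack_detected`, `adaptive_attack`, `compare`) and the margin and step sizes are hypothetical choices for the example.

```python
"""Added illustration (not the paper's model): how an anomaly-alert threshold
looks under a static attack versus an attacker who adapts to the threshold.

Detector: rate-of-change on one process variable. A reading alerts when the
step from the previous reading is at least `threshold` standard deviations of
the baseline step size. All readings and attacks below are constructed.
"""
import math
import statistics

# Constructed baseline readings for one process variable (e.g. a tank level).
BASELINE = [50.0, 50.4, 49.7, 50.1, 49.9, 50.3, 49.6, 50.2, 50.0, 49.8,
            50.5, 49.5, 50.1, 49.9, 50.2, 49.8, 50.0, 50.3, 49.7, 50.1]

# Sigma of the step-to-step deltas in the baseline (the detector's unit).
SIGMA = statistics.pstdev([b - a for a, b in zip(BASELINE, BASELINE[1:])])


def alerts(series, threshold):
    """Indices i whose step from series[i-1] is at least `threshold` sigma."""
    return [i for i in range(1, len(series))
            if abs(series[i] - series[i - 1]) / SIGMA >= threshold]


def false_positive_rate(threshold):
    """Fraction of benign baseline steps that would raise an alert."""
    return len(alerts(BASELINE, threshold)) / (len(BASELINE) - 1)


def attack_detected(attack_readings, threshold):
    """True if any alert lands on the attacker's readings (not on the baseline)."""
    series = BASELINE + attack_readings
    return any(i >= len(BASELINE) for i in alerts(series, threshold))


def static_attack(threshold, jump_sigma=5.0):
    """Static attacker: one abrupt jump of `jump_sigma`, regardless of the threshold."""
    return attack_detected([BASELINE[-1] + jump_sigma * SIGMA], threshold)


def adaptive_attack(threshold, target_sigma=5.0, margin=0.05):
    """Adaptive attacker who knows the threshold: reaches the same total
    offset as the static attacker, but in steps each `margin` sigma below the
    alert line. Returns (detected, number_of_steps_needed)."""
    step = (threshold - margin) * SIGMA
    steps = math.ceil(target_sigma * SIGMA / step)
    readings, last = [], BASELINE[-1]
    for _ in range(steps):
        last += step
        readings.append(last)
    return attack_detected(readings, threshold), steps


def compare(thresholds=(1.0, 2.0, 3.0, 3.43)):
    """One row per candidate threshold: the trade-off an operator actually faces."""
    rows = []
    for t in thresholds:
        adaptive_hit, steps = adaptive_attack(t)
        rows.append({
            "threshold": t,
            "false_positive_rate": false_positive_rate(t),
            "static_attack_detected": static_attack(t),
            "adaptive_attack_detected": adaptive_hit,
            "adaptive_steps_to_target": steps,
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Against the static attacker every threshold in the sweep looks equally good, and raising it only lowers the false-positive rate; against the adaptive attacker no threshold detects anything, and the setting merely changes how many steps the attacker needs to reach the same process offset. That is the gap the abstract describes: a scoring method that assumes static attacks would rank 3.43 strictly better than 1.0 here, while a threat-based view shows it buys time-to-impact, not detection.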

Original language: English
Title of host publication: Proceedings - 2020 IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 156-161
Number of pages: 6
ISBN (Electronic): 9781728163895
DOIs
State: Published - Jun 10 2020
Event: 3rd IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020 - Virtual, Tampere, Finland
Duration: Jun 10 2020 to Jun 12 2020

Publication series

Name: Proceedings - 2020 IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020

Conference

Conference: 3rd IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020
Country/Territory: Finland
City: Virtual, Tampere
Period: 06/10/20 to 06/12/20

Funding

This manuscript has been co-authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the US DOE. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Acknowledgments: Thank you, J. Carter, C. Craig, L. Anderson, M. Rice, R. Bridges, M. Iannacone and reviewers whose support and comments helped to ensure this document was both accurate and intelligible. This material is based on research sponsored by the Laboratory Directed Research and Development Program of Oak Ridge National Laboratory, managed by UT-Battelle, LLC, for the U.S. Department of Energy.

Funders (funder number)

U.S. Department of Energy
Oak Ridge National Laboratory
UT-Battelle (DE-AC05-00OR22725)

Keywords

• assessment
• industrial control systems
• intrusion detection systems
• risk quantification
