TY - GEN
T1 - Method for Assessment of Security-Relevant Settings in Anomaly-Based Intrusion Detection for Industrial Control Systems
AU - Gillen, Robert E.
AU - Scott, Stephen L.
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/6/10
Y1 - 2020/6/10
N2 - Ensuring the integrity of Ethernet-based networks is a challenging and constantly evolving domain. This problem is exacerbated for operational technology (OT) networks supporting industrial control systems (ICS), since much of that equipment was originally designed for a network that was isolated and generally considered free of malefactors. Increasing pressure to bridge these systems with traditional information technology (IT) networks has introduced a bevy of new threats. In response, both academia and industry have produced security solutions tailored to ICS environments. Deploying these protection systems often involves several configuration choices. While some of these choices are clear (e.g., block/enable protocol X), others are far more subjective (e.g., alert threshold == 3.43). Further complicating the situation, while often similar to IT networks, OT networks have unique challenges and characteristics that make the task of protecting them simultaneously more difficult and more straightforward. Extant solutions for quantifying the relative security of intrusion detection systems fail to effectively support the operators of those systems in understanding the impact of various configuration changes. Further, they assume that the attacks are static and not subject to manipulation or alteration in the face of defenses. In this paper, we present a threat-based method for quantifying the relative impact of various security settings for intrusion detection systems (IDSs) within ICS environments. This method provides operational staff with a clear understanding of the relative impact of their settings and assumes that the attacks levied against them are dynamic. The model is described in detail; we apply it to a synthetic data set and discuss the inferences that can be made and the types of decisions they could be used to support.
KW - assessment
KW - industrial control systems
KW - intrusion detection systems
KW - risk quantification
UR - http://www.scopus.com/inward/record.url?scp=85096513864&partnerID=8YFLogxK
U2 - 10.1109/ICPS48405.2020.9274691
DO - 10.1109/ICPS48405.2020.9274691
M3 - Conference contribution
AN - SCOPUS:85096513864
T3 - Proceedings - 2020 IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020
SP - 156
EP - 161
BT - Proceedings - 2020 IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 3rd IEEE Conference on Industrial Cyberphysical Systems, ICPS 2020
Y2 - 10 June 2020 through 12 June 2020
ER -