Putting Together the Pieces: A Concept for Holistic Industrial Intrusion Detection

Simon Duque Antón, Hans Dieter Schotten

In: Proceedings of the 18th European Conference on Cyber Warfare and Security. European Conference on Cyber Warfare and Security (ECCWS-2019) July 4-5 Coimbar Portugal ACPI 7/2019.


The fourth industrial revolution, resulting in Industry 4.0, provides a variety of novel business cases. These business cases provide benefits with respect to cost, effort, customer satisfaction and production time. Progress in production can be monitored in real-time by the customer, maintenance can be performed in a remote fashion, time- and cost-efficient production of customer specific products is enabled. These business cases are founded on characteristics of digitisation, namely an increase in intercommunication and embedded computational capacities. Besides the advantages derived from the ever present communication properties, it increases the attack surface of a network as well. As industrial protocols and systems were not designed with security in mind, spectacular attacks on industrial systems occurred over the last years. Most industrial communication protocols do not provide means to ensure authentication or encryption. This means attackers with access to a network can read and write information. Originally not meant to be connected to public networks, the use cases of Industry 4.0 require interconnectivity, often through insecure public networks. This lead to an increasing interest in information security products for industrial applications. In this work, the concept for holistic intrusion detection methods in an industrial context is presented. It is based on different works considering several aspects of industrial environments and their capabilities to identify intrusions as an anomaly in network or process data. These capabilities are based on preceding experiments on real and synthetic data. In order to justify the concept, an overview of potential and actual attack vectors and attacks on industrial systems is provided. It is shown that different aspects of industrial facilities, e.g. office IT, shop floor OT, firewalled connections to customers and partners are analysed as well as the different layers of the automation pyramid require different methods to detect attacks. Additionally, the singular steps of an attack on industrial applications are characterised. Finally, a resulting concept for integration of these methods is proposed, providing the means to detect the different stages of an attack by different means


German Research Center for Artificial Intelligence
Deutsches Forschungszentrum für Künstliche Intelligenz