Attack Scenarios in Industrial Environments and How to Detect Them: A Roadmap

Abstract:

Cyberattacks on industrial companies have increased in the last years. The Industrial Internet of Things increases production efficiency at the cost of an enlarged attack surface. Physi-cal separation of productive networks has fallen prey to the paradigm of interconnectivity, present-ed by the Industrial Internet of Things. This leads to an increased demand for industrial intrusion detection solutions. There are, however, challenges in implementing industrial intrusion detection. There are hardly any data sets publicly available that can be used to evaluate intrusion detection algorithms. The biggest threat for industrial applications arises from state-sponsored and crim-inal groups. Often, formerly unknown exploits are employed by these attackers, so-called 0-day exploits. They cannot be discovered with signature-based intrusion detection. Thus, statistical or machine learning based anomaly detection lends itself readily. These methods especially, howev-er, need a large amount of labelled training data. In this work, an exemplary industrial use case with real-world industrial hardware is presented. Siemens S7 Programmable Logic Controllers are used to control a real-world-based control application using the OPC UA protocol: a pump, filling and emptying water tanks. This scenario is used to generate application specific network data. Furthermore, attacks are introduced into this data set. This is done in three ways. First, the normal process is monitored and captured. Common attacks are then synthetically introduced into this data set. Second, malicious behaviour is implemented on the Programmable Logic Controller program and executed live; the traffic is captured as well. Third, malicious behaviour is imple-mented on the Programmable Logic Controller while keeping the same output behaviour as in normal operation. An attacker could exploit an application but forge valid sensor output so that no anomaly is detected. Sensors are employed, capturing temperature, sound, and flow of water to create data that can be correlated to the network data and used to still detect the attack. All data is labelled, containing the ground truth, meaning all attacks are known and no unknown attacks occur. This makes them perfect for training of anomaly detection algorithms. The data is published to enable security researchers to evaluate intrusion detection solutions. Furthermore, analysis of a part of the data is presented, together with a discussion about the applicability for intrusion detection. Finally, a resume about expected future attacks on industrial environments is provided.


AUTHORS

Photo of Simon Duque Antón

German Research Center for Artificial Intelligence Kaiserslautern,
Germany

Simon Duque Antón is a Researcher and PhD Candidate at the German Research Center for Artificial Intelligence (DFKI) working in the Intelligent Networks research group. He received his diploma in the field of Computer Science with a specialization in embedded systems in 2015. His main research interests are machine learning and its application to the field of industrial IT-security. He also lectures about Information Security at the University of Kaiserslautern.

Photo of Michael Gundall

German Research Center for Artificial Intelligence Kaiserslautern,
Germany

Michael Gundall is a Researcher and PhD Candidate at the German Research Center for Artificial Intelligence (DFKI) working in the Intelligent Networks research group. In 2017, he received his M.Sc. degree in the field of Electrical and Computer Engineering with a specialization in automation and control. His current research interests are in the area of industrial communication systems and the virtualization of automation systems.

Photo of Professor Hans Dieter Schotten

German Research Center for Artificial Intelligence Intelligent Networks Research Group Kaiserslautern,
Germany

and
University of Kaiserslautern Division of Wireless Communications and Radio Positioning Kaiserslautern,
Germany

Hans Dieter Schotten is Full Professor and Director of the Chair for Wireless Communication and Navigation of the University of Kaiserslautern. He is also a Scientific Director and member of the management board of the German Research Center for Artificial Intelligence (DFKI) where he heads the Department for Intelligent Networks. Before joining academia, he held industry positions in Ericsson and Qualcomm. Since 2018, he has been the Chairman of the German Information Technology Society ITG and a member of the supervisory board of the German VDE. His research interests are in mobile and industrial communications, network security, and AI. Hans Dieter Schotten received his Diploma and PhD in Electrical Engineering from the RWTH Aachen University in 1990 and 1997, respectively.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

Quick Links

View the latest issue of JIW.

Latest Edition

Purchase a subscription to JIW.

Subscribe

Keywords

A

AI
APT

C

C2
C2S
CDX
CIA
CIP
CPS

D

DNS
DoD
DoS

I

IA
ICS

M

S

SOA

X

XRY

Quill Logo

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

SUBSCRIBE NOW

Get in touch

Registered Agent and Mailing Address

  • Journal of Information Warfare
  •  ArmisteadTEC
  • Dr Leigh Armistead, President
  • 1624 Wakefield Drive
  • Virginia Beach, VA 23455

 757.510.4574

 JIW@ArmisteadTec.com