Efficient Intrusion Detection on Low-Performance Industrial IoT Edge Node Devices

Communication between sensors, actuators and Programmable Logic Controllers (PLCs) in industrial systems is moving from two-wire field buses to IP-based protocols such as Modbus/TCP. This increases the attack surface, because the IP-based network is often reachable from everywhere within the company. Centralized defenses, e.g. at the perimeter of the network, therefore do not offer sufficient protection; decentralized defenses, where each part of the network protects itself, are needed. Network Intrusion Detection Systems (IDSs) monitor the network and report suspicious activity. They usually run on a single host, cannot capture all events in the network, and require considerable integration effort. To bridge this gap, we introduce a method for intrusion detection that combines distributed agents on Industrial Internet of Things (IIoT) edge devices with centralized logging. In contrast to existing IDSs, the distributed approach is suitable for low-performance industrial microcontrollers. We demonstrate a Proof of Concept (PoC) implementation on an MCU running FreeRTOS with LwIP and show the feasibility of our approach in an IIoT application.
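As an added illustration of the device-local agent the abstract describes (example code written for this page, not the authors' PoC), the block below is a minimal Modbus/TCP inspection routine that a FreeRTOS/LwIP node could run on every frame it receives: it validates the MBAP header, checks the function code against a per-device allowlist, confines write requests to one configured master address, bounds the register address, and renders the verdict as a single log line for the central collector. The policy values, the sample frames and the 192.168.0.x addresses are constructed for the example; the transport of the log line to the central logger is left to the application.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modbus/TCP frame layout: MBAP header (7 bytes) followed by the PDU.
 *   0-1 transaction id   2-3 protocol id (always 0)
 *   4-5 length (unit id + PDU)   6 unit id   7 function code   8.. data */
#define MBAP_LEN 7

typedef enum {
    MB_OK = 0,
    MB_TRUNCATED,          /* shorter than header + function code, or than its PDU needs */
    MB_BAD_PROTOCOL_ID,    /* protocol id field is not 0 */
    MB_LENGTH_MISMATCH,    /* MBAP length disagrees with the bytes actually received */
    MB_FUNCTION_DENIED,    /* function code not in this device's allowlist */
    MB_WRITE_FROM_UNKNOWN, /* write request from a peer other than the configured master */
    MB_RANGE_DENIED        /* register address beyond what this device exposes */
} mb_verdict;

typedef struct {
    uint32_t master_ip;       /* IPv4 (host byte order) of the only peer allowed to write */
    uint16_t holding_reg_max; /* highest register address exposed by this device */
    uint8_t  allowed_fc[8];   /* bitmap over function codes 0..63 */
} mb_policy;

typedef struct {
    uint32_t src_ip;
    uint16_t transaction_id, start_addr;
    uint8_t  unit_id, function_code;
    mb_verdict verdict;
} mb_event;

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }
static void policy_allow(mb_policy *p, uint8_t fc) { p->allowed_fc[fc >> 3] |= (uint8_t)(1u << (fc & 7)); }
static bool fc_allowed(const mb_policy *p, uint8_t fc) {
    return fc < 64 && (p->allowed_fc[fc >> 3] & (1u << (fc & 7))) != 0;
}
static bool is_write_fc(uint8_t fc) { return fc == 0x05 || fc == 0x06 || fc == 0x0F || fc == 0x10; }
/* Register-oriented functions whose PDU begins with a 16-bit register address. */
static bool has_start_addr(uint8_t fc) { return fc == 0x03 || fc == 0x04 || fc == 0x06 || fc == 0x10; }

/* Inspect one received frame against the local policy; fills *ev and returns the verdict. */
mb_verdict mb_inspect(const uint8_t *buf, size_t len, uint32_t src_ip,
                      const mb_policy *pol, mb_event *ev)
{
    memset(ev, 0, sizeof *ev);
    ev->src_ip = src_ip;
    if (len < MBAP_LEN + 1) return ev->verdict = MB_TRUNCATED;
    ev->transaction_id = be16(buf);
    ev->unit_id = buf[6];
    ev->function_code = buf[7];
    if (be16(buf + 2) != 0) return ev->verdict = MB_BAD_PROTOCOL_ID;
    /* The MBAP length covers everything after the length field (unit id + PDU). */
    if ((size_t)be16(buf + 4) != len - 6) return ev->verdict = MB_LENGTH_MISMATCH;
    if (!fc_allowed(pol, ev->function_code)) return ev->verdict = MB_FUNCTION_DENIED;
    if (is_write_fc(ev->function_code) && src_ip != pol->master_ip)
        return ev->verdict = MB_WRITE_FROM_UNKNOWN;
    if (has_start_addr(ev->function_code)) {
        if (len < MBAP_LEN + 3) return ev->verdict = MB_TRUNCATED;
        ev->start_addr = be16(buf + 8);
        if (ev->start_addr > pol->holding_reg_max) return ev->verdict = MB_RANGE_DENIED;
    }
    return ev->verdict = MB_OK;
}

/* Render an event as one log line for the central collector. Returns the line
 * length, or -1 if it did not fit. Sending it (e.g. over a UDP socket) is up to the caller. */
int mb_format_event(const mb_event *ev, char *out, size_t out_len)
{
    uint32_t ip = ev->src_ip;
    int n = snprintf(out, out_len, "modbus verdict=%d src=%u.%u.%u.%u tid=%u unit=%u fc=0x%02x addr=%u",
                     (int)ev->verdict, (unsigned)(ip >> 24) & 0xFF, (unsigned)(ip >> 16) & 0xFF,
                     (unsigned)(ip >> 8) & 0xFF, (unsigned)ip & 0xFF, (unsigned)ev->transaction_id,
                     (unsigned)ev->unit_id, (unsigned)ev->function_code, (unsigned)ev->start_addr);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Constructed policy: one master, four function codes, 256 holding registers. */
static mb_policy example_policy(void)
{
    mb_policy p; memset(&p, 0, sizeof p);
    p.master_ip = 0xC0A80001u;  /* 192.168.0.1, constructed */
    p.holding_reg_max = 0x00FF;
    policy_allow(&p, 0x03); policy_allow(&p, 0x04); policy_allow(&p, 0x06); policy_allow(&p, 0x10);
    return p;
}

/* Convenience wrapper used by the demo below. */
mb_verdict inspect_with_example_policy(const uint8_t *buf, size_t len, uint32_t src_ip)
{
    mb_policy p = example_policy(); mb_event ev;
    return mb_inspect(buf, len, src_ip, &p, &ev);
}

/* Constructed sample frames. */
static const uint8_t FRAME_READ_OK[]      = {0,1, 0,0, 0,6, 1, 0x03, 0,0, 0,10};       /* read 10 regs at 0 */
static const uint8_t FRAME_WRITE_OK[]     = {0,2, 0,0, 0,6, 1, 0x06, 0,5, 0x12,0x34}; /* write single reg 5 */
static const uint8_t FRAME_BAD_LEN[]      = {0,3, 0,0, 0,32, 1, 0x03, 0,0, 0,1};      /* MBAP length 32, got 6 */
static const uint8_t FRAME_DENIED_FC[]    = {0,4, 0,0, 0,2, 1, 0x2B};                 /* 0x2B not allowlisted */
static const uint8_t FRAME_OUT_OF_RANGE[] = {0,5, 0,0, 0,6, 1, 0x03, 1,0, 0,1};       /* start address 0x0100 */

int main(void)
{
    const uint8_t *frames[] = {FRAME_READ_OK, FRAME_WRITE_OK, FRAME_BAD_LEN, FRAME_DENIED_FC, FRAME_OUT_OF_RANGE};
    const size_t lens[] = {sizeof FRAME_READ_OK, sizeof FRAME_WRITE_OK, sizeof FRAME_BAD_LEN,
                           sizeof FRAME_DENIED_FC, sizeof FRAME_OUT_OF_RANGE};
    mb_policy p = example_policy(); char line[128];
    for (size_t i = 0; i < 5; i++) {           /* all frames from 192.168.0.100, i.e. not the master */
        mb_event ev; mb_inspect(frames[i], lens[i], 0xC0A80064u, &p, &ev);
        if (mb_format_event(&ev, line, sizeof line) > 0) puts(line);
    }
    return 0;
}
```

The checks are ordered from cheapest to most specific so a malformed frame is rejected before any policy lookup, which matters on a microcontroller that must keep serving its control loop while inspecting traffic; only the verdict and a fixed-size event leave the device, so the central logger sees the same compact record from every node.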
