

(MC15) (FIC) Naval Group - A Behavioral Innovative Approach of Intrusion Detection for Industrial Control Systems.
Industrial Control Systems (ICSs) play a critical role in our society: electricity production and distribution, transportation, water supply, medical facilities, manufacturing, etc. These complex systems often expose large and unprotected attack surfaces. Since the beginning of the 21st century, the number of cyberattacks against ICSs has grown steadily. Following the well-known Stuxnet attack, which came to light around 2010, recent events illustrate this trend with a great diversity of attacks around the globe. In 2021, there was an attempt to poison the water supply of the city of Oldsmar, Florida, through the supervisory control station [1]. Later, in 2022, the Urengoy gas pipeline attack against the Russian giant Gazprom resulted in the explosion of a gas pipeline, caused by manipulation of the pipeline's pressurization controls [2]. In the context of the conflict between Ukraine and Russia, other cyberattacks were witnessed during 2022, such as a variant of the well-known Industroyer malware: Industroyer2, among others, targeted an electrical substation in Ukraine [3]. This substantial number of attacks is mainly explained by the recent convergence of Information Technology (IT) and Operational Technology (OT): over the last decades, technologies inherited from IT have been brought into ICSs, and ICS assets have become increasingly interconnected. Despite growing awareness, new detection solutions are needed more than ever.

Regarding Intrusion Detection Systems (IDSs), three major approaches exist:

- Signature-based IDS. This approach detects the symptoms of an attack in observed activity, based on knowledge accumulated from known attacks. Most of the time, static rules are deployed to search for known data patterns that characterize an attack. This technique gives very good results, especially in the IT domain, and is already applied in many commercial detection products (antivirus software, for instance). Its main drawbacks are that it cannot detect zero-day attacks and that the database of detection rules requires frequent updates. Consequently, this approach is not the most suitable for OT, where assets are updated far less often.

- Behavior-based IDS relying on machine learning. Behavior-based detection characterizes the normal behavior of a system and can therefore detect unknown attacks. Using machine learning allows the behavior of a system and its assets to be learned automatically, which is particularly useful when a large quantity of data has to be processed. This methodology is intensively explored by the research community, and some industrial solutions already exist on the market. From a network point of view, this approach gives very good results. Its main drawback is that the resulting models have no understanding of the physical process. Yet every ICS datum has a physical meaning, and understanding the physical process is crucial to protecting it effectively against intrusions.

- Behavior-based IDS relying on expert knowledge. This technique also characterizes the normal functioning of a system, but this time knowledge of the physical process is used to construct the detection model. Most of the time, static or dynamic rules are written by a human expert to characterize the system. Manually derived rules are the main drawback of this approach, although this is not always the case and some approaches automate that part. This direction of research is the most recently explored, and IDSs in this category are not widely commercialized yet (even though some COTS IDSs offer configurable rules suited to behavioral detection).

These three approaches are complementary, and each is more or less suitable depending on the system being monitored. We argue that behavior-based IDSs relying on expert knowledge are the most suitable in the specific context of ICSs, since they allow the detection of novel attacks while taking knowledge of the physical process into account. Our research is therefore directed toward this category, and more specifically toward specification-based IDSs. In our approach, we characterize the normal behavior of an ICS by extracting the safety specifications present in international and industry standards. These specifications are translated into security properties monitored by our detection system: temporal and sequential rules that capture the dynamic behavior of the system together with the meaning of process data. Our approach has been validated on a real ICS platform [4] with different attacks covering a wide spectrum of the MITRE ATT&CK framework [5], and it provides real-time detection. Moreover, our methodology generates a reasonable number of rules, and these rules have a longer lifespan than signature-based rules. In this presentation, we detail the typical architecture and characteristics of ICSs, present various intrusion detection solutions with their advantages and disadvantages, and then detail our approach: architecture, implementation on a use case, results and future work.
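The specification-based monitoring described above, as an added example that is not Naval Group's code and is not taken from the platform in [4]: a small Python monitor that evaluates three kinds of properties over a stream of process readings. A static invariant (a tank level must stay inside its physical envelope), a temporal rule (once the high-level alarm threshold is reached, the feed pump must be stopped within a deadline) and a sequential rule (a valve may only be opened while the pump is running). The tag names TK1_LEVEL, P1_RUN and V1_OPEN, the thresholds, the 5-second deadline and both telemetry streams are constructed for illustration and do not come from any standard; the rule shapes mirror the temporal and sequential rules the abstract describes.

```python
"""Specification-based monitor for ICS process data (illustrative, not Naval Group's code).

Tags, setpoints and the telemetry streams below are constructed for the example.
Each rule is a property derived from a (hypothetical) safety specification and is
evaluated against the latest known process state, not against traffic signatures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

State = Dict[str, float]          # latest value seen for each process tag


@dataclass(frozen=True)
class Reading:
    t: float                      # timestamp, seconds
    tag: str                      # process variable, as polled from the PLC
    value: float


@dataclass
class Alert:
    t: float
    rule: str
    detail: str


class InvariantRule:
    """Static property: a tag must always stay inside its physical envelope."""

    def __init__(self, name: str, tag: str, lo: float, hi: float):
        self.name, self.tag, self.lo, self.hi = name, tag, lo, hi

    def check(self, r: Reading, prev: State, cur: State) -> Optional[Alert]:
        if r.tag == self.tag and not (self.lo <= r.value <= self.hi):
            return Alert(r.t, self.name, f"{r.tag}={r.value} outside [{self.lo}, {self.hi}]")
        return None


class DeadlineRule:
    """Temporal property: once `trigger` holds, `expected` must hold within `deadline` s.

    The rule is evaluated on every reading (any reading advances time), fires at most
    once per triggering episode, and re-arms only after the trigger has cleared.
    """

    def __init__(self, name: str, trigger: Callable[[State], bool],
                 expected: Callable[[State], bool], deadline: float):
        self.name, self.trigger, self.expected, self.deadline = name, trigger, expected, deadline
        self.armed_at: Optional[float] = None
        self.done = False

    def check(self, r: Reading, prev: State, cur: State) -> Optional[Alert]:
        if not self.trigger(cur):
            self.armed_at, self.done = None, False   # condition cleared: reset episode
            return None
        if self.armed_at is None:
            self.armed_at, self.done = r.t, False    # start of a new episode
        if self.done:
            return None
        if self.expected(cur):
            self.done = True                         # reaction observed in time
            return None
        if r.t - self.armed_at > self.deadline:
            self.done = True
            return Alert(r.t, self.name,
                         f"expected reaction missing {r.t - self.armed_at:.1f}s after trigger")
        return None


class SequenceRule:
    """Sequential property: the transition `tag -> value` requires `precondition` beforehand."""

    def __init__(self, name: str, tag: str, value: float, precondition: Callable[[State], bool]):
        self.name, self.tag, self.value, self.precondition = name, tag, value, precondition

    def check(self, r: Reading, prev: State, cur: State) -> Optional[Alert]:
        transitioned = r.tag == self.tag and r.value == self.value and prev.get(self.tag) != self.value
        if transitioned and not self.precondition(prev):
            return Alert(r.t, self.name, f"{r.tag} -> {r.value} without its precondition")
        return None


class Monitor:
    def __init__(self, rules):
        self.rules, self.state, self.alerts = list(rules), {}, []

    def feed(self, r: Reading) -> List[Alert]:
        prev = dict(self.state)
        self.state[r.tag] = r.value
        new = [a for a in (rule.check(r, prev, self.state) for rule in self.rules) if a]
        self.alerts.extend(new)
        return new


def build_rules():
    # Hypothetical safety specification for a tank fed by pump P1 through valve V1.
    return [
        InvariantRule("invariant", "TK1_LEVEL", 0.0, 95.0),            # level in % of capacity
        DeadlineRule("deadline",
                     trigger=lambda s: s.get("TK1_LEVEL", 0.0) >= 85.0,  # high-level alarm
                     expected=lambda s: s.get("P1_RUN", 0.0) == 0.0,     # pump must stop
                     deadline=5.0),
        SequenceRule("sequence", "V1_OPEN", 1.0,
                     precondition=lambda s: s.get("P1_RUN", 0.0) == 1.0),
    ]


def run(stream) -> List[Alert]:
    m = Monitor(build_rules())
    for t, tag, value in stream:
        m.feed(Reading(t, tag, float(value)))
    return m.alerts


# Constructed telemetry: valve forced open before the pump runs, then the pump is kept
# running past the high-level alarm until the tank overflows its physical envelope.
ATTACK_STREAM = [
    (0.0, "P1_RUN", 0), (0.0, "V1_OPEN", 0), (0.0, "TK1_LEVEL", 60),
    (1.0, "V1_OPEN", 1), (2.0, "P1_RUN", 1), (4.0, "TK1_LEVEL", 86),
    (6.0, "TK1_LEVEL", 90), (8.0, "P1_RUN", 1), (10.0, "TK1_LEVEL", 94),
    (12.0, "TK1_LEVEL", 97),
]

# Constructed telemetry: same process operated normally (pump stops 3 s after the alarm).
BENIGN_STREAM = [
    (0.0, "P1_RUN", 0), (0.0, "V1_OPEN", 0), (0.0, "TK1_LEVEL", 60),
    (1.0, "P1_RUN", 1), (2.0, "V1_OPEN", 1), (4.0, "TK1_LEVEL", 86),
    (7.0, "P1_RUN", 0), (9.0, "TK1_LEVEL", 88), (12.0, "TK1_LEVEL", 80),
]

if __name__ == "__main__":
    for a in run(ATTACK_STREAM):
        print(f"t={a.t:5.1f}  {a.rule:9s}  {a.detail}")
    print("benign alerts:", run(BENIGN_STREAM))
```

On the attack stream the monitor raises one alert per violated property (sequence at t=1, deadline at t=10, invariant at t=12) and none on the benign stream. Two practical points follow from the design: the rules are evaluated against the latest known state, so the monitor must see every write to the tags it references (a passive tap on the field network or its own polling of the PLC), and a value the attacker never lets reach that tap is invisible to it; and the thresholds come from the process specification rather than from training data, which is what gives such rules a longer lifespan than signatures.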

