Efficient Intrusion Detection on Low-Performance Industrial IoT Edge Node Devices

TL;DR

This paper presents a decentralized intrusion detection method tailored for low-performance industrial IoT edge devices, enabling effective security monitoring without high resource demands.

Contribution

It introduces a novel distributed IDS approach suitable for microcontrollers in industrial IoT environments, bridging the gap between resource constraints and security needs.

Findings

Feasibility demonstrated on MCU with FreeRTOS and LwIP

Distributed agents effectively detect suspicious activity

Approach suitable for low-performance industrial devices

Abstract

Communication between sensors, actors and Programmable Logic Controllers (PLCs) in industrial systems moves from two-wire field buses to IP-based protocols such as Modbus/TCP. This increases the attack surface because the IP-based network is often reachable from everywhere within the company. Thus, centralized defenses, e.g. at the perimeter of the network do not offer sufficient protection. Rather, decentralized defenses, where each part of the network protects itself, are needed. Network Intrusion Detection Systems (IDSs) monitor the network and report suspicious activity. They usually run on a single host and are not able to capture all events in the network and they are associated with a great integration effort. To bridge this gap, we introduce a method for intrusion detection that combines distributed agents on Industrial Internet of Things (IIoT) edge devices with a centralized logging. In contrast to existing IDSs, the distributed approach is suitable for industrial low performance microcontrollers. We demonstrate a Proof of Concept (PoC) implementation on a MCU running FreeRTOS with LwIP and show the feasibility of our approach in an IIoT application.