TL;DR
This paper introduces IPAL, a protocol abstraction layer that decouples industrial intrusion detection from specific protocols, enabling cross-domain application and addressing siloed research in industrial cybersecurity.
Contribution
The paper proposes IPAL, a novel abstraction layer that generalizes intrusion detection systems across different industrial protocols, supported by a correctness proof and empirical analysis.
Findings
Existing detection systems can generalize beyond their original protocols.
IPAL effectively decouples detection from protocol-specific details.
Many approaches are not inherently limited to specific domains.
Abstract
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple…