On the Challenges of Holistic Intrusion Detection in ICS
Stefan Lenz, Julia Raab, Benedikt Holzbach, Deniz Köller, Sotiris Michaelides, Martin Henze

TL;DR
This paper discusses the challenges in developing a comprehensive intrusion detection system for industrial control systems, emphasizing the complexity of monitoring multiple aspects simultaneously.
Contribution
It highlights the difficulties faced in creating a holistic intrusion detection approach that covers all ICS dimensions, based on the authors' research experience.
Findings
Multiple detection systems are needed for different ICS characteristics.
Deploying parallel detection systems complicates practical operation.
Holistic detection remains a significant research challenge.
Abstract
Past attacks against industrial control systems (ICS) show that adversaries often target both the ICS network and the physical process to achieve potential catastrophic impact. To secure ICS, intrusion detection systems promise timely uncovering of such adversaries. However, as these detection mechanisms typically focus on isolated characteristics of ICS (e.g., packet timings), multiple detection systems have to be deployed in parallel, complicating their operation in practice. In this work, to spur discussion and further research, we present challenges encountered during our research towards a holistic intrusion detection system aiming to cover all dimensions of an ICS.
