Abstract

As demonstrated by the large number of related studies, the field of anomaly detection in the context of Industrial Control Systems (ICS) has reached a certain level of maturity. However, we believe that additional research is needed in order to explore the side-channel-specific parameters exposed by regular operations within ICS. The term “side channel” is usually found in cryptanalysis, where information about the behavior of the cipher, that is, non-functional information, is used to break the cipher. In the context of anomaly detection, side channels denote non-functional information that can be derived from the normal operation of the system in order to infer the actual system state. This paper presents an anomaly detection system that explores the periodicity in ICS communications, where particular application-level operations are triggered periodically. To this end, we leverage the periodicity of a security protocol that has been implemented as part of our prior work to secure communications in ICS. We measure the deviations in the execution of the protocol’s different phases in order to detect abnormal events that are caused at different levels in the architecture of the ICS. The main advantage of the developed approach is that it is protocol-, software- and application-agnostic, making it suitable for legacy ICS as well. Experimental results are obtained in the context of a real industrial control system operating in a Romanian gas transportation network.
