On the Efficacy of Anomaly Detection in Process Control Networks
Alfonso Valdes, SRI International, alfonso.valdes@sri.com
April, 2006
Background
• Digital automation has made control systems safer and more productive
• Formerly: purpose-built, isolated, proprietary protocols and platforms
• Increasingly: commodity platforms and protocols encapsulating legacy protocols, with integration to enterprise systems
• Intelligent end devices with embedded OS, configured over a web interface
• Security practices lag enterprise security
  • Best practice documents emerging
  • Widely distributed systems with weak perimeter control
  • IDS/IPS still relatively novel in PCS
  • Threat not well understood
Critical Need
• The National Critical Infrastructure needs defenses that
  • detect and prevent cyber and blended cyber/physical attack,
  • enable effective response, and facilitate timely recovery
• Such defenses must secure the present heterogeneous environment of legacy and modern systems, as well as get and stay ahead of the technology curve
Anomaly Detection
• Advantage over signature systems: potential to detect unknown attacks
• Not widely used in enterprise IDS/IPS
  • False alarms
  • Malicious is not always anomalous, anomalous is not always malicious (McHugh)
• Learning based
  • Statistical
  • N-Grams
• Specification based
  • Difficult to specify real systems at adequate fidelity
Hypothesis: AD Will Be More Effective in Control Systems
• Topology is relatively static
• System mission is relatively narrow in scope
• Many important messages are regularly timed
• Both learning-based and spec-based AD may be more feasible and effective
• Room to explore information-theoretic, frequency, wavelet, and other novel approaches
• Counter trend: adoption of sensor nets (large number of nodes, nodes come and go)
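The two slides above argue that learning-based anomaly detection is more tractable in a control network because the set of flows is static and polling traffic is regularly timed. The following is an added example, not code from the slides or from SRI, of a toy statistical detector that learns exactly those two things from a training window: the set of (source, destination, function) flows, and each flow's inter-arrival mean and deviation. It then flags any flow not seen in training and any message whose spacing departs from the learned polling interval. All addresses, function names and traffic are constructed for the example; they do not come from the slides.

```python
"""Added example: a learning-based flow/timing anomaly detector for a
polling-style process control network.  Constructed traffic, hypothetical
addresses and function names; not from the original slides."""
from collections import defaultdict
from statistics import mean, pstdev


def make_traffic(start=0.0, n_cycles=20):
    """Constructed sample traffic: (timestamp_s, src, dst, function) tuples.
    A master at 10.0.0.1 polls two RTUs every 2 s and each RTU replies."""
    records, t = [], start
    for _ in range(n_cycles):
        records.append((t, "10.0.0.1", "10.0.0.20", "read_holding_registers"))
        records.append((t + 0.05, "10.0.0.20", "10.0.0.1", "read_holding_registers_resp"))
        records.append((t + 1.0, "10.0.0.1", "10.0.0.21", "read_coils"))
        records.append((t + 1.05, "10.0.0.21", "10.0.0.1", "read_coils_resp"))
        t += 2.0
    return records


class FlowTimingDetector:
    """Learns which flows exist and how regularly each one recurs, then
    alerts on unknown flows and on off-schedule messages."""

    def __init__(self, sigma=3.0, min_std=0.02):
        self.sigma = sigma          # tolerance in standard deviations
        self.min_std = min_std      # floor so a perfectly regular flow keeps a tolerance
        self.profile = {}           # flow -> (mean_interval, std_interval)
        self.last_seen = {}         # flow -> timestamp of its previous message

    def train(self, records):
        """Baseline phase: record every flow and its inter-arrival statistics."""
        times_by_flow = defaultdict(list)
        for t, src, dst, func in sorted(records):
            times_by_flow[(src, dst, func)].append(t)
        for flow, times in times_by_flow.items():
            gaps = [b - a for a, b in zip(times, times[1:])]
            if gaps:
                self.profile[flow] = (mean(gaps), max(pstdev(gaps), self.min_std))
            else:  # seen once; no timing model, but the flow itself is known
                self.profile[flow] = (None, None)
        self.last_seen = {}

    def detect(self, records):
        """Detection phase: return a list of alert tuples for the window."""
        alerts = []
        for t, src, dst, func in sorted(records):
            flow = (src, dst, func)
            if flow not in self.profile:
                alerts.append((t, "unknown_flow", flow))
                continue
            mu, sd = self.profile[flow]
            prev = self.last_seen.get(flow)
            if prev is not None and mu is not None:
                gap = t - prev
                if abs(gap - mu) > self.sigma * sd:
                    alerts.append((t, "timing", flow, round(gap, 3)))
            self.last_seen[flow] = t
        return alerts


def run_demo():
    """Train on 40 s of clean polling, then inspect a window containing a
    rogue host and an off-schedule poll from the legitimate master."""
    det = FlowTimingDetector()
    det.train(make_traffic(0.0, 20))
    window = make_traffic(40.0, 3)
    window.append((41.5, "10.0.0.99", "10.0.0.20", "write_single_register"))  # unknown host/function
    window.append((40.3, "10.0.0.1", "10.0.0.20", "read_holding_registers"))   # poll 0.3 s after the last one
    return det.detect(window)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The off-schedule poll produces two timing alerts (the early message itself and the next regular poll, whose gap is now 1.7 s instead of 2 s), which is a small illustration of the false-alarm concern on the preceding slide: one event can perturb the statistics of the messages around it, so a deployed detector would normally aggregate alerts per flow rather than report each message.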