Power stations, water supplies, oil refineries, large transport hubs and telecommunication networks are all defined as critical infrastructure needed for a country to function normally. However, the importance of these assets mean they are also likely targets of malicious cyber attacks – particularly from terrorist or state actors.

Modern large-scale infrastructure is increasingly operated by bespoke computer systems known as Industrial Control Systems (ICS).  There have been several high profile examples of Industrial Control Systems being attacked – these include nuclear research facilities, a German steel mill and the Ukrainian power grid.

Control systems are typically defended by passive Intrusion Detection Systems. Passive systems are traditional Network Intrusion Detection Systems, which generate no new network traffic.

Passive systems offer a low cost solution and are effective against simplistic threats. However, when deployed on their own, passive defences can be exploited by more determined and sophisticated attacks, producing a detection rate as low as 53 per cent in testbed environments.

Active defence systems are more effective against sophisticated attacks, however their use is undesirable because they are costly, resource-intensive and risk overloading old hardware systems. These solutions involve directly interrogating the system’s controlling device for information.

Research by Lancaster University’s Security Lancaster research centre has identified a hybrid approach to Intrusion Detection for ICS that provides the best of both worlds. The system, called ‘Selective Non-invasive Active Monitoring for ICS Intrusion Detection’ (SENAMI), is a new method of active monitoring that is used very selectively.

SENAMI works by first passively establishing baseline patterns of information – such as traffic quantity, IP addresses, timings and type of data. SENAMI then performs checks every 30 seconds and alerts if the level of traffic is suspicious. It also actively assesses a select small number of values of information from the system’s controlling device, which could give away an intrusion. The low quantity of values ensures SENAMI is able to request values frequently without putting strain on the system it is monitoring, while still being able to detect highly-targeted attacks. This provides the benefits of active detection without the associated risks.

Through experiments conducted on Siemens S7 ICS equipment (the same type used in ICS environments all over the UK today), using Lancaster University’s comprehensive ICS testbed, researchers found SENAMI was able to detect almost all passive attacks and a significant amount of the active attacks modelled by the researchers, with very few  false negatives.

Professor Awais Rashid, Director of Security Lancaster and co-author of the paper, said: “SENAMI’s combination of active and passive monitoring allows the detection of a range of attacks, including combined attacks using decoys – such as denial of service attacks.

“This work is a first step towards developing more robust and practical defences that can ensure industrial control systems for national critical infrastructure are secure from sophisticated and determined attack.”

The work, which is detailed in the paper ‘SENAMI: Selective Non-Invasion Active Monitoring for ICS Intrusion Detection’, is due to be presented at the second ACM workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC) by William Jardine, who co-authored the paper while studying at Lancaster University and is now at MWR InfoSecurity.

He said: “SENAMI is a very specific solution for Siemens S7 Industrial Control Systems Environments; it addresses particular issues that could be exploited against those systems.

“The main takeaway we hope people have from this work is the benefit truly bespoke ICS security can have, as compared to more generic solutions. As well as the importance of this.”

More information about Security Lancaster can be found by visiting http://www.lancaster.ac.uk/security-lancaster/ . The full SENAMI paper can be found here: http://eprints.lancs.ac.uk/81642/1/senami.pdf.