Industrial Control System Network Intrusion Detection by Telemetry Analysis

IEEE Trans. Dependable Sec. Comput. (2016)

Abstract
Until recently, Industrial Control Systems (ICSs) used “air-gap” security measures, where every node of the ICS network was isolated from other networks, including the Internet, by a physical disconnect. Attaching ICS networks to the Internet benefits companies and engineers who use them. However, as these systems were designed for use in the air-gapped security environment, protocols used by ICSs contain little to no security features and are vulnerable to various attacks. This paper proposes an approach to detect intrusions into network-attached ICSs by measuring and verifying data that is transmitted through the network but is not inherently the data used by the transmission protocol: network telemetry. Using simulated PLC units, the developed IDS was able to achieve 94.3% accuracy when differentiating between machines of an attacker and engineer on the same network, and 99.5% accuracy when differentiating between attacker and engineer on the Internet.
Keywords
control systems,intrusion detection,networked control systems,nonlinear network analysis,telemetry