Industrial Security & Intrusion Detection

Intrusion Detection and Intrusion Prevention for the Industrial Internet of Things (IIoT) – a need for web-connected devices.

Why smart factories need protection.

The Industrial Internet of Things (IIoT) offers new growth opportunities, primarily as a way to improve operational efficiency. The interconnection of intelligent industrial products, processes and services that communicate with each other over a global network, however, has significant implications for the technical architecture and infrastructure. In the past, industrial networks tended to be isolated and based on proprietary communication protocols. More recently, the demand for interoperability with centralized management and control software, and the adoption of cheaper, standards-based technology such as Ethernet and TCP/IP, has substantially enlarged the attack surface: disruption of operations, sabotage, cyber attacks and data theft by criminals, foreign governments and rogue employees all become easier once a controller is reachable from a routed network. Companies therefore must address the risks of intelligent machinery connected to networks and establish a comprehensive cyber-physical security architecture.

With intrusion detection and intrusion prevention against malicious activities.

As IP networking and the IIoT continue to expand, protecting networks against malicious intruders and unauthorized activities, such as tampering with the configuration and operation of industrial control systems and connected field devices, becomes even more critical to any business. One of the most significant security problems for industrial control systems today is that operators cannot tell when a system is being attacked or has already been compromised. An intrusion detection system identifies a potential security incident, logs the captured data and typically raises an alert; it does not itself stop the traffic. An intrusion prevention system, on the other hand, responds automatically to suspicious activity, for example by resetting the connection or by blocking network traffic from the suspected malicious source. Ideally the two work hand in hand: a new malicious pattern identified by the detection stage should be turned promptly into a prevention rule, so that the next occurrence of the same pattern is blocked before it can do harm. Because a prevention rule acts on live traffic, an ill-judged rule can interrupt legitimate control traffic, so the promotion from alert to block should be governed by the severity of the finding and by pre-defined policy rather than applied blindly.

Network intrusion detection and intrusion prevention for embedded devices.

In general, intrusion detection and prevention capabilities can be deployed on individual devices such as routers, field devices and programmable logic controllers (PLCs), or they can be built into the network by continuously monitoring all data flowing through it. Ideally both approaches are combined. In practice, however, embedded industrial devices have very limited resources and long firmware lifecycles, so they can rarely perform the computationally expensive analysis that intrusion detection requires; a network-based approach is therefore the practical answer for most plants. This is not only the more cost-effective option, both initially and in the long run, but also a more feature-rich and flexible one: traffic can be stored in full, which is crucial for forensic analysis during a post-mortem or a routine check; a single deployment can monitor the entire network; and hardware and software upgrades are cheaper and safer, because a network-based IDS is passive (typically fed from a mirror port or a network tap) and therefore non-invasive to the existing systems and easy to retrofit to legacy networks and devices. The caveat is that a network sensor only sees what is on the wire: it cannot observe local changes made at a device's console or through a serial link, so the choice of monitoring points matters.

DATATRONiQ provides a purpose-built intrusion detection system for industrial networks.

While industrial and commercial networking technologies have converged, there are still substantial differences in communication protocols (PROFINET, CAN bus and EtherCAT are all specific to embedded-device and industrial scenarios) and in the nature of the traffic itself: communication in such environments shows far less variance in payloads and endpoints than office traffic, because the same controllers exchange the same message types on a fixed schedule. Traditional IDS solutions built for data centers or office IT networks therefore neither parse these protocols nor exploit this regularity, and are not suitable for intrusion detection in industrial environments. DATATRONiQ offers intrusion detection capabilities that monitor the inbound and outbound packets within industrial networks and trigger alarms when suspicious activity is detected. By learning the behaviour of the network automatically while it is in an uncompromised state, we can continuously perform in-depth analysis on all network traffic to identify uncharacteristic behaviour; the learning phase must be run on traffic that is known to be clean, since anything present during that window is accepted as normal, and it has to be repeated after legitimate changes to the plant. Simultaneously, we monitor the machine controllers of production machines to check for irregular behaviour of the machine itself. In case of suspicious behaviour DATATRONiQ can communicate directly with machine controllers in real time to take protective measures, for example shutting down a machine to prevent damage to the equipment or work pieces. DATATRONiQ intrusion prevention converts attack knowledge gained from real-time intrusion detection directly into actionable defense strategies to mitigate future attacks, enriched by pre-defined policies and procedures.
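The two sections above describe the mechanism in prose: learn what the network looks like while it is clean, flag conversations and message types that were never seen, and promote high-confidence findings into prevention rules. The following Python is an added illustration of that loop and is not DATATRONiQ's code. It works on constructed flow records (an HMI polling two PLCs over Modbus/TCP, a historian pulling from the HMI) rather than captured packets; the addresses, the Modbus function codes used as the "message type" and the severity policy are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP function codes that change controller state (coil/register writes).
# Only these codes are used here; the mapping itself is standard Modbus.
WRITE_FUNCS = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    """One observed request, reduced to the fields the baseline model uses."""
    src: str
    dst: str
    dport: int
    func: Optional[int]  # Modbus function code, None for non-Modbus traffic


# Constructed baseline traffic from a window known to be clean (assumed addresses):
# the HMI 10.0.1.10 reads holding registers (func 3) from two PLCs, and the
# historian 10.0.1.20 pulls from the HMI over HTTPS.
BASELINE = (
    [Flow("10.0.1.10", "10.0.2.1", 502, 3)] * 50
    + [Flow("10.0.1.10", "10.0.2.2", 502, 3)] * 50
    + [Flow("10.0.1.20", "10.0.1.10", 443, None)] * 10
)


def learn_baseline(flows):
    """Build the model of normal behaviour: the set of conversations seen and the
    function codes seen per destination. Anything present in this window becomes
    'normal', so it must only ever be fed traffic known to be clean."""
    model = {"conversations": set(), "funcs_per_dst": {}}
    for f in flows:
        model["conversations"].add((f.src, f.dst, f.dport))
        if f.func is not None:
            model["funcs_per_dst"].setdefault(f.dst, set()).add(f.func)
    return model


def detect(model, flow):
    """IDS stage: None for traffic matching the baseline, otherwise an alert.
    Severity policy (an assumption): an unknown host issuing a write is 'high';
    a known conversation using an unseen write code is only 'medium', because it
    may be a legitimate operation that the baseline window did not contain."""
    known_conv = (flow.src, flow.dst, flow.dport) in model["conversations"]
    known_func = flow.func is None or flow.func in model["funcs_per_dst"].get(flow.dst, set())
    if known_conv and known_func:
        return None
    is_write = flow.func in WRITE_FUNCS
    if not known_conv:
        reason, severity = "unknown conversation", ("high" if is_write else "medium")
    else:
        reason = f"unseen function code {flow.func} on known conversation"
        severity = "medium" if is_write else "low"
    return {"reason": reason, "severity": severity, "flow": flow}


class Pipeline:
    """IDS feeding IPS: every alert is logged, and only 'high' alerts are promoted
    to a block rule on the source, so later traffic from it is dropped before
    inspection. Lower severities stay alerts for an operator to judge."""

    def __init__(self, model):
        self.model = model
        self.blocked = set()
        self.alerts = []

    def process(self, flow):
        if flow.src in self.blocked:
            return "blocked"
        alert = detect(self.model, flow)
        if alert is None:
            return "allowed"
        self.alerts.append(alert)
        if alert["severity"] == "high":
            self.blocked.add(flow.src)
            return "blocked"
        return "alerted"


def run_demo():
    """Replay constructed live traffic through the pipeline and return the verdicts."""
    pipeline = Pipeline(learn_baseline(BASELINE))
    live = [
        Flow("10.0.1.10", "10.0.2.1", 502, 3),   # routine poll, matches baseline
        Flow("10.0.1.10", "10.0.2.1", 502, 16),  # HMI writes registers: new code on known conversation
        Flow("10.0.1.99", "10.0.2.2", 502, 16),  # unknown host writes to a PLC: blocked
        Flow("10.0.1.99", "10.0.2.1", 502, 3),   # same host, already blocked, never inspected
    ]
    return [pipeline.process(f) for f in live], pipeline


if __name__ == "__main__":
    verdicts, p = run_demo()
    for verdict, alert in zip(verdicts, p.alerts + [None] * len(verdicts)):
        print(verdict, "" if alert is None else alert["reason"])
    print("block rules:", sorted(p.blocked))
```

The second live flow is the case the page warns about when it talks about distinguishing chance anomalies from actual attacks: the write comes from the trusted HMI, so the example raises an alert rather than cutting the HMI off from its PLC. Whether that is the right policy for a given plant is exactly what the pre-defined procedures have to decide, and a baseline that never contained a legitimate write will keep producing this alert until it is re-learned.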

Benefits and conclusions.

It is important to understand that even the most insignificant connected device can be the gateway through which an attack reaches the entire network. It is essential to pay close attention to the networked equipment: identify vulnerable embedded devices, put them behind an advanced intrusion detection and prevention solution, and continuously monitor all network activity to determine whether the system or network is under attack. The earlier an attack is detected, the easier mitigation becomes and the greater the chance of limiting or preventing serious damage or loss of information. With DATATRONiQ, manufacturers can quickly identify patterns of network misuse, distinguish chance anomalies from actual attacks to avoid false alarms, keep their intrusion prevention rules and attack pattern memory up to date to help prevent future attacks, and support their staff in ongoing intrusion detection and prevention duties.