Towards Accurate and Reliable Industrial Intrusion Detection Systems Using Shadow Replicas
Abstract
Supervisory Control and Data Acquisition (SCADA) systems supervise a wide range of safety-critical industrial control systems. Because of their sensitive role, SCADA systems have been targeted by adversaries using a broad spectrum of attacks. This thesis proposes an approach to protect SCADA systems against attacks that evade detection because no single monitor has a comprehensive view of both network-layer and application-layer behaviour. Specifically, we pair multiple open-source Network Intrusion Detection Systems (NIDSs) with a SCADA shadow replica to provide threat detection at both the network and application layers. The shadow replica is augmented with a Finite State Machine (FSM) that computes the anticipated states of the SCADA system and of the connected devices; a mismatch between an anticipated state and the state a live device reports indicates tampering even when the traffic itself looks well-formed. Because the replica is isolated from the operational network, it is protected from direct front-end attacks. When the SCADA system is compromised, even without an NIDS alert, the replica can expose the attack and serve as an operational failover. We implement a prototype of our system and evaluate it against locally executed attacks on commercial out-of-the-box devices and against public IoT datasets. In our evaluations, deploying the shadow replica alongside the NIDSs can enhance detection coverage.
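The following is an added illustration of the shadow-replica idea described in the abstract; it is not the thesis's prototype, and the two-state actuator model, the message fields, the trusted master address 10.0.0.5, and the single NIDS rule are all assumptions chosen so the check runs offline. It shows why the two detectors are complementary: a signature-style NIDS inspects header fields and sources, while the replica replays the command stream through the FSM and flags a device response whose reported state contradicts the anticipated one.

```python
# Added example: shadow replica with an FSM beside a toy network-layer check.
# Not the thesis's code. Device model, message format, addresses and the
# NIDS rule are assumptions made for illustration.

from dataclasses import dataclass

# Assumed device: one actuator whose FSM has two states and two commands.
EXPECTED_TRANSITIONS = {
    ("CLOSED", "OPEN_VALVE"): "OPEN",
    ("CLOSED", "CLOSE_VALVE"): "CLOSED",
    ("OPEN", "CLOSE_VALVE"): "CLOSED",
    ("OPEN", "OPEN_VALVE"): "OPEN",
}
KNOWN_FUNCTIONS = {"OPEN_VALVE", "CLOSE_VALVE", "READ_STATE"}
TRUSTED_MASTER = "10.0.0.5"  # assumed HMI/master address


@dataclass
class Msg:
    src: str
    kind: str         # "cmd" (master -> device) or "resp" (device -> master)
    function: str
    state: str = ""   # for "resp" only: the state the device reports


def nids_check(msg):
    """Toy network-layer rule: alert on unknown function codes or on commands
    from an untrusted source. Like a signature NIDS, it sees header fields,
    not whether a reported state is consistent with the command history."""
    if msg.function not in KNOWN_FUNCTIONS:
        return f"NIDS: unknown function {msg.function!r}"
    if msg.kind == "cmd" and msg.src != TRUSTED_MASTER:
        return f"NIDS: command from untrusted source {msg.src}"
    return None


@dataclass
class ShadowReplica:
    """Isolated copy of the device FSM that replays the command stream and
    tracks the state the real device should be in."""
    state: str = "CLOSED"

    def observe(self, msg):
        """Return an alert string if the message contradicts the model, else None."""
        if msg.kind == "cmd":
            if msg.function == "READ_STATE":
                return None  # reads do not change state
            key = (self.state, msg.function)
            if key not in EXPECTED_TRANSITIONS:
                return f"REPLICA: {msg.function} not valid in state {self.state}"
            # Replay every command, even one the NIDS disliked: the real
            # device will execute it too, and the replica must stay in step.
            self.state = EXPECTED_TRANSITIONS[key]
            return None
        # Response: the reported state must equal the anticipated state.
        if msg.state != self.state:
            return (f"REPLICA: device reports {msg.state} but anticipated "
                    f"state is {self.state}")
        return None

    def failover_state(self):
        """State an operator can fall back on when the live device is suspect."""
        return self.state


def run_trace(trace):
    """Feed each message to both detectors; return (alerts, replica)."""
    replica = ShadowReplica()
    alerts = []
    for i, msg in enumerate(trace):
        for alert in (nids_check(msg), replica.observe(msg)):
            if alert:
                alerts.append((i, alert))
    return alerts, replica


# Constructed trace: the master opens the valve; the device's READ_STATE
# reply is then falsified to "CLOSED" (well-formed, so the NIDS is silent);
# finally a rogue host sends a command (caught by the NIDS rule).
SAMPLE_TRACE = [
    Msg("10.0.0.5", "cmd", "OPEN_VALVE"),
    Msg("10.0.0.20", "resp", "OPEN_VALVE", state="OPEN"),
    Msg("10.0.0.5", "cmd", "READ_STATE"),
    Msg("10.0.0.20", "resp", "READ_STATE", state="CLOSED"),  # falsified reply
    Msg("10.0.0.99", "cmd", "CLOSE_VALVE"),                  # rogue master
]

if __name__ == "__main__":
    found, rep = run_trace(SAMPLE_TRACE)
    for i, a in found:
        print(f"msg {i}: {a}")
    print("failover state:", rep.failover_state())
```

The falsified reply at index 3 is caught only by the replica, and the rogue command at index 4 only by the NIDS rule; neither detector alone covers both. The replica still replays the rogue command so that its failover state matches what the physical device actually did.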