Intrusion Detection in Networked Control Systems: From System Knowledge to Network Security

M. Caselli

    Research output: Thesis › PhD Thesis - Research UT, graduation UT



"Networked control system" (NCS) is an umbrella term encompassing a broad variety of infrastructures such as industrial control systems (ICSs) and building automation systems (BASs). Nowadays, all these infrastructures play an important role in several aspects of our daily life, from managing essential services such as energy and water (e.g., critical infrastructures) to monitoring the increasingly smart environments that surround us (e.g., the Internet of Things). Over the years, NCS technology has progressively switched to IT digital networks and has been integrated with the Internet. This fact has changed the way operators manage and control their infrastructures and has introduced several security threats. Skilled crackers (also known as black-hat hackers) can remotely access NCSs and change infrastructure behavior, potentially endangering human lives (e.g., by causing a malfunction of a nuclear power plant). For this reason, NCS stakeholders have been facing the challenge of protecting their infrastructures against cyber-attacks and, especially, targeted attacks, namely those attacks carried out by resourceful and motivated organizations (e.g., Stuxnet). A common practice for protecting NCSs includes the use of standard IT security solutions and techniques. However, most of the time these solutions do not fit such different environments. Furthermore, any security solution applied to NCSs should never interfere with infrastructure operations. This is particularly important when it comes to NCSs that monitor critical infrastructures and thus sensitive physical processes (e.g., energy production). Finally, most of today's NCS security solutions still fail to convey accurate information to the operators and do not allow them to quickly and unambiguously identify potentially dangerous situations.

In fact, this would require more sophisticated techniques capable of understanding the surrounding environment and conclusively discerning between malicious activities and valid operations. For all these reasons, this thesis tackles the challenge of developing more incisive and effective security solutions for NCSs. We focus on intrusion detection to passively monitor and evaluate infrastructure operations without causing any interference, and we concentrate on the acquisition of knowledge about the monitored infrastructures to improve both the detection process and the feedback given to the operators. In what follows, we present a novel approach to NCS security based on the integration of system knowledge acquisition and network intrusion detection. Our work starts by identifying and evaluating valuable sources of information from which to gain knowledge about the monitored systems. Then, we show how this knowledge contributes to improving intrusion detection systems (IDSs). Finally, we leverage a specific kind of intrusion detection, namely specification-based intrusion detection, to strengthen the bond between system knowledge and network security. We achieve this by automating the deployment of specification-based IDSs that autonomously use information gathered from NCS network traffic and analyze the available NCS-related documentation to describe the expected behavior of the infrastructure. Tests and evaluations performed on real infrastructures support the proposed approach and confirm the advantages of including information about NCS properties and components within the employed security solutions.
    Original language: English
    Qualification: Doctor of Philosophy
    Awarding institution: University of Twente
    • Kargl, Frank, Supervisor
    • Zambon, Emmanuele, Advisor
    • Zambon, Eduardo, Supervisor
    Award date: 4 Nov 2016
    Place of publication: Enschede
    Print ISBNs: 978-90-365-4177-0
    Publication status: Published - 4 Nov 2016


    • EWI-27385
    • EC Grant Agreement nr.: FP7-SEC-285477-CRISALIS
    • Networked
    • Intrusion Detection
    • IR-101975
    • Control Systems
    • METIS-318366
    • SCS-Cybersecurity

