Method for Assessment of Security-Relevant Settings in Anomaly-Based Intrusion Detection for Industrial Control Systems

2020 
Ensuring the integrity of Ethernet-based networks is a challenging and constantly evolving domain. This problem is exacerbated for those operational technology (OT) networks supporting industrial control systems (ICS), since much of that equipment was originally designed to be on a network that was isolated and generally considered free of malefactors. Increasing pressure to bridge these systems with traditional information technology (IT) networks has introduced a bevy of new threats. In response, both academia and industry have produced security solutions tailored to ICS environments. Deploying these protection systems often involves several configuration choices. While some of these choices are clear (e.g., block/enable protocol X), others are far more subjective (e.g., alert threshold == 3.43). Further complicating the situation, OT networks, while often similar to IT networks, have unique challenges and characteristics that make the task of protecting them simultaneously more difficult and more straightforward. Extant solutions for quantifying the relative security of intrusion detection systems fail to effectively support the operators of those systems in understanding the impact of various configuration changes. Further, they assume that the attacks are static and not subject to manipulation or alteration in the face of defenses. In this paper, we present a threat-based method for quantifying the relative impact of various security settings for intrusion detection systems (IDSs) within ICS environments. This method provides operational staff with a clear understanding of the relative impact of their settings and assumes that the attacks levied against them are dynamic. The model is described in detail; we apply it to a synthetic data set and discuss the inferences that can be made and what types of decisions they could be used to support.