On the Generalizability and Transferability of Industrial Intrusion Detection Research

Abstract

The increasing automation of Industrial Control Systems (ICSs) has brought significant advantages across industrial domains such as water treatment, power grids, and manufacturing. At the same time, the accompanying digitization of ICSs has widened their attack surface. While preventive security measures to thwart these attacks exist, they can be challenging to retrofit into legacy systems, making specialized Industrial Intrusion Detection Systems (IIDSs) a viable alternative. A large research community has formed around the specific needs of unique and diverging ICS applications, inventing novel and effective detection methodologies, yet typically focusing on a single industrial protocol or domain. However, as two ICSs are rarely identical, IIDSs are expected to generalize to different use cases or even transfer to new domains instead of being built for a single purpose. Although the protocols and physical processes underlying all ICSs show remarkable similarity in their functionality and predictability, current IIDS research, as we show, remains fragmented rather than providing generalizable solutions. This dissertation addresses this overarching challenge by investigating the feasibility of protocol- and domain-independent intrusion detection. Through a Systematic Mapping Study (SMS), we identify five critical issues hindering effective IIDS research: (i) disjoint research areas for each ICS domain, (ii) evaluation methodologies that fail to holistically capture the capabilities of new IIDSs, (iii) a strong focus on complex detection methodologies with little justification, (iv) few efforts to transfer existing achievements across ICS domains, and (v) little consideration of the implications of selecting and deploying an IIDS.
To overcome these limitations, this dissertation introduces the Industrial Protocol Abstraction Layer (IPAL), a novel framework that proposes a standardized data representation for industrial intrusion detection. IPAL thereby facilitates the generalizability, transferability, and comparability of IIDSs across different ICS environments and across research. Furthermore, this dissertation presents new lightweight yet effective detection methodologies, disproving the prevailing assumption that effective detection requires complex methods. Finally, since deploying only the single best IIDS can be suboptimal with respect to detection performance, we explore ensemble learning techniques that combine the capabilities of multiple IIDSs to enhance detection performance while reducing false positives. These findings demonstrate that intrusion detection can be both efficient and adaptable across ICS domains and communication technologies. On the one hand, our contributions support a more coherent and effective IIDS research landscape; on the other hand, they pave the way for sustainable and practical deployments of IIDSs in the real world. Thereby, we make IIDSs more accessible to ICS operators, protecting critical infrastructure more efficiently against harmful cyberattacks.
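The two ideas the abstract combines, a protocol-independent message representation shared by all detectors and an ensemble that votes over several lightweight detectors so that a single noisy detector does not raise an alert on its own, can be illustrated with a small worked example. The following code is an added illustration written for this page; it is not IPAL's schema, not the dissertation's detectors, and not the ensemble method evaluated in the thesis. The `Message` fields, the three detectors, the allowlist, the thresholds and the five sample messages are all constructed assumptions for the example.

```python
"""Added illustration (not from the dissertation): three lightweight detectors
over one shared, protocol-independent message view, combined by majority vote.
Schema, thresholds and sample traffic below are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Message:
    """Protocol-independent view of one industrial packet (constructed schema,
    not IPAL's format). The same fields hold for Modbus, EtherNet/IP, etc."""
    timestamp: float
    src: str
    dst: str
    protocol: str
    activity: str                                   # e.g. "read" / "write"
    state: Dict[str, float] = field(default_factory=dict)  # process values


Detector = Callable[[Message], bool]   # returns True when the detector alerts


def make_range_detector(var: str, lo: float, hi: float) -> Detector:
    """Alert when a process value leaves its physically plausible range."""
    def det(m: Message) -> bool:
        v = m.state.get(var)
        return v is not None and not (lo <= v <= hi)
    return det


def make_allowlist_detector(allowed: Set[Tuple[str, str, str]]) -> Detector:
    """Alert on a (src, dst, activity) triple never seen in baseline traffic."""
    def det(m: Message) -> bool:
        return (m.src, m.dst, m.activity) not in allowed
    return det


def make_rate_of_change_detector(var: str, max_delta: float) -> Detector:
    """Alert when a value jumps more than max_delta between consecutive messages.
    Stateful: remembers the previous value, so build a fresh one per run."""
    last: List[float] = []
    def det(m: Message) -> bool:
        v = m.state.get(var)
        if v is None:
            return False
        prev = last[0] if last else None
        last[:] = [v]
        return prev is not None and abs(v - prev) > max_delta
    return det


def ensemble_vote(detectors: List[Detector], msgs: List[Message], quorum: int) -> List[bool]:
    """Per-message decision: alert iff at least `quorum` detectors fire.
    quorum=1 is the union of all alerts; quorum=2 demands corroboration."""
    return [sum(1 for d in detectors if d(m)) >= quorum for m in msgs]


# Constructed baseline: the HMI writes tank levels to PLC1, PLC1 reports back.
ALLOWED = {("hmi", "plc1", "write"), ("plc1", "hmi", "read")}

# Constructed traffic. Message 3 is a benign sensor spike (trips only the range
# detector); message 5 is an unauthorized write from an unknown host over a
# different protocol that drives the level to zero (trips all three detectors).
SAMPLE = [
    Message(1.0, "hmi", "plc1", "modbus", "write", {"level": 50.0}),
    Message(2.0, "hmi", "plc1", "modbus", "write", {"level": 52.0}),
    Message(3.0, "plc1", "hmi", "modbus", "read", {"level": 81.0}),
    Message(4.0, "hmi", "plc1", "modbus", "write", {"level": 53.0}),
    Message(5.0, "attacker", "plc1", "ethernet-ip", "write", {"level": 0.0}),
]


def run_example(quorum: int) -> List[bool]:
    """Build fresh detectors (the rate detector is stateful) and vote over SAMPLE."""
    detectors = [
        make_range_detector("level", 10.0, 80.0),
        make_allowlist_detector(ALLOWED),
        make_rate_of_change_detector("level", 30.0),
    ]
    return ensemble_vote(detectors, SAMPLE, quorum)


if __name__ == "__main__":
    print("any detector :", run_example(1))   # spike raises a false positive
    print("quorum of 2  :", run_example(2))   # only the corroborated attack alerts
```

With a quorum of one (the union of all detectors) the benign sensor spike in message 3 is reported alongside the real attack in message 5; requiring two agreeing detectors drops the spike while keeping the attack, which is the false-positive reduction the abstract refers to. Because every detector consumes the same `Message` view, the EtherNet/IP packet in message 5 is handled by exactly the same code as the Modbus traffic.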

Dr. Konrad Wolsing
External Researcher / FKIE