Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection

Introduction

The goal of this National Institute of Standards and Technology (NIST) Interagency Report (NISTIR) is to show practical approaches that manufacturers can use to strengthen cybersecurity in their manufacturing processes. Behavioral anomaly detection (BAD) tools can provide a key security component for sustaining business operations, particularly those based on industrial control systems (ICS). Because introducing anomalous data into a manufacturing process can disrupt operations, whether deliberately or inadvertently, the examples provided in this NISTIR demonstrate how detecting anomalous conditions can improve the reliability of manufacturing and other ICS, in addition to providing the demonstrated cybersecurity benefits.

Background

As stated in NIST Special Publication (SP) 800-82 [3], ICS are vital to the operation of the United States’ critical infrastructures, which are often highly interconnected and mutually dependent systems. While federal agencies also operate many ICS, approximately 90 percent of the nation’s critical infrastructures are privately owned and operated. As ICS increasingly adopt information technology (IT) to promote corporate business systems’ connectivity and remote access capabilities by using industry-standard computers, operating systems (OSs), and network protocols, the accompanying integration provides significantly less isolation of ICS from the outside world. While security controls have been designed to deal with security issues in typical IT systems, special precautions must be taken when introducing these same approaches in ICS environments. In some cases, new security techniques tailored to the specific ICS environment are needed. NIST recognizes this concern and is working with industry to solve these challenges by developing reference designs and a practical application of cybersecurity technologies. BAD is one tool for improving ICS security.

NIST’s National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Lab (EL) and NCCoE industry collaborators, has demonstrated a set of behavioral anomaly detection capabilities to support cybersecurity in manufacturing organizations. The use of these capabilities enables manufacturers to detect anomalous conditions in their operating environments to mitigate malware attacks and other threats to the integrity of critical operational data. NIST’s NCCoE and EL have mapped these demonstrated capabilities to the NIST Cybersecurity Framework [1] and have documented how this set of standards-based controls can support many of the security requirements of manufacturers. This NISTIR documents the use of BAD capabilities in two distinct but related demonstration environments: a collaborative robotics-based manufacturing system and a process control system (PCS) that resembles what is being used by chemical manufacturing industries.