December 30, 2019
Conference Paper

Development of a Host-Based Intrusion Detection and Control Device for Industrial Field Control Devices

Abstract

Industrial control systems contain a multitude of devices deployed into the field to observe and control a physical process. Currently, most of these devices lack common host-based cybersecurity features, which can lead them to be seen as vulnerable targets. The Cymbiote device was developed to address this problem by examining multiple streams of data to determine what might indicate a potential threat, and to evaluate and execute appropriate response actions. This paper discusses the evolution of the Cymbiote device in response to evaluation and testing done on real-world hardware. Experimental results are discussed, as are the new developments that have been made to the device in response to the findings. In addition, we describe future research directions for this approach along with the experimental setup changes in response to the requirements for statistical rigor.

Revised: March 18, 2020 | Published: December 30, 2019

Citation

Rice T.R., G.E. Seppala, T.W. Edgar, E.Y. Choi, D.M. Cain, and S.M. Mahserejian. 2019. Development of a Host-Based Intrusion Detection and Control Device for Industrial Field Control Devices. In IEEE Resilience Week (RWS 2019), November 4-7, 2019, San Antonio, TX, 105-111. Piscataway, New Jersey: IEEE. PNNL-SA-144940. doi:10.1109/RWS47064.2019.8971821