SCADApedia

S4 Preview - Using Flow Data in Anomaly Detection

The stereotypical behavior of control systems has always seemed like a great opportunity to use anomaly detection to identify cyber attacks. We have considered research in this area but passed because there wasn’t a good underlying engine for testing hypotheses that we could build on. DHS funded two HSARPA projects a few years ago with no tangible results. The closest we have seen is the SRI paper at S4 last year, which touched on it, primarily by detecting new entities/IP addresses beginning to communicate on the network or new destination ports being used. While this was interesting, that type of detection was already being handled by signature-based systems.

At S4 2008 we have two papers on anomaly detection in control systems. The first is from Brian Moran and Rick Belisle, researchers at IBM/Internet Security Systems. Their paper focuses on using flow data readily available from routers and other network devices to detect anomalies not only by IP address and port, but also by the volume of data exchanged between different entities.

There are so many possible hypotheses to test by regression once the data is collected. You could assign weights by protocol, by device type (real-time servers, historians, PLCs, IEDs, …), by site, … the list is endless. The key point of this paper is that this flow information is available for analysis, and they will present a framework for collecting it and developing models that test for anomalous behavior correlated with events such as a general loss of availability or a specific type of cyber attack.

Having just read Ian Ayres’ Super Crunchers on the airplane last night, I’m even more interested in this talk. The book shows through numerous examples how poor even top experts are at predicting results from data compared with “Super Cruncher” statistical algorithms. What if we found that a deviation of two or more standard deviations, in either direction, in the number of events written to a historian per minute was highly predictive of an impending outage? Would a high number or a low number be more predictive? How about a statistical surge in DNP3 unsolicited responses? Or maybe a dearth of unsolicited responses is more important to watch for. Lots of questions and possibilities.
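To make the idea concrete, here is a small added example (it is not code from the S4 paper, from IBM/ISS, or from Digital Bond) that runs two of the checks discussed above over flow records reduced to (minute, src, dst, dport, bytes): flagging a source/destination/port tuple that never appeared in the baseline, and flagging a known tuple whose bytes per minute sit more than two standard deviations from its baseline mean, high or low. Every flow record in it is constructed, the host addresses are made up, port 20000 is the registered DNP3/TCP port, and the historian on port 5432 and the sigma floor of 1.0 are assumptions for the example.

```python
"""Flow-based anomaly detection over constructed NetFlow-style records.

Added example for this post; it is not code from the S4 paper, from IBM/ISS
or from Digital Bond. Flow records are reduced to (minute, src, dst, dport,
bytes) and every record below is constructed, not captured.

Two of the checks discussed in the post:
  1. new_peer: a (src, dst, dport) tuple that never appeared in the baseline
     (the kind of check the earlier SRI work concentrated on)
  2. volume:   a known tuple whose bytes per minute is more than two standard
     deviations from its baseline mean, high OR low, so a session that goes
     silent is flagged as readily as one that spikes
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: ten quiet minutes of an HMI (10.1.1.10) polling a PLC
# (10.1.2.20) over DNP3/TCP (port 20000, the registered DNP3 port) and writing
# to a historian database (10.1.3.30, port 5432; an assumed database port).
BASELINE = []
for minute, nbytes in enumerate(
        [1200, 1180, 1220, 1210, 1190, 1200, 1230, 1170, 1200, 1200], start=1):
    BASELINE.append((minute, "10.1.1.10", "10.1.2.20", 20000, nbytes))
    BASELINE.append((minute, "10.1.1.10", "10.1.3.30", 5432, 500))

# Constructed live window. Minute 11: the DNP3 session carries ~3x its usual
# bytes and an unknown host starts talking DNP3 to the PLC. Minute 12: the
# HMI-to-PLC polling stops entirely (a dearth, not a surge).
WINDOW = [
    (11, "10.1.1.10", "10.1.2.20", 20000, 4000),
    (11, "10.1.1.10", "10.1.3.30", 5432, 500),
    (11, "10.1.9.99", "10.1.2.20", 20000, 300),
    (12, "10.1.1.10", "10.1.3.30", 5432, 500),
]


def per_minute_totals(flows):
    """Sum bytes per ((src, dst, dport), minute). Several flows between the
    same pair inside one minute collapse into a single sample."""
    totals = defaultdict(int)
    for minute, src, dst, dport, nbytes in flows:
        totals[((src, dst, dport), minute)] += nbytes
    return totals


def build_baseline(flows, sigma_floor=1.0):
    """Return {key: (mean, sigma)} of bytes per minute for every tuple seen.

    A minute in which a known tuple sent nothing counts as 0 bytes rather than
    being skipped, so the model knows what 'quiet' looks like. sigma is floored
    so a perfectly regular baseline (sigma == 0) does not make every stray
    byte an alert; 1.0 is an assumed floor, tune it per environment."""
    totals = per_minute_totals(flows)
    keys = {key for key, _ in totals}
    minutes = sorted({minute for _, minute in totals})
    model = {}
    for key in keys:
        samples = [totals.get((key, minute), 0) for minute in minutes]
        model[key] = (mean(samples), max(pstdev(samples), sigma_floor))
    return model


def score_window(model, flows, threshold=2.0):
    """Compare a window of flows against the baseline and return alerts.

    Volume is scored as a z-score, (x - mean) / sigma, for every known tuple in
    every minute of the window, including minutes where the tuple is absent."""
    totals = per_minute_totals(flows)
    minutes = sorted({minute for _, minute in totals})
    alerts = []
    for (key, minute), nbytes in totals.items():
        if key not in model:
            alerts.append({"kind": "new_peer", "key": key,
                           "minute": minute, "bytes": nbytes})
    for key, (mu, sigma) in model.items():
        for minute in minutes:
            x = totals.get((key, minute), 0)
            z = (x - mu) / sigma
            if abs(z) > threshold:
                alerts.append({"kind": "volume", "key": key, "minute": minute,
                               "bytes": x, "z": round(z, 1)})
    # Deterministic order: by minute, then kind, then tuple.
    alerts.sort(key=lambda a: (a["minute"], a["kind"], a["key"]))
    return alerts


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for key, (mu, sigma) in sorted(model.items()):
        print(f"baseline {key}: mean={mu:.0f} B/min sigma={sigma:.1f}")
    for alert in score_window(model, WINDOW):
        print(alert)
```

Run as-is it reports three alerts: the unknown host on minute 11 as a new peer, the DNP3 session on minute 11 as a volume spike, and the same session on minute 12 as a volume anomaly with zero bytes, which is the "dearth" case. Counting absent minutes as zero is the design choice that makes the low side of the distribution visible at all; a detector that only scores the flows it receives can never notice that a poll stopped. In a real deployment the two lists would be replaced by NetFlow or sFlow exports from the routers, and the per-tuple key could be widened with the protocol and device-type weights the post speculates about.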

Comments

Comment from Julian L. Rrushi
Time: November 5, 2007, 12:16 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dale,

Your note is encouraging for those of us who employ probabilistic and statistical modeling of cyber and physical infrastructures for intrusion detection, security testing, attack tolerance, probabilistic side-channel attacks, or other security or insecurity related domains.

thanks,
Julian L. Tod Rrushi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFHLt7+3JhHvEZ9fsERAriiAKCI05u96tFSaaoYj0jaTRqQAKdBmgCeMz2c
gG4DLQlnBHbElvgQejREmgM=
=IRnX
-----END PGP SIGNATURE-----
