Industrial control systems (ICS) sit at the core of every industrial process, from power generation to water treatment and manufacturing. The term ICS refers to the set of devices that govern the process to guarantee its safe and successful execution, and includes Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control systems such as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC). A malfunction in any of these systems or the network in which they operate might cause the entire industrial process to fail, with serious consequences in terms of economic loss and compromised public safety. For instance, an incorrect distribution of power in an electricity transmission network might affect availability to households, offices, hospitals, etc. Similarly, a faulty component that regulates the amount of chemical substances in a pharmaceutical production process might lead to entire batches of harmful compounds.
The need to monitor ICS networks is advocated in many venues and has been included in several recommendations, guidelines and standards, such as the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), the NIS Directive from the European Union, and America’s Water Infrastructure Act (AWIA). There are several reasons why monitoring should be an integral part of operations and may even be considered a competitive advantage. The marked increase of cyberattacks directed against ICS, as frequently reported by the ICS Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security, is only one of them. Stuxnet, WannaCry, TRITON, NotPetya, LockerGoga and Ryuk have seized the full attention of the media but represent only a small portion of the cyber threats targeting ICS.