The objective of this project is the development of a non-intrusive device for the protection of industrial control systems against APTs and other cyber threats in the Industry 4.0 environment. With the rapid growth of the Industry 4.0 concept as a new paradigm for organizing the means of production, industrial environments are even more exposed and vulnerable than before to Advanced Persistent Threats (APTs) and other cyber-attacks. This situation is aggravated by the direct integration of these industrial systems with other ICT systems, which opens the door to a new range of possible vulnerabilities. The developed device will analyze incoming and outgoing network traffic using machine learning techniques in order to detect anomalies that could indicate the presence of a threat. In addition to anomaly detection algorithms, the device will also integrate traditional cyber-defense technologies such as intrusion detection systems (IDS). Incidents recorded by the different sensors will be correlated by an event correlation engine. The resulting system will expand the range of S2 Grupo monitoring products and will form part of the company’s managed security services. The solution developed will consist of several elements:
- A data acquisition layer responsible for monitoring and collecting network traffic from industrial control systems.
- An anomaly detector module that processes the information collected by the data acquisition layer and combines different machine learning techniques with the objective of identifying alterations in traffic patterns that could be due to the presence of a threat in the system.
- A passive vulnerability scanning module that processes the information collected by the data acquisition layer to identify vulnerabilities inherent in the software or hardware present in the system.
- An event correlation layer that receives and processes the information produced by the anomaly detection and passive scanning modules and decides whether to raise an alarm.
- An interoperability layer that facilitates integration with alert management systems.
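The following is an added illustration of how these layers fit together, written for this page and not code from S2 Grupo or the project itself. It assumes a constructed flow-record format (source, destination, port, packet count per window, optional passively observed banner), a hypothetical "ACME-PLC firmware" product with a constructed list of weak versions, and a deliberately simple statistical model (per-flow mean and standard deviation of packet counts) standing in for the machine learning techniques the text leaves unspecified. The anomaly detector learns from a baseline window, the passive scanner only reads banners already on the wire, the correlation step raises the severity when an anomaly and a vulnerability finding concern the same host, and the interoperability layer serialises each alarm as JSON.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record per observation window (constructed format)."""
    src: str
    dst: str
    dport: int
    packets: int
    banner: str = ""   # text passively observed in the payload, if any


# Data acquisition layer: constructed flow records. BASELINE_FLOWS is a learning
# window of normal HMI -> PLC polling; LIVE_FLOWS is the window being analysed.
BASELINE_FLOWS = [
    *(Flow("10.0.0.10", "10.0.0.20", 502, n) for n in (118, 122, 120, 119, 121)),
    *(Flow("10.0.0.10", "10.0.0.21", 502, n) for n in (60, 58, 61, 59, 62)),
    Flow("10.0.0.20", "10.0.0.10", 40000, 5, banner="ACME-PLC firmware 1.2.0"),
    Flow("10.0.0.21", "10.0.0.10", 40000, 5, banner="ACME-PLC firmware 2.0.1"),
]
LIVE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.20", 502, 480),   # HMI suddenly polls PLC .20 four times as hard
    Flow("10.0.0.10", "10.0.0.21", 502, 60),    # normal polling rate
    Flow("10.0.0.55", "10.0.0.21", 502, 40),    # a host never seen talking Modbus before
    Flow("10.0.0.20", "10.0.0.10", 40000, 5, banner="ACME-PLC firmware 1.2.0"),
    Flow("10.0.0.21", "10.0.0.10", 40000, 5, banner="ACME-PLC firmware 2.0.1"),
]

# Passive scanner knowledge base: hypothetical product and constructed weak versions.
WEAK_VERSIONS = {"ACME-PLC firmware": {"1.2.0"}}


def flow_key(f):
    return (f.src, f.dst, f.dport)


def anomaly_detector(baseline, live, z_max=3.0):
    """Learn per-flow packet-count statistics, then flag live flows that deviate."""
    history = defaultdict(list)
    for f in baseline:
        history[flow_key(f)].append(f.packets)
    model = {k: (mean(v), pstdev(v)) for k, v in history.items()}
    events = []
    for f in live:
        k = flow_key(f)
        if k not in model:
            events.append({"type": "anomaly", "host": f.dst,
                           "detail": f"flow {k} never seen in baseline"})
            continue
        mu, sigma = model[k]
        sigma = max(sigma, 1.0)   # floor: perfectly regular polling would give sigma 0
        z = abs(f.packets - mu) / sigma
        if z > z_max:
            events.append({"type": "anomaly", "host": f.dst,
                           "detail": f"flow {k}: {f.packets} packets, z={z:.1f}"})
    return events


def passive_scanner(flows, weak_versions):
    """Match passively observed banners against known-weak versions; no probes are sent."""
    findings = []
    for f in flows:
        if not f.banner:
            continue
        product, _, version = f.banner.rpartition(" ")
        if version in weak_versions.get(product, set()):
            findings.append({"type": "vulnerability", "host": f.src,
                             "detail": f"{product} {version} is a known-weak version"})
    return findings


def correlate(events):
    """Raise one alarm per host; severity rises when anomaly and vulnerability coincide."""
    kinds_by_host = defaultdict(set)
    details = defaultdict(list)
    for e in events:
        kinds_by_host[e["host"]].add(e["type"])
        details[e["host"]].append(e["detail"])
    alarms = []
    for host, kinds in sorted(kinds_by_host.items()):
        if kinds == {"anomaly", "vulnerability"}:
            severity = "high"      # anomalous traffic towards a host known to be weak
        elif "anomaly" in kinds:
            severity = "medium"
        else:
            severity = "low"       # weak version observed but traffic still looks normal
        alarms.append({"host": host, "severity": severity, "evidence": details[host]})
    return alarms


def export_alerts(alarms):
    """Interoperability layer: one JSON document per alarm for an alert manager."""
    return [json.dumps(a, sort_keys=True) for a in alarms]


def run_pipeline(baseline=BASELINE_FLOWS, live=LIVE_FLOWS):
    events = anomaly_detector(baseline, live) + passive_scanner(live, WEAK_VERSIONS)
    return correlate(events)


if __name__ == "__main__":
    for line in export_alerts(run_pipeline()):
        print(line)
```

On the constructed data the HMI's burst towards PLC 10.0.0.20 and the unknown host 10.0.0.55 both trip the detector, but only 10.0.0.20 also carries a weak firmware banner, so it is the one host that reaches "high" severity; a host with a weak version and normal traffic would only be reported at "low", which is the kind of prioritisation the correlation layer exists to make.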