1. EU Project 730843
How to Detect Attacks and Supervise Rail Systems?
Taha Abdelmoutaleb Cherfia
fortiss
CYRAIL Final Conference
Paris, 18.09.2018
9. Assessment of Existing IDS Solutions
Identifying and analysing the current open source and commercial intrusion detection solutions for IT and OT systems.
14. Intrusion Detection
Intrusion detection is the process of monitoring the events occurring in a
computer system or network and analysing them for signs of possible
incidents, which are violations or imminent threats of violation of
computer security policies, acceptable use policies, or standard security
practices.
Stages: Collection → Analysis → Response
24. Intrusion Detection System
An intrusion detection system (IDS) is hardware or software that automates the intrusion detection process.
28. IDS Characteristics
An intrusion detection system has to fulfil the following requirements:
Accuracy:
IDS must detect and distinguish malicious activities from the legitimate
ones.
Performance:
IDS must be able to perform real-time intrusion detection.
Completeness:
IDS should not fail to detect an intrusion.
Fault tolerance:
IDS must itself be resistant and robust against malicious attacks.
Scalability:
IDS must be able to monitor the worst-case number of events in a large network topology.
43. IDS Taxonomy
Host-based Intrusion Detection System (HIDS):
HIDS is a software application which resides on and monitors a single host
and the events occurring within that host for malicious activities.
Network-based Intrusion Detection System (NIDS):
NIDS is a dedicated device or sensor that monitors network traffic on particular network segments or to particular devices to identify malicious activities.
51. Intrusion Detection Methodologies
Signature-based intrusion detection is the process of comparing
signatures against observed events to identify possible incidents.
Anomaly-based intrusion detection is the process of comparing definitions
of what activity is considered normal against observed events to identify
significant deviations.
[Diagram, anomaly-based detection: Audit Data + Knowledge Base → "Statistically Anomalous?" → Attack]
[Diagram, signature-based detection: Audit Data + Knowledge Base → "Match?" → Attack]
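The two methodologies on the slide above, run over the same audit data, as an added example (not code from the CYRAIL project or these slides). The hosts, the "modbus" label, the read/write function names, the single signature and the engineering-host allow-list are all constructed for illustration. The signature side holds a knowledge base of explicit attack patterns; the anomaly side holds a knowledge base of what the baseline traffic looked like (which tuples were seen, and each source's message rate) and flags statistical deviations from it.

```python
"""Signature-based vs anomaly-based detection on one constructed audit stream.

Added example: this is not code from the CYRAIL project or the slides. The
hosts, the protocol label, the function names and the single signature are
invented for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 10  # seconds per counting window for the rate profile

# Constructed audit data: (timestamp_s, src, dst, proto, function).
# The first 60 s are a quiet baseline with two hosts polling a controller.
BASELINE = (
    [(t, "10.0.0.11", "10.0.0.20", "modbus", "read") for t in range(0, 60, 2)]
    + [(t, "10.0.0.12", "10.0.0.20", "modbus", "read") for t in range(1, 60, 3)]
)
# After the baseline: a "write" from a host never seen before, then a burst
# of 50 reads in 5 s from a host that normally sends one every 3 s.
SUSPECT = (
    [(61, "10.0.0.99", "10.0.0.20", "modbus", "write")]
    + [(62 + i / 10, "10.0.0.12", "10.0.0.20", "modbus", "read") for i in range(50)]
)
EVENTS = BASELINE + SUSPECT

# --- Signature-based: a knowledge base of explicit attack patterns ---------
ENGINEERING_HOSTS = {"10.0.0.11"}  # assumption: the only host allowed to write
SIGNATURES = {
    "write-from-unknown-host": lambda e: e[4] == "write" and e[1] not in ENGINEERING_HOSTS,
}


def signature_detect(events):
    """Return (signature_name, event) for every event matching a known pattern."""
    return [(name, e) for e in events for name, rule in SIGNATURES.items() if rule(e)]


# --- Anomaly-based: a knowledge base of what "normal" looks like -----------
def _counts_per_window(events):
    """src -> {window_index: number of messages in that window}."""
    counts = defaultdict(Counter)
    for t, src, *_ in events:
        counts[src][int(t // WINDOW)] += 1
    return counts


def learn_baseline(events):
    """Profile normal traffic: the set of (src, dst, proto, function) tuples
    seen, and mean/std of per-window message counts for each source."""
    known = {e[1:] for e in events}
    n_windows = int(max(t for t, *_ in events) // WINDOW) + 1
    profile = {}
    for src, c in _counts_per_window(events).items():
        series = [c[i] for i in range(n_windows)]  # zero for silent windows
        profile[src] = (mean(series), pstdev(series))
    return known, profile


def anomaly_detect(events, known, profile, k=3.0):
    """Flag tuples never seen in the baseline, and per-source message rates
    more than k standard deviations above that source's baseline mean."""
    alerts = [("unseen-tuple", e) for e in events if e[1:] not in known]
    for src, c in _counts_per_window(events).items():
        mu, sigma = profile.get(src, (0.0, 0.0))  # unknown source: no history
        threshold = mu + k * sigma + 1  # +1 so a zero-variance baseline still has slack
        for w, n in sorted(c.items()):
            if n > threshold:
                alerts.append(("rate-spike", (src, w * WINDOW, n)))
    return alerts


if __name__ == "__main__":
    known, profile = learn_baseline(BASELINE)
    print("signature alerts:", signature_detect(EVENTS))             # only the write
    print("anomaly alerts:  ", anomaly_detect(EVENTS, known, profile))  # write + burst
```

On this input the signature detector raises exactly one alert (the write from the unknown host) and is silent on the read burst, because no pattern describes it; the anomaly detector raises two (the never-seen tuple and the rate spike) without any attack-specific rule, but it would equally flag a legitimate new engineering workstation or a planned polling change, which is the false-positive trade-off the slide's two diagrams imply.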
63. Deployment of Intrusion Detection Solutions
Proposing a flexible deployment scheme of the intrusion detection solutions on
the different zones of CyRail’s operational scenario.
68. NIDS Solutions
1 = NIDS for CI
NIDS monitoring internet networks for critical infrastructures. They are designed by cyber security experts and implement attack detection rules (attack patterns and behaviour). They have to be deployed where they can analyse the inbound and outbound internet network traffic.
E.g. GateWatcher and KeelbackNet.
14. Industrial NIDS Solutions
2 = Industrial NIDS
Specialised in industrial protocols and based on operational knowledge of the processes and communications. They are mostly designed to detect anomalies.
E.g. Claroty, Cyberbit, CyberX, Cylus, Cypres, ICS², Indegy, NexDefense, Nozomi, Radiflow, SecurityMatters and Sentryo.
15. HIDS Solutions
3 = HIDS
Host-based Intrusion Detection System.
E.g. RazorSecure.
16. FW/IPS Solutions
4 = FW/IPS
Firewall / Intrusion Prevention System, located at the border of a zone.
E.g. Stormshield.
17. IT NIDS Solutions
5 = IT NIDS
IT-extended IDS. Because of their IT origin they fit IT network monitoring; their capability to address industrial networks is more limited than that of industrial NIDS.
E.g. Checkpoint, TippingPoint, Cisco IPS, Fortinet, Forcepoint, Leidos and Juniper.
18. Deployment of Intrusion Detection Solutions
[Diagram: the five solution types placed on the zones of the operational scenario]
Legend:
1 = NIDS for CI
2 = Industrial NIDS
3 = HIDS
4 = FW/IPS
5 = IT NIDS
19. Facts and Figures
Europe has a strong representation of industrial IDS companies.
Most Industrial IDS vendors are recent SMEs.
Fast-growing market, but not mature enough yet.