Cyber resilience monitoring in industrial automation and control systems (CyReM-ICS)

Our extensive experience in vulnerability detection and hardening of industrial control systems flows into a new holistic resilience monitoring approach.

Current situation

Cyber resilience is seen as the next step in IT security and focuses primarily on incident response and restoring process capability. Appropriate monitoring of process-carrying automation systems and infrastructures is necessary to achieve cyber resilience. CyReM-ICS, an internally funded pre-competitive research project started in 2023, addresses this need by transferring existing approaches to anomaly detection into a holistic monitoring system. The system collects various input data within process infrastructures and uses it as a basis for calculating defined metrics for the resilience assessment of the process networks.

 

Objectives and approach

For the target system, the data basis required for a meaningful resilience assessment must be defined based on a system analysis. Open-source detection systems are used to collect the required data on network traffic and devices. Initial methods for obtaining additional information through active probing have already been integrated and will be updated successively. The collected information is transferred to a central data management system, a security information and event management (SIEM) system. Because cyber resilience goes beyond security alone and also emphasizes incident response, we are also including advisories.

Predefined resilience parameters and metrics are calculated from the status information obtained from the devices and are used to evaluate and quantify the resilience status of the systems. External data sources, such as vulnerability information, are evaluated and integrated into the overall system using cyber threat intelligence approaches.

 


Project details

Self-funded technology development project in the Automation and Digitalization business unit

Project duration: 2023-

Departments involved:

Information Management and Production Control

Cognitive Industrial Systems

Digital Infrastructure

Human-AI Interaction

IT security for energy and water supply