The present invention relates to industrial control systems, more particularly, to a system and methods for detecting and combating an attack in the protection system of an industrial control system.
Industrial control systems (ICS), such as SCADA (supervisory control and data acquisition) systems, monitor and control industrial or infrastructure facilities (e.g., oil and gas, refining, chemical, pharmaceutical, food and beverage, water and wastewater, pulp and paper, utility power, mining, metals, manufacturing facilities, etc.). Little concern has been given to security in ICS because they have historically been isolated from the internet. However, more and more ICS are being interconnected with each other or connected to IT networks so that facilities can be controlled more intelligently. Therefore, attacks on an ICS have now become a real issue, especially in light of real attacks such as the “Stuxnet” malware or the attacks on utilities in Brazil and the like.
In contrast to IT networks, ICS have some unique features as follows:
1. They may threaten human lives when they do not shut down in a predefined safe manner.
2. They often contain a number of devices in multiple zones dependent on each other.
3. They usually have a more stable or fixed configuration.
4. They cannot rely on the commercial strategy of defending only against known malware (the blacklist approach). That is, they cannot afford even an initial attack by an unknown piece of malware.
5. It is generally held that it is not possible to stop all intrusions into an ICS. Further, a targeted ICS will likely be unaware that it is infected; the first indication of infection will be when an attack begins to execute.
With reference to FIG. 1, a known ICS 100 comprises an ICS controller 105 and at least one subcontroller 110, with each subcontroller associated with or in communication with a respective zone 115. Each zone 115 may be directly or indirectly connected to Input/Output (I/O) devices 120, such as sensors and/or actuators, or may have another subcontroller 125 to which such I/O devices are connected.
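The following is an added illustration, not part of the patent text, of why features 3 and 4 above fit together: because the configuration of an ICS such as that of FIG. 1 is fixed, the expected subcontroller-to-zone-to-device operations can be enumerated as an allowlist, which flags a first-seen attack that a blacklist of known malware signatures cannot. All device names, events and signature values below are constructed.

```python
# Added illustration (not the patent's method): allowlist derived from a fixed
# ICS configuration versus a blacklist of known malware indicators.
# All names, events and signature values are constructed placeholders.

# Baseline derived from the fixed configuration of a FIG. 1-style hierarchy:
# (subcontroller, zone, I/O device, operation) tuples expected to occur.
ALLOWED = {
    ("subcontroller-A", "zone-1", "valve-1", "write"),
    ("subcontroller-A", "zone-1", "pressure-1", "read"),
    ("subcontroller-B", "zone-2", "pump-2", "write"),
    ("subcontroller-B", "zone-2", "flow-2", "read"),
}

# Blacklist of already-known malware indicators (placeholder value).
KNOWN_BAD_SIGNATURES = {"known-malware-sig-1"}

# Constructed event log: index 0 is normal traffic; index 1 is a first-seen
# attack (a cross-zone write carrying no known signature); index 2 is an
# otherwise-expected operation that carries a known-bad signature.
EVENTS = [
    {"source": "subcontroller-A", "zone": "zone-1", "device": "valve-1", "op": "write"},
    {"source": "subcontroller-B", "zone": "zone-1", "device": "valve-1", "op": "write"},
    {"source": "subcontroller-A", "zone": "zone-1", "device": "valve-1", "op": "write",
     "signature": "known-malware-sig-1"},
]


def blocklist_flags(events):
    """Indices of events matching a known-bad signature; misses unknown malware."""
    return [i for i, e in enumerate(events)
            if e.get("signature") in KNOWN_BAD_SIGNATURES]


def allowlist_flags(events):
    """Indices of events that deviate from the fixed-configuration baseline."""
    return [i for i, e in enumerate(events)
            if (e["source"], e["zone"], e["device"], e["op"]) not in ALLOWED]


def combined_flags(events):
    """Union of both approaches, in event order: each catches what the other misses."""
    return sorted(set(blocklist_flags(events)) | set(allowlist_flags(events)))


if __name__ == "__main__":
    print("blacklist:", blocklist_flags(EVENTS))  # [2]
    print("allowlist:", allowlist_flags(EVENTS))  # [1]
    print("combined:", combined_flags(EVENTS))    # [1, 2]
```

The unknown cross-zone write (event 1) is only caught by the configuration-derived allowlist, while the signatured event (event 2) is only caught by the blacklist, which is why a fixed-configuration ICS benefits from both.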
There remains a need to enhance an ICS to include the ability to protect against a security attack on its protection system.