This disclosure relates to an intrusion prevention system (IPS) that detects security breaches in a control system by monitoring the physical behavior of the control system.
Generally, an IPS may be configured to detect and/or prevent a digital intrusion into a control system, such as an industrial control system, by monitoring network communications in the control system. Specifically, the network IPS may look for indications of an intrusion and/or anomaly based on network parameters. For example, the network IPS may monitor parameters such as network traffic, file system access/modifications, or operating system/library calls. The monitored parameters may then be compared to rule sets to determine whether intrusions and/or anomalies are present in the control system.
Security breaches, referred to as intrusions, may enable an unauthorized party to access a control system, such as an industrial control system, and cause unexpected behavior within the system. For example, the intrusion may cause the system to perform processes that were not requested. Because the industrial control system may include devices such as turbines, generators, compressors, or combustors, it would be beneficial to improve the security in industrial control systems beyond network parameters.
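The rule-set comparison performed by a network IPS, described above, can be sketched as follows. This is an added example, not code from the disclosure; the rule format, host names, paths, process names and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed rule set (assumption): one rule kind per parameter class named in the text.
RULES = {
    "network": {"allowed_flows": {("hmi-01", "plc-01", 502)}, "max_pkts_per_s": 200},
    "file": {"protected": ["/opt/ctrl/logic/*", "/etc/ctrl/*.conf"], "writers": {"engd"}},
    "call": {"allowed": {"plc-runtime": {"read", "write", "ioctl"}}},
}

@dataclass
class Observation:
    kind: str      # "network", "file" or "call"
    fields: dict   # monitored parameters for that kind

def evaluate(obs, rules=RULES):
    """Return the list of rule violations for one observation (empty = clean)."""
    f, hits = obs.fields, []
    if obs.kind == "network":
        r = rules["network"]
        if (f["src"], f["dst"], f["dport"]) not in r["allowed_flows"]:
            hits.append("flow-not-allowlisted")
        if f.get("pkts_per_s", 0) > r["max_pkts_per_s"]:
            hits.append("traffic-rate-exceeded")
    elif obs.kind == "file":
        r = rules["file"]
        protected = any(fnmatch(f["path"], p) for p in r["protected"])
        if protected and f["op"] in ("write", "delete") and f["process"] not in r["writers"]:
            hits.append("protected-file-modified")
    elif obs.kind == "call":
        allowed = rules["call"]["allowed"].get(f["process"])
        if allowed is None:
            hits.append("unknown-process")
        elif f["call"] not in allowed:
            hits.append("call-not-allowlisted")
    else:
        hits.append("unknown-observation-kind")
    return hits

def scan(observations):
    """Map the index of each offending observation to its violations."""
    return {i: v for i, o in enumerate(observations) if (v := evaluate(o))}

# Constructed sample observations, not data from any real system.
SAMPLE = [
    Observation("network", {"src": "hmi-01", "dst": "plc-01", "dport": 502, "pkts_per_s": 40}),
    Observation("network", {"src": "ws-17", "dst": "plc-01", "dport": 502, "pkts_per_s": 950}),
    Observation("file", {"path": "/opt/ctrl/logic/main.st", "op": "write", "process": "sh"}),
    Observation("call", {"process": "plc-runtime", "call": "execve"}),
]

if __name__ == "__main__":
    for idx, violations in scan(SAMPLE).items():
        print(idx, SAMPLE[idx].kind, violations)
```

Every rule here inspects a network, file or call parameter; none of them observes what the controlled equipment is physically doing, which is the gap the disclosure addresses.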