A Host Intrusion Detection System architecture for embedded industrial devices

Bibliographic details
Published in: Journal of the Franklin Institute 2021-01, Vol.358 (1), p.210-236
Main authors: Vargas Martinez, Cyntia, Vogel-Heuser, Birgit
Format: Article
Language: eng
Description
Summary: The integration of Cyber-Physical Systems in the industrial domain has become indispensable for Industry 4.0. Unfortunately, as the interconnectivity among them increases, so do the opportunities for malicious users to target them. Hence, it is necessary to increase the security of these systems and their components. A wide range of security solutions (e.g., industrial firewalls) are already an integral part of Industrial Automation Systems; however, these are deployed at strategic system locations and might not be capable of identifying intrusions that target specific elements of embedded industrial devices. Host Intrusion Detection Systems (Host IDS) are one security solution that allows such intrusions to be detected, as they analyze information related to specific host devices. This contribution presents a feasible Host IDS architecture for embedded industrial devices. This architecture takes into consideration features and capabilities of Host IDS from the IT domain. It also considers system-, environment- and device-specific properties from the industrial domain. These properties are presented in the form of abstracted requirements and considerations that are taken into account in the conceptualization of the presented architecture. Furthermore, the feasibility of this architecture is validated through the implementation and evaluation of a prototypical Host IDS deployed in a Programmable Logic Controller (PLC) hosting a Real-Time Operating System (RTOS). This evaluation is achieved through the demonstration of a set of hypotheses derived from the abstracted requirements and supported by the evaluation of test scenarios. To the best of our knowledge, this is the first fully operational Host IDS to be deployed and evaluated on a PLC.
ISSN: 0016-0032, 1879-2693
DOI:10.1016/j.jfranklin.2019.03.037