Non-IP Industrial Networks: An Agnostic Anomaly Detection System

This paper describes a system to detect anomalies in non-IP (Internet Protocol) industrial networks on Industrial Control Systems (ICS). Non-IP industrial networks are widely applied in ICS to connect sensors and actuators to control systems or business networks. They were designed to be in an air-gapped security environment and therefore contain almost no cyber security features and are vulnerable to various attacks. Even though they are part of the communication layers, a few external cyber security controls are applied in this crucial tier. As an extension of the work by De Moura et al. (2021), this study proposes and tests the proof-of-concept of an agnostic anomaly detection system (AADS) to detect anomalies on any non-IP industrial network (e.g., DeviceNet, CANBus) as an additional cyber security measure working at the physical network layer. The proof-of-concept is comprised of three modules, including hardware and software components: data gathering (sniffer), parser, and detection. Testing the proof-of-concept in an industrial lab network (i.e., a Profibus-DP lab network) showed the proposal's feasibility with a detection rate above 99% (overall accuracy: 99.59%; F1-Score: 99.18%).