CR, Aug 11, 2019

Efficient Intrusion Detection on Low-Performance Industrial IoT Edge Node Devices

arXiv:1908.03964v1, 8 citations
AI Analysis

This paper addresses security vulnerabilities in industrial IoT systems by enabling decentralized protection, though it appears incremental as it builds on existing intrusion detection concepts.

The paper tackles the problem of insufficient centralized intrusion detection in industrial IoT networks by proposing a distributed agent-based method that runs on low-performance edge devices, demonstrating feasibility with a proof-of-concept implementation on a microcontroller.

Communication between sensors, actors and Programmable Logic Controllers (PLCs) in industrial systems moves from two-wire field buses to IP-based protocols such as Modbus/TCP. This increases the attack surface because the IP-based network is often reachable from everywhere within the company. Thus, centralized defenses, e.g. at the perimeter of the network, do not offer sufficient protection. Rather, decentralized defenses, where each part of the network protects itself, are needed. Network Intrusion Detection Systems (IDSs) monitor the network and report suspicious activity. They usually run on a single host and are not able to capture all events in the network, and they are associated with a great integration effort. To bridge this gap, we introduce a method for intrusion detection that combines distributed agents on Industrial Internet of Things (IIoT) edge devices with centralized logging. In contrast to existing IDSs, the distributed approach is suitable for industrial low-performance microcontrollers. We demonstrate a Proof of Concept (PoC) implementation on an MCU running FreeRTOS with LwIP and show the feasibility of our approach in an IIoT application.
