Abstract
Intrusion detection systems (IDS) provide valuable tools to monitor for, and mitigate, the impact of cyber-attacks. However, this paper identifies a range of theoretical and practical concerns when these software systems are integrated into safety-critical applications. Whitelist approaches enumerate the processes that can legitimately use system resources. Any other access request is interpreted as indicating the presence of malware. Whitelist approaches cannot easily be integrated into safety-related systems, where the use of legacy applications and the Intellectual Property (IP) barriers associated with extensive sub-contracting make it difficult to enumerate the resource requirements of all valid processes. These gaps lead to a high number of false positives. In contrast, blacklist intrusion detection systems characterize the behavior of known malware. In order to be effective, a blacklist IDS must be updated at regular intervals as new forms of attack are identified. This raises serious concerns in safety-critical environments, where extensive validation and verification requirements mean that every software update must be rigorously tested. In other words, there is a concern that the IDS update might itself introduce bugs into a safety-related system. Isolation between an IDS and a safety-related application minimizes this threat. For instance, information diodes limit interference by ensuring that an IDS is restricted to read-only access on a safety-related network. Further problems arise in determining what to do when an IDS identifies a possible attack, given that false positives can increase risks to the public if they trigger an emergency shutdown.
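The trade-off the abstract describes can be made concrete by running both policies over the same stream of resource-access requests. The following is an added illustration, not code from the paper: the whitelist, the blacklist signatures, the event stream and the ground-truth labels are all constructed for the example. The process "plc_loader" stands in for a legitimate legacy sub-contractor tool whose resource requirements were never obtained, and "updater.exe" for a novel piece of malware that has no signature yet.

```python
"""Whitelist vs blacklist access-control policies over a constructed event stream.

Added example (not from the paper). All names and data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One observed request by a process for a system resource."""
    process: str
    resource: str


# Constructed whitelist: enumerated resource requirements of known-valid processes.
# "plc_loader" (a legacy/sub-contractor tool) is deliberately missing, modelling the
# IP-barrier problem: its requirements could not be enumerated.
WHITELIST: Dict[str, FrozenSet[str]] = {
    "hmi_display": frozenset({"/dev/ttyS0", "tcp:502"}),
    "historian": frozenset({"tcp:1433", "/var/log/historian"}),
}

# Constructed blacklist: (process, resource) behaviour signatures of known malware.
BLACKLIST: Set[Tuple[str, str]] = {("dropper.exe", "tcp:4444")}

# Constructed event stream; the label set is used only for scoring, not by the IDS.
EVENTS: List[AccessRequest] = [
    AccessRequest("hmi_display", "tcp:502"),
    AccessRequest("historian", "/var/log/historian"),
    AccessRequest("plc_loader", "tcp:502"),     # legitimate but not enumerated
    AccessRequest("dropper.exe", "tcp:4444"),   # known malware
    AccessRequest("updater.exe", "tcp:8443"),   # novel malware, no signature yet
]
MALICIOUS_PROCESSES: Set[str] = {"dropper.exe", "updater.exe"}


def whitelist_alerts(events: Iterable[AccessRequest],
                     whitelist: Dict[str, FrozenSet[str]]) -> List[AccessRequest]:
    """Flag any request that is not explicitly enumerated for that process."""
    return [e for e in events
            if e.resource not in whitelist.get(e.process, frozenset())]


def blacklist_alerts(events: Iterable[AccessRequest],
                     blacklist: Set[Tuple[str, str]]) -> List[AccessRequest]:
    """Flag only requests that match a known-malware behaviour signature."""
    return [e for e in events if (e.process, e.resource) in blacklist]


def score(alerts: List[AccessRequest], events: List[AccessRequest],
          malicious: Set[str]) -> Dict[str, int]:
    """Count true positives, false positives and missed attacks for one policy."""
    flagged = set(alerts)
    return {
        "true_positives": sum(1 for e in alerts if e.process in malicious),
        "false_positives": sum(1 for e in alerts if e.process not in malicious),
        "false_negatives": sum(1 for e in events
                               if e.process in malicious and e not in flagged),
    }


def compare_policies(events: List[AccessRequest] = EVENTS,
                     whitelist: Dict[str, FrozenSet[str]] = WHITELIST,
                     blacklist: Set[Tuple[str, str]] = BLACKLIST,
                     malicious: Set[str] = MALICIOUS_PROCESSES) -> Dict[str, Dict[str, int]]:
    """Run both policies over the same events and return their scores side by side."""
    return {
        "whitelist": score(whitelist_alerts(events, whitelist), events, malicious),
        "blacklist": score(blacklist_alerts(events, blacklist), events, malicious),
    }


def with_signature_update(blacklist: Set[Tuple[str, str]],
                          new_signatures: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Return an updated blacklist. In a safety-related system this new artefact is
    a software change and would itself need verification before deployment."""
    return set(blacklist) | set(new_signatures)


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
    updated = with_signature_update(BLACKLIST, {("updater.exe", "tcp:8443")})
    print("blacklist after update",
          score(blacklist_alerts(EVENTS, updated), EVENTS, MALICIOUS_PROCESSES))
```

Run stand-alone, the whitelist catches both attacks but also raises a false positive on the legacy loader, while the blacklist raises no false positive but misses the novel malware until its signature is added; that added signature is exactly the kind of update the abstract says must be re-verified before it reaches a safety-related system.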
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Johnson, C.W. (2015). Barriers to the Use of Intrusion Detection Systems in Safety-Critical Applications. In: Koornneef, F., van Gulijk, C. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2014. Lecture Notes in Computer Science, vol 9337. Springer, Cham. https://doi.org/10.1007/978-3-319-24255-2_27
DOI: https://doi.org/10.1007/978-3-319-24255-2_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24254-5
Online ISBN: 978-3-319-24255-2