Experience with Network Anomaly Detection on Industrial Networks

Oct. 26, 2010
Industrial networks are routinely described as smaller and more stable than typical enterprise networks and so should be good candidates for anomaly-based intrusion detection. This article describes simple network anomaly detectors attached to industrial networks. The anomaly detector looks only at IP addresses and TCP/UDP ports. At each site, a manual calibration/learning process is undertaken to identify network traffic that complies with the site's security policies. All other traffic triggers alarms.

This article summarizes experience with anomaly detection at a number of sites. A surprising finding is the degree of customer interest in understanding and reviewing traffic flows identified by the anomaly detection system. Many control systems are small enough to make such manual review feasible with the anomaly detection tool. The article describes traffic which surprised site personnel, and describes remediations which were initiated as a result of the observed traffic. The article concludes that some industrial networks described are large enough to be difficult to characterize manually. Some automatic learning or characterization is desirable for such networks, but only if such characterization is amenable to manual review.
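The detector the abstract describes is a whitelist of (source IP, destination IP, protocol, destination port) tuples: a calibration capture is turned into a baseline, the baseline is reviewed by site personnel before it becomes policy, and every later flow outside that policy raises an alarm. The following is an added example of that workflow, not code from the article or from any product it discusses; the addresses, flow records and the "rejected" flow are constructed for illustration (10.1.1.0/24 for the control network, 203.0.113.7 as an outside address), and a real deployment would feed flows from a capture or NetFlow source rather than from whitespace-separated lines.

```python
"""IP/port whitelist anomaly detector with a manual-review step.

Added example (not from the article). All addresses and flows below are
constructed; the record format 'src dst proto dport' is an assumption.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp" or "udp"
    dport: int  # destination (server-side) port


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse 'src dst proto dport' records; malformed lines are skipped."""
    flows: list[Flow] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("tcp", "udp"):
            continue
        try:
            flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def learn_baseline(flows: Iterable[Flow]) -> Counter:
    """Calibration step: count every distinct tuple seen during learning."""
    return Counter(flows)


def baseline_report(baseline: Counter) -> list[str]:
    """Render the learned baseline as sorted lines an engineer can review."""
    return [f"{f.src} -> {f.dst} {f.proto}/{f.dport} ({n} flows)"
            for f, n in sorted(baseline.items())]


def approve(baseline: Counter, rejected: set[Flow]) -> frozenset[Flow]:
    """Manual review: tuples the site does not accept are dropped before the
    baseline becomes policy, so the detector alarms on them from then on."""
    return frozenset(f for f in baseline if f not in rejected)


def detect(policy: frozenset[Flow], flows: Iterable[Flow]) -> Counter:
    """Detection step: every flow outside the approved policy is an alarm,
    aggregated by tuple so a repeated conversation is one line to review."""
    return Counter(f for f in flows if f not in policy)


# Constructed calibration capture: HMI (10.1.1.10) and an engineering
# workstation (10.1.1.30) talking Modbus/TCP to two PLCs, RDP from the
# workstation to the HMI, and one flow from the workstation to an outside
# address on 443 that the site did not expect to see.
CALIBRATION_CAPTURE = """\
10.1.1.10 10.1.1.20 tcp 502
10.1.1.10 10.1.1.21 tcp 502
10.1.1.10 10.1.1.20 tcp 502
10.1.1.30 10.1.1.10 tcp 3389
10.1.1.30 10.1.1.20 tcp 502
10.1.1.30 203.0.113.7 tcp 443
"""

# Constructed monitoring capture taken after the policy was approved.
MONITOR_CAPTURE = """\
10.1.1.10 10.1.1.20 tcp 502
10.1.1.30 203.0.113.7 tcp 443
10.1.1.30 203.0.113.7 tcp 443
10.1.1.99 10.1.1.20 tcp 502
10.1.1.10 10.1.1.20 udp 161
"""

# The tuple site personnel refused during review of the baseline report.
REJECTED = {Flow("10.1.1.30", "203.0.113.7", "tcp", 443)}


def run_example() -> tuple[frozenset[Flow], Counter]:
    """Calibrate, review, then monitor; returns (policy, alarms)."""
    baseline = learn_baseline(parse_flows(CALIBRATION_CAPTURE.splitlines()))
    policy = approve(baseline, REJECTED)
    alarms = detect(policy, parse_flows(MONITOR_CAPTURE.splitlines()))
    return policy, alarms


if __name__ == "__main__":
    base = learn_baseline(parse_flows(CALIBRATION_CAPTURE.splitlines()))
    print("Baseline for review:")
    for line in baseline_report(base):
        print("  " + line)
    _, alarms = run_example()
    print("Alarms after review:")
    for f, n in sorted(alarms.items()):
        print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport} x{n}")
```

The review step is the part that matters: if the calibration capture were accepted wholesale, the outbound 443 conversation would have been enshrined as policy and would never alarm again. Keying on the full four-tuple rather than on ports alone is what makes the baseline small enough to read line by line on a control network of this size; on the larger networks the article mentions, the same report grows until manual review is no longer practical.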