Attack Detection and IDS Effectiveness in a Standard OT Environment

  • Simon Elias Freudenthaler

    Student thesis: Master's Thesis

    Abstract

    This master's thesis investigates which intrusion detection systems (IDS) are capable of detecting realistic attack techniques within a given operational technology (OT) environment. The research was conducted in cooperation with the Austrian Institute of Technology GmbH, which developed and provided a realistic testbed environment. Several IDS were integrated into this environment: in collaboration with Deutsche Telekom Cyber Security Austria GmbH, the proprietary IDS solutions "CrowdStrike" and "Dragos" were integrated, and the open-source IDS "Suricata" and "Wazuh" were used in addition.

    An attack was developed and executed within the provided OT environment. It was based on researched attack scenarios and techniques commonly used in OT environments, as well as on current trends in adversarial behavior. The chosen scenarios and techniques were considered feasible within the given environment, executable within a realistic timeframe, and applicable under realistic conditions. The goal of the attack was to compromise the OT infrastructure and put the industrial process into an insecure state in various ways.

    The IDS detections triggered by the attack techniques during execution of the developed attack were documented. A subsequent analysis evaluated the general detectability of these techniques based on the associated data sources, considering both signature- and anomaly-based detection approaches. It was additionally analyzed how the attack techniques were actually detected by the IDS. The triggered detections were evaluated for relevance, with particular attention given to those capable of identifying behavior that is likely to be non-legitimate; these were considered meaningful. Based on the results of the analysis, a conclusion was drawn in which the effectiveness of each IDS was evaluated according to the detections considered meaningful.

    The master's thesis provides an overview of attack scenarios and techniques in OT environments. It highlights existing approaches to detecting such scenarios and techniques and examines the challenges involved. The work contributes to the evaluation of the effectiveness of different IDS in OT environments and supports the selection of security solutions for the OT area.
    Date of Award: 2025
    Original language: German (Austria)
    Supervisor: Robert Kolmhofer

    Study program

    • Secure Information Systems
