HBKU - QCRI
Cyber-Physical System Security

This project advances cyber-physical systems (CPS) security by developing tailored forensic, detection, and response capabilities for ICS environments targeted by Advanced Persistent Threats (APTs), while also addressing vulnerabilities in critical fieldbus technologies. A semi-virtual ICS environment enables repeatable, automatable simulations of multi-stage APTs, and fieldbus protocols are analyzed using formal verification and fuzzing techniques.

Description, Goals, and Focus

Industrial Control Systems (ICS) are critical for managing essential industrial processes within key infrastructure sectors, including energy, water treatment, transportation, and manufacturing. Securing these systems is paramount due to the severe consequences associated with their disruption or compromise, such as significant financial losses, operational interruptions, and threats to public safety. However, ICS infrastructures face increasing vulnerabilities from sophisticated cyber-attacks, necessitating comprehensive security strategies tailored specifically to their unique characteristics.


This ongoing project addresses ICS security from two interconnected perspectives: (1) a primary focus on Advanced Persistent Threats (APTs) targeting ICS infrastructures, and (2) an additional supportive focus on addressing vulnerabilities in critical fieldbus technologies.


The primary objective involves developing comprehensive threat intelligence capabilities specifically designed for ICS environments, encompassing forensic analysis, intrusion detection, and proactive response strategies. Advanced Persistent Threats are stealthy, prolonged, multi-stage cyber-attacks involving reconnaissance, initial exploitation, lateral movement, data exfiltration, and eventual system disruption. Examples of such attacks targeting nuclear facilities, power grids, and industrial safety systems illustrate the potentially catastrophic impacts of APTs. Current ICS security solutions often adopt fragmented approaches, individually analyzing isolated system components such as sensor data, PLC interactions, or network traffic. This approach is insufficient, as it fails to consider the ICS as an integrated whole, significantly limiting the ability to detect and mitigate complex, multi-stage attacks effectively.


Additionally, existing forensic solutions are either heavily reliant on manual expert-driven analysis or, when automated, primarily designed for generalized IT environments rather than ICS-specific contexts. Many automated forensic tools focus predominantly on host-based analysis, lacking the integration and context awareness required for ICS environments. Similarly, traditional intrusion detection systems commonly fail to identify slow-progressing, stealthy threats because they inadequately correlate isolated events over extended periods. Existing response strategies are also predominantly reactive, without the predictive insights necessary for proactive intervention.


To overcome these challenges, the project leverages a semi-virtual ICS environment hosted on a cyber range, enabling realistic and repeatable simulations of complex APT scenarios. This platform facilitates detailed and integrated analysis of SCADA systems, PLCs, HMIs, historians, sensors, and actuators. The integrated approach ensures a holistic understanding of threats and significantly enhances the accuracy and effectiveness of forensic investigations, intrusion detection, and proactive response mechanisms.


As an additional supportive aspect, the project specifically targets vulnerabilities associated with critical fieldbus technologies, such as Single Pair Ethernet (SPE) and Controller Area Network (CAN). Fieldbus systems frequently suffer from inadequate security measures due to limited availability of dedicated security solutions and numerous undiscovered vulnerabilities arising from their specialized architectures and deterministic operational requirements. To address these issues, the project systematically identifies vulnerabilities through rigorous methodologies, including formal verification techniques and specialized protocol fuzzing frameworks. Subsequently, the project develops and implements tailored, practical security solutions explicitly designed to accommodate the stringent deterministic and performance-critical requirements of fieldbus communications within ICS environments. These comprehensive measures ensure enhanced protection against both sophisticated cyber threats and the unique vulnerabilities inherent in fieldbus technologies.