Detecting network intrusions and anomalies in industrial control systems is growing in urgency. Such systems used to be isolated but are now being connected to the outside world. Even in isolated networks, privileged users may still present various threats to the system, either accidentally or intentionally. Malfunctions in devices may also cause anomalous traffic. Network monitoring and intrusion detection systems based on anomaly detection could be capable of discerning normal from aberrant traffic in industrial control systems, detecting security incidents at an early phase. In this paper we discuss the challenges for such a monitoring system. One of the challenges is determining which features best differentiate between anomalous and normal behaviour. In the analysis, special focus is placed on this feature selection.