Frontline responders: Rethinking indicators of compromise for industrial control system security

Impact Factor 4.8 | Tier 2 (Computer Science) | JCR Q1, Computer Science, Information Systems
Mohammed Asiri , Arjun Arunasalam , Neetesh Saxena , Z. Berkay Celik
DOI: 10.1016/j.cose.2025.104421
Journal: Computers & Security, vol. 154, Article 104421
Published: 2025-03-19 (journal article; not open access)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825001105
Citations: 0

Abstract

Industrial Control Systems (ICSs), widely employed in many critical infrastructure sectors that manage and control physical processes (e.g., energy, water, transportation), face heightened security risks due to increased digitization and connectivity. Monitoring Indicators of Compromise (IoCs), observable signs of intrusion such as unusual network activity or unauthorized system changes, is crucial for early detection of and response to malicious activities, including data breaches and insider threats. While IoCs have been extensively studied in traditional Information Technology (IT), their effectiveness and suitability for the unique challenges of ICS environments, which directly control physical processes, remain unclear. Moreover, the influence of human factors (e.g., socio-technical factors, usability) on the utilization and interpretation of IoCs for attack prevention in ICSs is not well understood.
To address this gap, we conducted two studies involving 52 ICS security professionals. In an IoC Applicability study (n=32), we explore the relevance of existing IoCs within ICS environments and investigate factors contributing to potential ambiguities in their interpretation. We examine the perceived value, effort required for collection, and volatility of various data sources used for IoC identification. Participants in the IoC Applicability study emphasized the significant role of human factors in recognizing and interpreting IoCs for threat mitigation within ICS ecosystems. Based on this insight, we conducted a Socio-technical Factors in Recognition and Detection study (n=20) to investigate the impact of human factors on threat detection and explore the socio-technical factors that influence the effective utilization of IoCs. Our results show significant discrepancies between conventional IT-based IoCs and their applicability to ICS environments, along with various socio-technical challenges (e.g., alert overload and desensitization). Our study provides pointers to rethinking the specific operational, technological, and human aspects of IoCs within the ICS context. Our findings provide insights for the development of ICS-specific IoCs to enable security analysts to better respond to potential threats in industrial environments.
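As an added example (not code from the paper or its authors), the following Python sketches the kind of ICS-specific IoC the abstract contrasts with IT-based ones. Instead of matching IP blocklists or file hashes, it evaluates Modbus/TCP flow records against a site policy (which hosts may write to which PLCs, and when), flags a source that has never talked to a controller before, and collapses repeated identical hits into one counted alert, which is one practical answer to the alert overload and desensitization the participants describe. The host addresses, the engineering-workstation allowlist, the maintenance window and the log records are constructed assumptions; the Modbus facts used (function codes 1 to 4 are reads, 5, 6, 15, 16 and 23 change controller state, TCP port 502) are standard.

```python
"""Added example: ICS-specific IoC checks over constructed Modbus/TCP flow records.

Not code from the paper. Addresses, the allowlist and the maintenance window
are hypothetical site policy; the log records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Modbus function codes that change controller state (writes); codes 1-4 are reads.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}
MODBUS_PORT = 502

# Hypothetical site policy: only the engineering workstation may write to PLCs,
# and only inside the scheduled maintenance window (22:00-23:59:59).
ENGINEERING_WORKSTATIONS = {"10.10.1.20"}
PLCS = {"10.10.2.5", "10.10.2.6"}
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59, 59))

# Baseline of (src, dst) pairs that have talked Modbus before (hypothetical).
BASELINE = {("10.10.1.20", "10.10.2.5"), ("10.10.1.20", "10.10.2.6")}

# Constructed flow records: timestamp src dst dport modbus_function_code
SAMPLE_LOG = """\
2025-03-19T10:00:01 10.10.1.20 10.10.2.5 502 3
2025-03-19T10:00:02 10.10.1.30 10.10.2.5 502 3
2025-03-19T10:05:00 10.10.1.30 10.10.2.5 502 6
2025-03-19T10:05:01 10.10.1.30 10.10.2.5 502 6
2025-03-19T10:05:02 10.10.1.30 10.10.2.5 502 6
2025-03-19T14:30:00 10.10.1.20 10.10.2.6 502 16
2025-03-19T22:15:00 10.10.1.20 10.10.2.6 502 16
2025-03-19T22:16:00 192.168.50.9 10.10.2.5 502 3
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    func: int


def parse_log(text):
    """Parse the whitespace-separated flow format above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, func = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(func)))
    return flows


def in_window(ts):
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() <= end


def evaluate(flow, known_talkers):
    """Return the IoC names a single flow triggers.

    known_talkers is the set of (src, dst) pairs already seen (the baseline).
    Only traffic to a PLC on the Modbus port is considered."""
    hits = []
    if flow.dst not in PLCS or flow.dport != MODBUS_PORT:
        return hits
    if (flow.src, flow.dst) not in known_talkers:
        hits.append("new_modbus_talker")          # unusual network activity
    if flow.func in MODBUS_WRITE_CODES:            # unauthorized system change?
        if flow.src not in ENGINEERING_WORKSTATIONS:
            hits.append("write_from_unauthorized_host")
        elif not in_window(flow.ts):
            hits.append("write_outside_maintenance_window")
    return hits


def detect(flows, baseline):
    """Run every flow through the IoC checks, learning the talker baseline as it
    goes, and collapse repeats of the same (ioc, src, dst) into one alert with a
    count, so a burst of identical writes yields one alert instead of N.

    Returns a list of (ioc, src, dst, count, first_seen) tuples."""
    known = set(baseline)
    counts = Counter()
    first_seen = {}
    for f in flows:
        for ioc in evaluate(f, known):
            key = (ioc, f.src, f.dst)
            counts[key] += 1
            first_seen.setdefault(key, f.ts)
        known.add((f.src, f.dst))
    return [(*key, n, first_seen[key]) for key, n in counts.items()]


if __name__ == "__main__":
    for ioc, src, dst, n, ts in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts.isoformat()} {ioc:34} {src} -> {dst} x{n}")
```

On the constructed records, eight flows produce six raw hits but only four alerts: the three writes from 10.10.1.30 fold into one counted alert, the engineering workstation's daytime write is reported separately from its permitted in-window write, and the unseen 192.168.50.9 host is flagged even though it only reads. The policy tables are deliberately small; in practice they would come from the asset inventory and change-management schedule rather than from constants in the detector.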
Source journal: Computers & Security (Engineering & Technology, Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.