Industrial control systems (ICSs) are an important part of critical infrastructure in cyberspace. They are especially
vulnerable to cyber-attacks because of their legacy hardware and software and the difficulty of changing them. We first
survey the history of intrusions into ICSs, the more serious of which involved a continuing adversary presence on an ICS
network. We discuss some common vulnerabilities and the categories of possible attacks, noting the frequent use of
software written a long time ago. We propose a framework for designing ICS incident response under the constraints
that no new software may be required and that interventions cannot impede the continuous processing that is the norm
for such systems. We then discuss a prototype toolkit we built using the Windows Management Instrumentation
Command-Line tool for host-based analysis and the Bro intrusion-detection software for network-based analysis.
Particularly useful techniques we used were learning the historical range of parameters of numeric quantities so as to
recognize anomalies, learning the usual addresses of connections to a node, observing Internet addresses (usually rare),
observing anomalous network protocols such as unencrypted data transfers, observing unusual scheduled tasks, and
comparing key files through registry entries and hash values to find malicious modifications. We tested our methods on
actual data from ICSs including publicly-available data, voluntarily-submitted data, and researcher-provided “advanced
persistent threat” data. We found instances of interesting behavior in our experiments. Intrusions were generally easy to
see because of the repetitive nature of most processing on ICSs, but operators need to be motivated to look.
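Two of the baseline-and-deviation checks the abstract lists (learned numeric ranges per parameter, and learned peers per node with checks for off-site addresses and unencrypted protocols), written here as an added illustration rather than code from the authors' toolkit. The readings, connection records, site address space and cleartext-protocol set are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed samples: numeric readings (host, tag, value) from PLC polls, and
# connections (src, dst, proto) of the kind a Bro/Zeek conn.log would yield.
BASELINE_READINGS = [("plc1", "tank_level", v) for v in (40.0, 42.5, 41.0, 43.0, 39.5, 44.0)]
BASELINE_CONNS = [("10.0.0.5", "10.0.0.10", "modbus"), ("10.0.0.5", "10.0.0.11", "modbus"),
                  ("10.0.0.7", "10.0.0.10", "ssh")]
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed plant address space
CLEARTEXT = {"ftp", "telnet", "http", "tftp"}      # unencrypted transfer protocols

def learn_ranges(readings, margin=0.05):
    """Historical min/max per (host, tag), widened by a fraction of the span."""
    seen = {}
    for host, tag, v in readings:
        lo, hi = seen.get((host, tag), (v, v))
        seen[(host, tag)] = (min(lo, v), max(hi, v))
    return {k: (lo - margin * (hi - lo), hi + margin * (hi - lo))
            for k, (lo, hi) in seen.items()}

def range_alerts(ranges, readings):
    """Flag values outside the learned band, or parameters never seen before."""
    alerts = []
    for host, tag, v in readings:
        band = ranges.get((host, tag))
        if band is None:
            alerts.append((host, tag, v, "unknown parameter"))
        elif not band[0] <= v <= band[1]:
            alerts.append((host, tag, v, "outside learned range"))
    return alerts

def learn_peers(conns):
    peers = defaultdict(set)  # usual (dst, proto) pairs per source node
    for src, dst, proto in conns:
        peers[src].add((dst, proto))
    return peers

def conn_alerts(peers, conns):
    """Flag new peers, addresses outside the site, and cleartext protocols."""
    alerts = []
    for src, dst, proto in conns:
        reasons = []
        if (dst, proto) not in peers.get(src, set()):
            reasons.append("new peer or protocol for this node")
        if not any(ipaddress.ip_address(dst) in n for n in SITE_NETS):
            reasons.append("address outside site networks")
        if proto in CLEARTEXT:
            reasons.append("unencrypted transfer")
        if reasons:
            alerts.append((src, dst, proto, reasons))
    return alerts
```

In practice the baseline would be learned from a long window of normal operation and re-learned after sanctioned changes, since a PLC that legitimately runs at a new setpoint would otherwise alert forever.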