Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

International Journal of Advanced Computer Science and Applications (2023)

Abstract
Industrial control systems (ICS) play a crucial role in various industries, and ensuring their security is paramount for maintaining process continuity and reliability. In ICS, the most damaging cyber-attacks often come from trusted insiders rather than external threats or malware. Insiders have the advantage of bypassing security measures and staying undetected. This research focuses on developing a real-time intrusion detection system for ICS workstations that effectively detects insider threats while prioritizing user privacy. The approach employs file integrity monitoring to identify suspicious activities, particularly file violations such as data tampering and destruction. The model presented in this research demonstrates low system resource consumption by utilizing an event-triggered approach instead of continuous polling of file data. The model leverages built-in operating system functions, eliminating the need for third-party software installation. To minimize disruptions to the ICS network, the model operates at the supervisory level within the ICS architecture. Through extensive testing, the model achieves a high level of accuracy, detecting insider intrusions with a high true positive rate. This reliable detection capability contributes to enhancing the security of ICS and mitigating the risks associated with insider threats. By implementing this real-time intrusion detection system, organizations can effectively protect their control systems while preserving user privacy.
Keywords
Industrial control system, insider threats, intrusion detection, file integrity monitoring, SCADA security