Technical Article

NIST Finds Patterns in Cyber Security Behavior Related to Industrial Manufacturing

August 28, 2020 by Jeff Kerns

The latest report from NIST and other government organizations found that tracking behavior may be a new way to track potential security threats.

Cybersecurity continues to be a growing concern for manufacturing companies. Many IT professionals are juggling new and old infrastructure while engineers want easy unfettered access to manufacturing data and devices.

Unfortunately, increasing access points are making it easier to gain access to data and connected devices inherently decrease security. 

To keep networks safe, it is important to ask suppliers what type of security measures products have built into them. However, with internal and external cybersecurity threats combined with both human and maintenance errors, understanding behavioral differences could add value in detecting malicious intent. 

Recently, the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE), along with NIST’s Engineering Laboratory (EL) published a report on how tracking behavior may be a new way to track potential security threats.

Accessing unsecured websites, opening spam emails, and other actions from employees jeopardize security. However, the NIST report tracked actions within the Industrial control systems (ICS) to identify behavioral abnormality detection (BAD) that would help support cybersecurity in manufacturing organizations.

The following presents the detection methods, architecture, benefits, and results taken from the NIST report

This report mapped the security characteristics of the demonstrated capabilities to the framework for improving critical infrastructure cybersecurity based on NISTIR 8183, the Cybersecurity Framework Manufacturing Profile. “The mapping can be used as a reference in applying specific security controls found in prominent industry standards and guidance.” 


This specific report demonstrated the following two environments: 

  • A collaborative robotics-based manufacturing system.
  • “A process control system (PCS) that resembles what is being used by chemical manufacturing industries.”  


The project demonstrates BAD techniques to highlight potential problems in a manufacturing process that may weaken cybersecurity. Tests for BAD were continuously monitoring manufacturing processes for any unusual events or trends. It is important to note that the monitor looks for evidence of a compromise rather than for the attack itself.

For example, if a work cell reports an increase in inspection failures or faulty door sensor, it is important to catch, document, and notify an operator early. Behavioral abnormality notifications don’t necessarily indicate malicious intent. Notifications could be a sign of equipment failure or human error.

More data, preventative maintenance technology, and research such as the NIST report will help establish more detailed baselines overtime. As more accurate baselines are established a better understanding of what is causing abnormal behavior and how to mitigate alerts. 


Detection Methods

The project demonstrated three different detection methods: network-based, agent-based, and operational historian/sensor-based. 



“Identifies, monitors, and reports anomalous industrial control systems (ICS) traffic that might indicate a potential intrusion. Collects ICS network traffic via passive (agentless) monitoring. The system uses deep packet inspection to dissect traffic from both serial and Ethernet control network equipment.”  



“Identifies, monitors, and reports anomalous ICS traffic that might indicate a potential intrusion. Uses non-intrusive software agents to monitor the ICS network that requires no updating. The network intrusive detection system passively collects data from the ICS/Supervisory Control and Data Acquisition network via Switch Port Analyzer (SPAN)/mirroring ports.

The host-monitoring agents collect data from within endpoints. The agents send event information to the detector, which looks for early warnings of cybersecurity attacks, and alerts on the anomalies detected by using a web interface.”


Operational Historian/Sensor Based

According to the report, NIST, the report, “gathers raw data, records process data, and creates calculations. Provides monitoring and performance alerts of the process historian. The historian accesses historical data and consolidates it with current, real-time data. It allows for investigating intermittent issues, troubleshooting equipment failures, comparing current versus past production performance, and measuring new-plant startups against existing facilities.”



The report offers more details on how each project was executed. Overall, network-based anomaly detection aggregates all network traffic into a single collection point. This central collection point then uses all available data to determine a baseline of behavior.


 BAD High-Level Architecture. image courtesy of NIST. 

Once a baseline is established, the software will send an alert anytime there is a deviation in network traffic or pre-configured baseline parameter. 



The NIST Interagency Report is intended to help organizations accomplish their goals by using anomaly detection tools for the following:

  • Catch cybersecurity threats and problems quickly to allow prompt response and recovery.
  • “Expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices.” 
  • “Reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts.”
  • “Support the oversight of resources (e.g., IT, personnel, data.)”



The demonstration effort examined 16 classes of BAD for which anomalous events were successfully detected:  

  • “Plaintext passwords”
  • “User authentication failures” 
  • “New network devices” 
  • “Abnormal network traffic between devices” 
  • “Internet connectivity” 
  • “Data exfiltration”
  • “Unauthorized software installations”
  • “PLC firmware modifications”
  • “Unauthorized PLC logic modifications” 
  • “File transfers between devices” 
  • “Abnormal ICS protocol communications” 
  • “Malware” 
  • “Denial of service (DoS)” 
  • “Abnormal manufacturing system operations” 
  • “Port scans/probes” 
  • “Environmental changes” 


Connectivity adds value and risk. Technicians and engineers able to better understand what data is telling them will be able to determine if preventative maintenance or stronger security measures are needed to keep alerts from disrupting production.

BAD data might become a trend. Including BAD with preventative maintenance and other connected capabilities will help digital models better match reality.

Until larger datasets and more research are available, built-in security features, limiting access, segmentation, encryption, and education on cybersecurity can go a long way to keeping manufacturers safe.