Industrial control systems differ significantly from standard, general-purpose computing environments, and they face quite different security challenges. With physical "air gaps" now the exception, our critical infrastructure has become vulnerable to a broad range of potential attackers. In this project we develop novel network monitoring approaches that can detect sophisticated semantic attacks: malicious actions that drive a process into an unsafe state without however exhibiting any obvious protocol-level red flags. In one thrust, we conduct a measurement-centric study of ICS network activity, aimed at developing a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time. In a second thrust, we develop domain-specific behavior models that abstract from low-level protocol activity to their semantic meaning according to the current state of the processes under control. Our goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attacks or malfunction. A separate "Transition to Practice" phase advances our research results into deployment-ready technology by integrating it into the open-source Bro network monitor. Overall, our work will improve security and safety of today's critical infrastructure by providing effective, unobtrusive security monitoring tailored to their specific semantics. In addition, we tie a number of educational activities to the research and involve students at all levels.
