Limitations of Detection Technologies and Solution Proposals in Cyber Defense of Critical Infrastructure
摘要
In contemporary defense paradigms, cyberspace is recognized as the fifth dimension of warfare. Understanding the Cyber Kill Chain requires a thorough examination of the interactions between Victim Infrastructure and Attacker Capabilities in the Diamond Model, which enables us to identify the attack surface and develop effective countermeasures. While IT systems share some similarities with Industrial Control Systems (ICS), they remain a distinct domain with unique characteristics, especially in Critical Infrastructure (CI), where vulnerabilities are prevalent. Once an attack bypasses preventive security layers, detection technologies become the primary line of defense. Advanced Persistent Threats (APTs) often evade detection by avoiding known malicious tools and instead leveraging existing system resources—also known as living-off-the-land (LotL) techniques. Therefore, beyond traditional Indicators of Compromise (IoC) matching, behavioral analysis is crucial for uncovering intrusions. Behavioral detection models are developed by cybersecurity vendors based on lessons learned, emulating known incidents. However, these models are highly dependent on the infrastructure in which they are trained. Moreover, the diversity of protocols and legacy systems in ICS complicates the development of effective detection rules and models for niche systems—a gap that attackers often exploit. In complex attacks, adversaries can manipulate system behavior in tailored ways, generating activities that do not fit known malicious or benign patterns, thereby evading detection. In this context, this exploratory study aims to identify the limitations of detection technologies in CI and explore potential solutions, such as fostering collaboration among organizations with similar infrastructures for threat intelligence sharing and developing detection models.