TY - GEN
T1 - KIDS
T2 - International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International Conference on Availability, Reliability and Security, ARES 2025
AU - Wani, Nowshaba Jeelani
AU - Pesch, Dirk
AU - Roedig, Utz
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the vulnerability of Industrial Control Systems (ICS). Prolonged undetected intrusions and the frequent exploitation of zero-day vulnerabilities have made ICS highly susceptible to cyberattacks, resulting in data loss and physical damage. Despite growing threats, the majority of Intrusion Detection Systems (IDS) ignore the significance of process-based data and equipment such as Programmable Logic Controllers (PLCs) and focus on the management components of ICS, which are essentially an IT system. Many suggested IDS are also only effective against known attacks and fail to detect zero-day exploits. The lack of a unified IDS across IT and OT, applicable irrespective of the protocols employed or hardware heterogeneity, is another significant gap in this field. This paper presents the Kestrel-Based Intrusion Detection System (KIDS), a query-based, process-aware framework tailored for OT. Built on the Kestrel threat hunting language, KIDS combines process monitoring with traditional threat intelligence to detect sophisticated attacks across all layers of ICS. By abstracting system components and complexities into unified query interfaces, KIDS enables holistic visibility, from management systems to PLCs, and supports scalable, cross-platform threat detection adaptable to evolving industrial threats.
KW - Industrial control systems
KW - Intrusion detection systems
KW - Operational technologies
KW - Security
KW - Threat hunting
UR - https://www.scopus.com/pages/publications/105014868793
U2 - 10.1007/978-3-032-00630-1_11
DO - 10.1007/978-3-032-00630-1_11
M3 - Conference proceeding
AN - SCOPUS:105014868793
T3 - Lecture Notes in Computer Science (LNCS, volume 15994)
SP - 191
EP - 208
BT - International Conference on Availability, Reliability and Security
Y2 - 11 August 2025 through 14 August 2025
ER -