KIDS: Intrusion Detection for Industrial Control Systems

Nowshaba Jeelani Wani; Dirk Pesch; Utz Roedig

doi:10.1007/978-3-032-00630-1_11

KIDS: Intrusion Detection for Industrial Control Systems

Nowshaba Jeelani Wani
, Dirk Pesch
, Utz Roedig

School of Computer Science and Information Technology

Research output: Chapter in Book/Report/Conference proceedings › Conference proceeding › peer-review

Abstract

The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the vulnerability of Industrial Control Systems (ICS). Prolonged undetected intrusions and the frequent exploitation of zero-day vulnerabilities have made ICS highly susceptible to cyberattacks, resulting in data loss and physical damage. Despite growing threats, majority of Intrusion Detection Systems (IDS) ignore the significance of process-based data and equipment such as Programmable Logic Controllers (PLCs) and focus on the management components of ICS, which are essentially an IT system. Many suggested IDS are also only effective with known attacks and fail to detect zero-day exploits. The lack of a unified IDS across IT and OT, applicable irrespective of protocols employed or hardware heterogeneity, is another significant gap in this field. This paper presents Kestrel-Based Intrusion Detection System (KIDS), a query-based, process-aware framework tailored for OT. Built on the Kestrel threat hunting language, KIDS combines process monitoring with traditional threat intelligence to detect sophisticated attacks across all layers of ICS. By abstracting system components and complexities into unified query interfaces, KIDS enables holistic visibility, from management systems to PLCs, and supports scalable, cross-platform threat detection adaptable to evolving industrial threats.

Original language	English
Title of host publication	International Conference on Availability, Reliability and Security
Pages	191-208
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-032-00630-1_11
Publication status	Published - 2025
Event	International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgium Duration: 11 Aug 2025 → 14 Aug 2025

Publication series

Name	Lecture Notes in Computer Science ((LNCS,volume 15994))

Conference

Conference	International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025
Country/Territory	Belgium
City	Ghent
Period	11/08/25 → 14/08/25

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

Keywords

Industrial control systems
Intrusion detection systems
Operational technologies
Security
Threat hunting

Access to Document

10.1007/978-3-032-00630-1_11

Cite this

@inproceedings{0f4cf8a382ba4d0cad0c49457f2ce7f8,

title = "KIDS: Intrusion Detection for Industrial Control Systems",

abstract = "The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the vulnerability of Industrial Control Systems (ICS). Prolonged undetected intrusions and the frequent exploitation of zero-day vulnerabilities have made ICS highly susceptible to cyberattacks, resulting in data loss and physical damage. Despite growing threats, majority of Intrusion Detection Systems (IDS) ignore the significance of process-based data and equipment such as Programmable Logic Controllers (PLCs) and focus on the management components of ICS, which are essentially an IT system. Many suggested IDS are also only effective with known attacks and fail to detect zero-day exploits. The lack of a unified IDS across IT and OT, applicable irrespective of protocols employed or hardware heterogeneity, is another significant gap in this field. This paper presents Kestrel-Based Intrusion Detection System (KIDS), a query-based, process-aware framework tailored for OT. Built on the Kestrel threat hunting language, KIDS combines process monitoring with traditional threat intelligence to detect sophisticated attacks across all layers of ICS. By abstracting system components and complexities into unified query interfaces, KIDS enables holistic visibility, from management systems to PLCs, and supports scalable, cross-platform threat detection adaptable to evolving industrial threats.",

keywords = "Industrial control systems, Intrusion detection systems, Operational technologies, Security, Threat hunting",

author = "Wani, \{Nowshaba Jeelani\} and Dirk Pesch and Utz Roedig",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025 ; Conference date: 11-08-2025 Through 14-08-2025",

year = "2025",

doi = "10.1007/978-3-032-00630-1\_11",

language = "English",

series = "Lecture Notes in Computer Science ((LNCS,volume 15994))",

pages = "191--208",

booktitle = "International Conference on Availability, Reliability and Security",

}

Wani, NJ, Pesch, D & Roedig, U 2025, KIDS: Intrusion Detection for Industrial Control Systems. in International Conference on Availability, Reliability and Security. Lecture Notes in Computer Science ((LNCS,volume 15994)), pp. 191-208, International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025, Ghent, Belgium, 11/08/25. https://doi.org/10.1007/978-3-032-00630-1_11

TY - GEN

T1 - KIDS

T2 - International Workshops on Availability, Reliability and Security, held under the umbrella of the 20th International conference on Availability, Reliability and Security, ARES 2025

AU - Wani, Nowshaba Jeelani

AU - Pesch, Dirk

AU - Roedig, Utz

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025

Y1 - 2025

N2 - The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the vulnerability of Industrial Control Systems (ICS). Prolonged undetected intrusions and the frequent exploitation of zero-day vulnerabilities have made ICS highly susceptible to cyberattacks, resulting in data loss and physical damage. Despite growing threats, majority of Intrusion Detection Systems (IDS) ignore the significance of process-based data and equipment such as Programmable Logic Controllers (PLCs) and focus on the management components of ICS, which are essentially an IT system. Many suggested IDS are also only effective with known attacks and fail to detect zero-day exploits. The lack of a unified IDS across IT and OT, applicable irrespective of protocols employed or hardware heterogeneity, is another significant gap in this field. This paper presents Kestrel-Based Intrusion Detection System (KIDS), a query-based, process-aware framework tailored for OT. Built on the Kestrel threat hunting language, KIDS combines process monitoring with traditional threat intelligence to detect sophisticated attacks across all layers of ICS. By abstracting system components and complexities into unified query interfaces, KIDS enables holistic visibility, from management systems to PLCs, and supports scalable, cross-platform threat detection adaptable to evolving industrial threats.

AB - The convergence of Information Technology (IT) and Operational Technology (OT) has significantly increased the vulnerability of Industrial Control Systems (ICS). Prolonged undetected intrusions and the frequent exploitation of zero-day vulnerabilities have made ICS highly susceptible to cyberattacks, resulting in data loss and physical damage. Despite growing threats, majority of Intrusion Detection Systems (IDS) ignore the significance of process-based data and equipment such as Programmable Logic Controllers (PLCs) and focus on the management components of ICS, which are essentially an IT system. Many suggested IDS are also only effective with known attacks and fail to detect zero-day exploits. The lack of a unified IDS across IT and OT, applicable irrespective of protocols employed or hardware heterogeneity, is another significant gap in this field. This paper presents Kestrel-Based Intrusion Detection System (KIDS), a query-based, process-aware framework tailored for OT. Built on the Kestrel threat hunting language, KIDS combines process monitoring with traditional threat intelligence to detect sophisticated attacks across all layers of ICS. By abstracting system components and complexities into unified query interfaces, KIDS enables holistic visibility, from management systems to PLCs, and supports scalable, cross-platform threat detection adaptable to evolving industrial threats.

KW - Industrial control systems

KW - Intrusion detection systems

KW - Operational technologies

KW - Security

KW - Threat hunting

UR - https://www.scopus.com/pages/publications/105014868793

U2 - 10.1007/978-3-032-00630-1_11

DO - 10.1007/978-3-032-00630-1_11

M3 - Conference proceeding

AN - SCOPUS:105014868793

T3 - Lecture Notes in Computer Science ((LNCS,volume 15994))

SP - 191

EP - 208

BT - International Conference on Availability, Reliability and Security

Y2 - 11 August 2025 through 14 August 2025

ER -