Asiri, Mohammed; Arunasalam, Arjun; Saxena, Neetesh
PDF - Published Version. Available under License Creative Commons Attribution.
Abstract
Industrial Control Systems (ICSs), widely employed in critical infrastructure sectors that manage and control physical processes (e.g., energy, water, transportation), face heightened security risks due to increased digitization and connectivity. Monitoring Indicators of Compromise (IoCs), observable signs of intrusion such as unusual network activity or unauthorized system changes, is crucial for early detection of and response to malicious activity, including data breaches and insider threats. While IoCs have been extensively studied in traditional Information Technology (IT), their effectiveness and suitability for the unique challenges of ICS environments, which directly control physical processes, remain unclear. Moreover, the influence of human factors (e.g., sociotechnical factors, usability) on how IoCs are used and interpreted for attack prevention in ICSs is not well understood. To address this gap, we conducted two studies involving 52 ICS security professionals. In an IoC Applicability study (n=32), we explore the relevance of existing IoCs within ICS environments and investigate factors contributing to potential ambiguities in their interpretation. We examine the perceived value, the effort required to collect, and the volatility of the various data sources used for IoC identification. Participants in the IoC Applicability study emphasized the significant role of human factors in recognizing and interpreting IoCs for threat mitigation within ICS ecosystems. Based on this insight, we conducted a Sociotechnical Factors in Recognition and Detection study (n=20) to investigate the impact of human factors on threat detection and to explore the sociotechnical factors that influence the effective use of IoCs. Our results show significant discrepancies between conventional IT-based IoCs and their applicability to ICS environments, along with various sociotechnical challenges (e.g., alert overload and desensitization).
Our study provides pointers for rethinking the specific operational, technological, and human aspects of IoCs within the ICS context. Our findings provide insights for the development of ICS-specific IoCs that enable security analysts to respond better to potential threats in industrial environments.
| Item Type: | Article |
|---|---|
| Date Type: | Publication |
| Status: | Published |
| Schools: | Schools > Computer Science & Informatics |
| Publisher: | Elsevier |
| ISSN: | 0167-4048 |
| Date of First Compliant Deposit: | 13 March 2025 |
| Date of Acceptance: | 6 March 2025 |
| Last Modified: | 02 Apr 2025 12:33 |
| URI: | https://orca.cardiff.ac.uk/id/eprint/176814 |