Barriers to the Use of Intrusion Detection Systems in Safety-Critical Applications

Intrusion detection systems (IDS) provide valuable tools to monitor for, and militate against, the impact of cyber-attacks. However, this paper identifies a range of theoretical and practical concerns when these systems are integrated into safety-critical systems. White-list approaches enumerate the processes that can legitimately exploit system resources and any other access requests are interpreted to indicate the presence of malware. They cannot easily be used in safety-related applications where the use of legacy applications and Intellectual Property (IP) barriers associated with the extensive use of subcontracting can make it different to enumerate the resource requirements for all valid processes. In contrast, blacklist intrusion detection systems characterize the behavior of known malware. In order to be effective, blacklist IDS must be updated at regular intervals. This raises enormous concerns in safety-critical systems where extensive validation and verification requirements ensure that software updates must be rigorously tested. In other words, there is a concern that an IDS signature update might itself introduce bugs into a safety-related system. Isolation between an IDS and a safety related application can minimize this threat, for instance, using information diodes. However, further problems arise when IDS false positives compromise the reliability of safety-related applications.