Advanced System for the Detection of Persistent Cyberattacks in Industry 4.0

Duration: 01/04/2016 to 31/12/2018

Project Overview: 

Cybersecurity in industrial control environments is becoming increasingly important. These types of systems have gone from being isolated to being Internet-connected, and are therefore exposed to the dangers and threats that affect more open networks. Moreover, the digitization of industry and the rapid growth of paradigms such as Industry 4.0 (I4.0) and the Industrial Internet of Things (IIoT), in which physical objects and other processes are seamlessly integrated into the information network, create new potential vulnerabilities and attack vectors, making industrial environments even more exposed than before. As one of the tenets of these paradigms is the creation of a virtual copy of the real world, one strategy for protecting them is to provide services that are able to monitor the behavior of that virtual world at all times.

In order to achieve this goal, it is essential to understand the risks associated with the technological pillars of I4.0 and IIoT, such as the Internet of Things (IoT) and Cyber-Physical Systems (CPS). In theory, these technologies allow the creation of an interoperable and modular environment in which all actors connect and communicate with each other and make decisions on their own. In practice, there are many hurdles to overcome, such as the combination of heterogeneous technologies and standards with multiple protocols and access policies. In parallel, we also have to consider that the possible attacks on industrial environments have become even more complex, and Advanced Persistent Threats (APTs) are increasingly common.

Consequently, the main objective of the SADCIP project is the development of an advanced detection system capable of dealing with APTs and other threats in the context of modern industrial control systems, taking into account the specific characteristics of Industry 4.0 [1] and related paradigms, together with their integration with IoT and CPS technologies [2][3]. For this purpose, NICS has developed a modular and extensible architecture into which multiple cooperative and distributed detection systems can be integrated. This architecture has been instantiated and deployed in real-world scenarios in collaboration with the cybersecurity company S2Grupo. From this collaboration, several approaches have already been proposed in the literature [4][5][6] for detecting APT attacks in real time across IT-OT (Information Technology-Operational Technology) domains.

Note that many of the internal proofs of concept produced by NICS Lab in SADCIP (e.g., the implementation of cyber-attacks and the detection framework) have also been validated and tested in the I4Testbed laboratory.


  1. J. E. Rubio, R. Roman, and J. Lopez, "Analysis of cybersecurity threats in Industry 4.0: the case of intrusion detection",
     12th International Conference on Critical Information Infrastructures Security (CRITIS 2017), Lecture Notes in Computer Science, vol. 10707, Springer, pp. 119-130, 08/2018.
  2. J. E. Rubio, C. Alcaraz, R. Roman, and J. Lopez, "Current Cyber-Defense Trends in Industrial Control Systems",
     Computers & Security, vol. 87, Elsevier, 11/2019. Impact Factor 3.579 (Journal Citation Reports Science Edition, Thomson Reuters, 2019).

     Advanced Persistent Threats (APTs) have become a serious hazard for any critical infrastructure, as no single solution exists that protects all industrial assets from these complex attacks. It is therefore essential to understand which defense mechanisms can be used as a first line of defense. For this purpose, this article first studies the spectrum of attack vectors that APTs can use against existing and novel elements of an industrial ecosystem. Afterwards, it provides an analysis of the evolution and applicability of the Intrusion Detection Systems (IDS) that have been proposed in both industry and academia.

  3. J. Lopez, C. Alcaraz, J. Rodriguez, R. Roman, and J. E. Rubio, "Protecting Industry 4.0 against Advanced Persistent Threats",
     European CIIP Newsletter, vol. 11, issue 26, no. 1, pp. 27-29, 03/2017.
  4. J. E. Rubio, R. Roman, C. Alcaraz, and Y. Zhang, "Tracking APTs in Industrial Ecosystems: A Proof of Concept",
     Journal of Computer Security, vol. 27, issue 5, IOS Press, pp. 521-546, 09/2019.
  5. J. E. Rubio, R. Roman, C. Alcaraz, and Y. Zhang, "Tracking Advanced Persistent Threats in Critical Infrastructures through Opinion Dynamics",
     European Symposium on Research in Computer Security (ESORICS 2018), Lecture Notes in Computer Science, vol. 11098, Springer, pp. 555-574, 08/2018.

     Advanced persistent threats pose a serious issue for modern industrial environments, due to their targeted and complex attack vectors, which are difficult to detect. This is especially severe in critical infrastructures that are accelerating the integration of IT technologies. It is therefore essential to further develop effective monitoring and response systems that ensure business continuity in the face of this growing set of cyber-security threats. In this paper, we study the practical applicability of a novel technique based on opinion dynamics, which makes it possible to trace the attack throughout all its stages along the network by correlating different anomalies measured over time, thereby taking the persistence of threats and the criticality of resources into consideration. The resulting information is of essential importance for monitoring the overall health of the control system and correspondingly deploying accurate response procedures.
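The abstract of [5] describes correlating anomaly scores across the network over time, weighting by the criticality of resources and keeping past anomalies alive so that a multi-stage intrusion can be traced as it moves between assets. The following Python model is added here as an illustration of that idea and is not code from the SADCIP project or from the paper: it is a generic DeGroot-style consensus update (each asset blends its own evidence with its neighbours' beliefs), not the paper's own rule. The IT/OT topology, the criticality values, the per-step anomaly scores and the constants SELF_WEIGHT, DECAY and MIN_RISE are all constructed for the example.

```python
"""Opinion-dynamics style correlation of anomaly scores across an IT/OT network.

Generic DeGroot-style consensus model, written for this page as an illustration.
It is NOT the SADCIP algorithm; topology, criticality values, anomaly scores and
the constants below are constructed assumptions.
"""
from typing import Dict, List, Optional, Tuple

Opinions = Dict[str, float]

# Constructed topology: undirected links between assets (hypothetical plant).
LINKS: List[Tuple[str, str]] = [
    ("workstation", "hmi"),
    ("hmi", "plc1"),
    ("hmi", "plc2"),
    ("plc1", "historian"),
    ("plc2", "historian"),
]

# Constructed criticality in (0, 1]: the PLCs drive the physical process.
CRITICALITY: Dict[str, float] = {
    "workstation": 0.3, "hmi": 0.6, "plc1": 1.0, "plc2": 1.0, "historian": 0.5,
}

SELF_WEIGHT = 0.5  # share of a node's new opinion taken from its own evidence
DECAY = 0.7        # persistence: fraction of last step's opinion that survives
MIN_RISE = 0.05    # smallest opinion increase reported as an attack stage


def adjacency(links: List[Tuple[str, str]]) -> Dict[str, set]:
    adj: Dict[str, set] = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def influence(adj: Dict[str, set], criticality: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Row-stochastic neighbour weights: a more critical neighbour weighs more."""
    w: Dict[str, Dict[str, float]] = {}
    for node, nbrs in adj.items():
        total = sum(criticality[n] for n in nbrs) or 1.0  # guard isolated nodes
        w[node] = {n: criticality[n] / total for n in nbrs}
    return w


def step(prev: Opinions, observed: Opinions, w: Dict[str, Dict[str, float]]) -> Opinions:
    """One DeGroot update over persisted local evidence.

    local_i = max(observed anomaly_i, DECAY * previous opinion_i)
    new_i   = SELF_WEIGHT * local_i + (1 - SELF_WEIGHT) * sum_j w_ij * local_j
    """
    local = {n: max(observed.get(n, 0.0), DECAY * prev.get(n, 0.0)) for n in w}
    return {
        n: SELF_WEIGHT * local[n]
        + (1 - SELF_WEIGHT) * sum(wt * local[m] for m, wt in w[n].items())
        for n in w
    }


def run(observations: List[Opinions], links=LINKS, criticality=CRITICALITY) -> List[Opinions]:
    """Replay per-step anomaly observations; return the opinions after every step."""
    w = influence(adjacency(links), criticality)
    opinions: Opinions = {n: 0.0 for n in w}
    history: List[Opinions] = []
    for observed in observations:
        opinions = step(opinions, observed, w)
        history.append(opinions)
    return history


def attack_front(history: List[Opinions]) -> List[Optional[str]]:
    """Per step, the node whose opinion rose most (the attack's current stage),
    or None when no opinion rose by at least MIN_RISE (the network is settling)."""
    front: List[Optional[str]] = []
    prev: Opinions = {n: 0.0 for n in history[0]}
    for opinions in history:
        node = max(opinions, key=lambda n: opinions[n] - prev[n])
        front.append(node if opinions[node] - prev[node] >= MIN_RISE else None)
        prev = opinions
    return front


def plant_health(opinions: Opinions, criticality=CRITICALITY) -> float:
    """Criticality-weighted mean opinion: 0 = calm, 1 = every critical asset compromised."""
    total = sum(criticality.values())
    return sum(criticality[n] * opinions[n] for n in opinions) / total


# Constructed timeline: phishing lands on the workstation, the HMI is then
# pivoted through, and a PLC receives a tampered program; afterwards nothing
# more is observed. Each local score fades, the correlation keeps the thread.
OBSERVATIONS: List[Opinions] = [
    {"workstation": 0.9},
    {"workstation": 0.2, "hmi": 0.7},
    {"hmi": 0.3, "plc1": 0.8},
    {},
]

if __name__ == "__main__":
    hist = run(OBSERVATIONS)
    for t, ops in enumerate(hist):
        print(t, {n: round(v, 2) for n, v in ops.items()}, "health", round(plant_health(ops), 2))
    print("attack front:", attack_front(hist))  # workstation -> hmi -> plc1 -> None
```

Run as a script, the attack front reads workstation, then hmi, then plc1, even though at step 2 the workstation reports no anomaly of its own any more: the decayed opinion and the neighbours' beliefs carry the earlier stage forward, which is the "persistence" the abstract refers to. Criticality enters only through the neighbour weights and the health score; a different model (for instance, using criticality to set how much a node trusts its own sensors) would change the numbers but not the mechanism.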

  6. C. Alcaraz, J. Rodriguez, R. Roman, and J. E. Rubio, "Estado y Evolución de la Detección de Intrusiones en los Sistemas Industriales" (State and Evolution of Intrusion Detection in Industrial Systems),
     III Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2017), 2017.

     Given the need to protect industrial systems against threats, it is necessary to understand the true reach of the mechanisms capable of detecting potential anomalies and intrusions. The aim of this article is therefore to analyse the state and evolution, both academic and industrial, of intrusion detection mechanisms in this field, and to study their current and future applicability.

Project RTC-2016-4847-8 funded by: