Agentless approach for security information and event management in industrial IoT

Abstract

The Internet of Things (IoT) provides ease of real-time communication in homes, industries, health care, and many other dependable and interconnected sectors. However, in recent years, smart infrastructure, including cyber-physical industries, has witnessed a severe disruption of operation due to privilege escalation, exploitation of misconfigurations, firmware hijacking, malicious node injection, botnets, and other malware infiltrations. The proposed agentless module for Wazuh security information and event management (SIEM) solution contributes to securing small- to large-scale IoT networks of industry 4.0. An agentless module is implemented by vigilantly examining the IoT device traffic without installing any agent or software on the endpoints. In the proposed research scheme, a module sniffs the network traffic of IoT devices captured from the gateway and passes it to a machine learning model for initial detection and prediction. The output of the ML model is embedded in the JSON log format and passed through the Wazuh agent to the Wazuh server where a decoder is added that decodes the network traffic logs. For event monitoring in Wazuh, industrial protocols are also thoroughly analyzed, and the feature set is determined. These features are used to write rules which are tested on the SWaT dataset, utilizing a common industrial protocol (CIP) for communication. Custom and dynamic rules are written at the Wazuh end to generate alerts to respond to any anomaly detected by the machine learning (ML) model or in the protocols used. Finally, in case of any event or an attack is detected, the alerts are fired on the Wazuh dashboard. This agentless SIEM solution has practical implications for the security of the industrial control systems of industry 4.0.