NIST IR 8219 Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection James McCarthy Michael Powell Keith Stouffer CheeYee Tang Timothy Zimmerman William Barker Titilayo Ogunyale Devin Wynne Johnathan Wiltberger This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8219 NISTIR 8219 Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection James McCarthy William Barker Michael Powell Dakota Consulting Applied Cybersecurity Division Silver Spring, MD Information Technology Laboratory Keith Stouffer Titilayo Ogunyale CheeYee Tang Devin Wynne Timothy Zimmerman Johnathan Wiltberger Intelligent Systems Division The MITRE Corporation Engineering Laboratory McLean, VA This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8219 July 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Undersecretary of Commer ce for Standards and Technology i National Institute of Standards and Technology Interagency or Internal Report 8219 93 pages ( July 2020) This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8219 Certain commercial entities, equipment, or materials may be ide ntified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are ne cessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guideline s, and procedures, where they exist, remain operative. For plan ning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NI ST cybersecurity publications , other than the ones noted above, are available at https://csrc.nist.gov/publications . Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: National Cybersecurity Center of Excellence, 100 Bureau Drive (Mail Stop 2002) Gaithersburg, MD 20899 -2002 Email: manufacturing_nccoe@ni st.gov All comments are subject to release under the Freedom of Information Act (FOIA). NISTIR 8219 SECURING MANUFACTURING ICS: BEHAVIORAL ANOMALY DETECTION ii This publication is available free of charge from: http s://doi.org/10.6028/ NIST.IR.8219 Abstract Industrial c ontrol s ystems (ICS) are used in many industries to monitor and control physical processes. As ICS continue to adopt commercial ly available information technology (IT) to promote corporate business systems ’ connectivity and remote access capabilities, ICS become more vulnerable to cyber security threats. The National Institute of Standards and Technology’s (NIST ’s) National Cybersecur ity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory (EL), has demonstrated a set of behavioral anomaly detection capabilities to support cybersecurity in manufacturing organizations. These capabilities enable manufacturers t o detect anomalous conditions in their operating environments to mitigate malware attacks and other threats to the integrity of critical operational data. NIST’s NCCoE and EL have mapped these demonstrated ca