This collection of resources, from the Cybersecurity Education for Advanced Manufacturing Organizations project, is a part of the Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Scenario. This scenario is a training module that focuses on using IDS/IPS to monitor and protect industrial networks from cyberattacks. Participants will learn to configure an IDS/IPS, understand their functionalities, and observe how these systems can prevent attacks on industrial devices like PLCs and OPC servers.

Collection Description:

This scenario includes a PowerPoint presentation, a lab overview, a lab, lab questions and answers, a list of best practices, and a list of related videos. The presentation covers using IDS and IPS to identify or prevent industrial network attacks, explaining their differences, use cases, and functionalities. It covers network-based versus host-based IDS/IPS, and signature-based versus anomaly-based IDS/IPS, highlighting the importance of recognizing false positives and false negatives. PDF and PowerPoint versions are included.

The 3-page lab overview includes a summary, learning outcomes, a list of systems used, a general lab description, a setup and deploy diagram, and a list of resources for further information. The lab focuses on training participants to configure and utilize Intrusion Detection and Prevention Systems (IDS/IPS) to monitor and protect industrial control systems from cyber threats. Participants will learn the differences between IDS and IPS, explore various monitoring techniques, and engage in hands-on activities to observe how these systems can prevent attacks on critical industrial devices. PDF and Word versions are included.

The 21-page lab includes a scenario overview and lab instructions. The main steps of the lab include setting up an industrial control system (ICS) environment using virtual machines, configuring network settings, and enabling an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) using Snort to monitor and secure the network traffic. Systems are also tested by simulating a hacker's access to observe data visibility and the effectiveness of security measures. PDF and Word versions are included.

The 2-page lab form questions ask for screenshots as evidence of configurations and tests performed on IDS/IPS systems, and they require analysis of system behavior after implementing security measures, as well as considerations for deploying IDS/IPS in a critical industrial control system (ICS) environment. An answer sheet is also provided. PDF and Word versions are included.

For orientation purposes, the IDS-IPS-Overview.pdf is included as a separate attachment and offers a sample of the type of material included in this learning module.

Below is a list of the files contained within the .zip attachment. The size of each file is included in parentheses.

ids-ips-ate (15 files, 11.6 MB)

  • Using IDS/IPS to Identify or Prevent Industrial Network Attacks (IDS-IPS-Background.pdf 236 KB)
  • Using IDS/IPS to Identify or Prevent Industrial Network Attacks (IDS-IPS-Background.pptx 2.3 MB)
  • IDS-IPS-Best Practices (IDS-IPS-BestPractices.docx 13 KB)
  • IDS-IPS-Best Practices (IDS-IPS-BestPractices.pdf 85 KB)
  • IDS/IPS Lab Form Answers (IDS-IPS-lab-answers.doc 492 KB)
  • IDS/IPS Lab Form Answers (IDS-IPS-lab-answers.pdf 403 KB)
  • IDS/IPS Lab Form Questions (IDS-IPS-lab-form.doc 45 KB)
  • IDS/IPS Lab Form Questions (IDS-IPS-lab-form.pdf 86 KB)
  • IDS/IPS Lab (ids-ips-lab.docx 4.5 MB)
  • IDS/IPS Lab (ids-ips-lab.pdf 2.1 MB)
  • IDS-IPS Overview (IDS-IPS-Overview.docx 1 MB)
  • IDS-IPS Overview (IDS-IPS-Overview.pdf 242 KB)
  • IDS-IPS Videos (ids-ips-Videos.docx 14 KB)
  • IDS-IPS Videos (ids-ips-Videos.pdf 21 KB)