The Four Types of Threat Detection With Case-Studies in Industrial Control Systems (ICS)

By Sergio Caltagirone and Robert M. Lee

There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. The purpose of this paper is to address those challenges by identifying the four types of threat detection and offering sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments.

Threat Detection: The Most Important Function

Threat detection is one of the three core cybersecurity functions, along with prevention and response, but it plays an outsized role as arguably the most important of the three in an “assume breach” world. Prevention is critical for reducing the noise from common threats, but a sufficiently determined adversary will eventually defeat it. Without detection, an adversary can dwell in an environment with near-complete freedom of movement and cause significant disruption at a time of their choosing. Good detection enables better response, and good response enables better prevention through root cause analysis.

Detection in industrial networks can help an organization avoid significant financial impact, environmental damage, loss of safety, or an inappropriate response plan when the cyber component of a disruption is not understood. Historically, detection has been positioned in numerous ways, focusing either on the type of threat being detected (targeted threats versus cybercrime, for example) or on the tools and technologies used to facilitate detection, such as security information and event management (SIEM) rules, intrusion detection system (IDS) rules, machine learning models, and user and entity behavior analytics (UEBA). But not all detection is equivalent, and no single approach fits every scenario and application, so the detection method should be matched to the application. The following sections provide guidance for defenders on the detection types and their applications so that threats can be found and defeated earlier.
