Pre-print
NFV-driven intrusion detection for smart manufacturing
Daniel Behnke*, Marcel Müller*, Patrick-Benjamin Bök*, Stefan Schneider†, Manuel Peuster†, Holger Karl†, Alberto Rocha‡, Miguel Mesquita‡, and José Bonnet‡
* Weidmüller Group: {daniel.behnke, marcel.mueller, patrick-benjamin.boek}@weidmueller.com
† Paderborn University: stefan.schneider@upb.de, manuel.peuster@upb.de, holger.karl@upb.de
‡ Altice Labs: {alberto.rocha, miguel.mesquita, jose.bonnet}@alticelabs.com
Abstract—The significant progress in softwarization of hardware components with technologies like Network Function Virtualization (NFV) enables manifold applications for the industry, especially for smart manufacturing. The gained agility and flexibility leverage data gathering and analysis. In this work, we focus on a very important precondition for networked manufacturing: cyber security. We provide concepts and a first proof-of-work for a cloud-native NFV-driven Intrusion Detection System using Kubernetes, stating the challenges we solved during the process and the software tools used. We focus on traffic monitoring and filtering to enable certain guidelines that ensure the integrity of the factory network through an automatic reconfiguration of the Network Services.
I. INTRODUCTION
The ongoing trend of increasing digitalization in manufacturing leverages automation and facilitates gathering and analyzing data to optimize the manufacturing processes. Key enablers in terms of enhanced communication systems are 5G and Network Function Virtualization (NFV) [1]. With NFV, smart manufacturing scenarios can be softwarized and implemented as flexible network services consisting of interconnected virtual network functions (VNFs), which can run on commodity servers.
In recent years, first research has been started on 5G and especially NFV usage in manufacturing. Existing work focuses on the potential benefits and architecture concepts [2], [3]. Now, testbeds and first experiments are the obvious continuation.
Besides proving the usability of NFV technology for smart manufacturing, common challenges experienced by all companies that drive digitalization have to be addressed. An important challenge is cyber security: protecting data and data transmissions to avoid loss of data and prevent potential attacks on the manufacturing. The Federal Office for Information Security in Germany lists manifold threats for companies, such as malware or hacking attacks, in [4]. Intrusion Detection Systems (IDS), which have gained significant attention from researchers in recent years, are one solution to detect ongoing attacks and react to them accordingly. In [5], the authors present a multi-agent approach for hybrid intrusion detection in industrial networks. They create network analysis agents using Zeek¹ on Raspberry Pi, which indicates that this approach is based on additional hardware. In [6], the authors propose an IEC 61499 Service Interface Function Blocks (SIFB) based Network Intrusion Detection and Prevention System (IDPS) solution to protect programmable logic controllers (PLCs), where the security functions are provided through SIFB executing Snort².
¹ https://www.zeek.org/
[Figure 1: diagram with elements labeled NS2, Cloud, and Shadow and numbered steps 1 to 4]
Fig. 1: A softwarized IDS detects a potential threat; NFV technology facilitates isolating the machine and re-routing the data.
Leveraging the experience of Weidmüller Group³, a large-scale manufacturer, we previously designed an NFV-based architecture for smart manufacturing with multiple use cases [7], [8]. This work is done in the framework of the Horizon2020 research project 5GTANGO. The system architecture, consisting of a verification & validation platform, an SDK, and a service platform for the management and orchestration of all Network Services, is introduced in [9].
We demonstrated the scalability of our architecture by emulating several interconnected and globally distributed factories that use our developed network services simultaneously [10].
The work has shown how NFV might be used in manufacturing in general. The focus of this work is on the specific use case of intrusion detection. IT security, and here especially cyber security, is a major concern of companies connecting
² https://www.snort.org/
³ https://www.weidmueller.com
This work has been accepted for publication in 2019 IEEE Conference on Network Function Virtualization and Software
Defined Networks (NFV-SDN).
Copyright © 2019 by IEEE.
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including
reprinting/republishing this material for advertising or promotional purposes, collecting new collected works for resale or
redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.