With the escalating threat posed by cyberattacks on Industrial Control Systems (ICSs), the development of customized Industrial Intrusion Detection Systems (IIDSs) has received significant attention in research. While the existing literature proposes effective IIDS solutions evaluated in controlled environments, their deployment in real-world industrial settings poses several challenges. This paper highlights two critical yet often overlooked aspects that significantly impact their practical deployment: the need for sufficient amounts of data to train the IIDS models, and the difficulty of finding suitable hyperparameters, especially for IIDSs trained only on genuine ICS data. Through empirical experiments conducted on multiple state-of-the-art IIDSs and diverse datasets, we establish how critical these issues are to deploying IIDSs. Our findings show that supervised IIDSs require extensive malicious training data, which can be impractical given the complexity of recording and labeling attacks in actual industrial environments. Furthermore, while other IIDSs circumvent this issue by requiring only benign training data, they can suffer from the difficulty of setting appropriate hyperparameters, which likewise diminishes their performance. By shedding light on these challenges, which might be one reason why IIDSs see so few deployments, we aim to enhance the understanding of the limitations and considerations necessary for deploying effective cybersecurity solutions in ICSs.