Exception Reporting in Industrial Networks: Importance & Examples

Instructor: Srinivasa krishna Goparaju
In this lesson, we will learn about exception reporting and its importance in industrial networks. We will briefly study automatic and manual exceptions and also see a few examples of exception reporting.

Exception Reporting in Industrial Networks

Suppose you go to an ATM to withdraw money and enter your details. The ATM displays a message that the transaction was successful, but does not dispense any cash. You also get a message that the amount has been deducted from your bank account. This is a deviation from the usual behavior of an ATM. This type of behavior is called an exception.

Industrial networks consist of multiple computer systems and devices that control and monitor mission-critical operations in industries such as power, oil refineries, hospitals, nuclear facilities, and other manufacturing industries. They are isolated from outside networks to prevent any interruptions in their operations. However, due to changing business needs, they are being integrated with enterprises' IT networks and are thus exposed to cyber threats. Any disruption in operations due to a security breach in these networks can cause havoc and result in immense financial loss, loss of property, or loss of human lives.

Industrial networks are protected against cyber attacks with stringent communication policies and standard operating procedures which are enforced by firewalls, application monitors, intrusion prevention systems, sensors and other devices. In case of any suspicious activity or abnormal behavior of the devices in the network, an alert is raised either automatically or manually.

Systematic or Automatic Exception Reporting

In systematic exception reporting, a computer system or device automatically triggers an alert to the security administrator when it observes any activity in the network which is not in conformity with the prescribed communication policies and standard operating procedures (SOP).

Consider the following scenarios.

Scenario 1:

A user is trying to copy data onto a USB drive from a system which controls a critical process in production. This is a prohibited activity as per SOP.

Scenario 2:

A communication is happening between a highly secured industrial control system and an enterprise server connected to the internet. This type of communication is not allowed as per communication policy.

In both the above scenarios, the automated system will trigger an alert to the administrator about deviations from standard procedures which may be potential attempts at intrusion and attack. Specialized software applications such as security information and event management (SIEM) systems and network behavior anomaly detection (NBAD) tools can be used to trigger the alert.

Manual Exception Reporting

In manual exception reporting, any behavior anomaly in the network is captured by comparing the network's expected behavior with the monitored behavior. This comparison is done by continuous monitoring or log review.

Various devices in the network generate logs during regular operations. These logs are configured to contain vital information such as source system/IP address, destination system/IP address, user, type of operation, time taken to complete the operation, etc. These details are used for monitoring the network.

A list of authorized users, authorized operations, applications and devices allowed in the network is maintained. This list is known as a white list. During network monitoring and log analysis, users, operations and devices involved in network activities are compared with those in the white list and any deviations are reported.

A list of baseline metrics such as traffic volume, total logons and logoffs, total unique function codes, etc., with permissible values, is also maintained. This list is compared with actual values of metrics captured during monitoring to detect any abnormal behavior and raise an exception.

For example, a ping operation to a SCADA system is taking an unusually long time. This might be an indication of a network anomaly and a potential risk. This behavior can be observed through real time monitoring or by reviewing the logs generated by the system.
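
The white list and baseline comparisons described above can be sketched as a small log review script. This is an added example, not part of the original lesson; the record layout, user names, IP addresses, operation names and baseline limits are all constructed assumptions.

```python
from collections import Counter

# Constructed white list of authorized users, devices and operations (assumed values).
WHITELIST = {
    "users": {"op_anna", "eng_raj"},
    "devices": {"10.10.1.5", "10.10.1.20"},
    "operations": {"logon", "logoff", "read_coils", "write_register"},
}
# Constructed baseline: metric -> (lowest, highest) permissible value per review window.
BASELINE = {
    "logons": (0, 3),
    "unique_function_codes": (1, 2),
    "max_duration_ms": (0, 200),
}
# Constructed log records: source, destination, user, operation, duration in ms.
SAMPLE_LOG = """\
10.10.1.5 10.10.1.20 op_anna logon 12
10.10.1.5 10.10.1.20 op_anna read_coils 35
10.10.1.5 10.10.1.20 op_anna write_register 40
192.168.50.7 10.10.1.20 eng_raj read_coils 38
10.10.1.5 10.10.1.20 guest diagnostics 900
"""

def review(text):
    """Return (line number or None, reason) for every deviation found in the log."""
    exceptions, records = [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            exceptions.append((n, "malformed record"))  # report, never skip silently
            continue
        src, dst, user, op, dur = *parts[:4], int(parts[4])
        records.append((op, dur))
        for kind, value in (("devices", src), ("devices", dst),
                            ("users", user), ("operations", op)):
            if value not in WHITELIST[kind]:
                exceptions.append((n, f"{value} not in white-listed {kind}"))
    ops = Counter(op for op, _ in records)
    metrics = {  # window-level metrics; non-session operations count as function codes
        "logons": ops["logon"],
        "unique_function_codes": len(set(ops) - {"logon", "logoff"}),
        "max_duration_ms": max((d for _, d in records), default=0),
    }
    for name, value in metrics.items():
        low, high = BASELINE[name]
        if not low <= value <= high:
            exceptions.append((None, f"{name}={value} outside baseline {low}-{high}"))
    return exceptions
```

Calling `review(SAMPLE_LOG)` reports the unknown source device on line 4, the unauthorized user and operation on line 5, and two window-level baseline deviations (too many distinct function codes and an unusually slow operation).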

Examples of Exception Reporting and Response
