Real-Time Threat Detection using SIEM for Industrial IoT Protocols

dc.contributor.author: Heino, Timi
dc.contributor.department: Department of Computing (fi: Tietotekniikan laitos)
dc.contributor.faculty: Faculty of Technology (fi: Teknillinen tiedekunta)
dc.contributor.studysubject: Information and Communication Technology (fi: Tietotekniikka)
dc.date.accessioned: 2025-06-30T21:05:40Z
dc.date.available: 2025-06-30T21:05:40Z
dc.date.issued: 2025-06-25
dc.description.abstract: The increasing integration of smart devices into industrial environments has led to the rapid growth of the Industrial Internet of Things, which introduces significant cybersecurity challenges due to the scale, heterogeneity, and limited security of many connected devices. Traditional security tools often fail to detect protocol-specific threats within IIoT networks, particularly in resource-constrained or legacy environments. To address this, the thesis investigates whether open-source technologies can offer a cost-effective yet capable solution for monitoring and securing IIoT communications. A virtualized test environment is constructed using VMware, in which an open-source SIEM system is deployed. The platform is enhanced with custom Suricata rules designed to detect anomalies in MQTT-based traffic, one of the most commonly used IIoT protocols. A packet crafting tool is used to simulate realistic attack scenarios, including Denial-of-Service, Brute Force, and Sybil attacks targeting MQTT communication. Traffic is monitored and analysed using features of the SIEM system. The results demonstrate that the SIEM solution is capable of accurately detecting and visualizing malicious IIoT traffic. Alerts are triggered in real time, and the system maintains stable performance under test conditions. However, limitations are observed in handling encrypted traffic, writing scalable and generalizable detection rules, and validating performance in more complex real-world environments. The findings confirm that open-source platforms can be configured into effective SIEM systems for IIoT use cases. Although more work is required to improve detection in encrypted or large-scale scenarios, this study highlights the practical viability of low-cost, open-source SIEM solutions in addressing emerging industrial cybersecurity threats.
dc.format.extent: 88
dc.identifier.olddbid: 199507
dc.identifier.oldhandle: 10024/182538
dc.identifier.uri: https://www.utupub.fi/handle/11111/12495
dc.identifier.urn: URN:NBN:fi-fe2025063075881
dc.language.iso: eng
dc.rights: This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
dc.rights.accessrights: avoin (open access)
dc.source.identifier: https://www.utupub.fi/handle/10024/182538
dc.subject: IIoT, MQTT, SIEM, SELKS, Scapy
dc.title: Real-Time Threat Detection using SIEM for Industrial IoT Protocols
dc.type.ontasot: Master's thesis (fi: Diplomityö)
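The abstract describes crafting MQTT CONNECT traffic with Scapy (Denial-of-Service, brute-force and Sybil scenarios) and detecting it with per-source Suricata rules. The following is an added example, not code from the thesis or from the SELKS/Suricata projects: it builds and parses MQTT 3.1.1 CONNECT frames by hand (no Scapy dependency, so it runs offline) and applies three per-source sliding-window rules of the same shape a Suricata signature would express with `mqtt.type:CONNECT` plus `threshold: type threshold, track by_src, count N, seconds S`. The IP addresses, client IDs, credentials and thresholds are constructed for the demonstration and are not the thesis's test values or rules.

```python
# Added example, not from the thesis: MQTT 3.1.1 CONNECT encoder/decoder and a
# per-source threshold detector for CONNECT flood, credential guessing and
# Sybil-style identity churn. All traffic below is constructed, not captured.
from collections import defaultdict, deque

CONNECT = 0x10  # control packet type 1 in the high nibble, reserved flags 0


def _field(s: str) -> bytes:
    """MQTT length-prefixed UTF-8 string (2-byte big-endian length)."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def _encode_len(n: int) -> bytes:
    """Variable-length Remaining Length: 7 bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keep_alive=60, clean_session=True):
    """Bytes of an MQTT 3.1.1 CONNECT packet (what a Scapy MQTT layer would emit)."""
    flags = 0x02 if clean_session else 0x00          # bit 1: clean session
    flags |= 0x80 if username is not None else 0      # bit 7: user name present
    flags |= 0x40 if password is not None else 0      # bit 6: password present
    body = _field("MQTT") + bytes([4, flags]) + keep_alive.to_bytes(2, "big") + _field(client_id)
    if username is not None:
        body += _field(username)
    if password is not None:
        body += _field(password)
    return bytes([CONNECT]) + _encode_len(len(body)) + body


def parse_connect(pkt: bytes) -> dict:
    """Decode a CONNECT packet into its fields; raise ValueError on malformed input."""
    if not pkt or pkt[0] != CONNECT:
        raise ValueError("not a CONNECT packet")
    length, mult, i = 0, 1, 1
    while True:  # decode Remaining Length (at most 4 bytes)
        if i >= len(pkt) or mult > 128 ** 3:
            raise ValueError("bad remaining length")
        length += (pkt[i] & 0x7F) * mult
        mult *= 128
        i += 1
        if not pkt[i - 1] & 0x80:
            break
    body = pkt[i:i + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    pos = 0

    def take() -> str:
        nonlocal pos
        n = int.from_bytes(body[pos:pos + 2], "big")
        if pos + 2 + n > len(body):
            raise ValueError("truncated field")
        s = body[pos + 2:pos + 2 + n].decode("utf-8")
        pos += 2 + n
        return s

    if take() != "MQTT":
        raise ValueError("not an MQTT protocol name")
    if len(body) < pos + 4 or body[pos] != 4:
        raise ValueError("unsupported protocol level or truncated header")
    flags = body[pos + 1]
    keep_alive = int.from_bytes(body[pos + 2:pos + 4], "big")
    pos += 4
    info = {"client_id": take(), "keep_alive": keep_alive, "clean_session": bool(flags & 0x02)}
    info["username"] = take() if flags & 0x80 else None
    info["password"] = take() if flags & 0x40 else None
    return info


class ConnectMonitor:
    """Per-source sliding windows, like Suricata's 'threshold ... track by_src'.
    Each rule fires once when its count first reaches the threshold inside the window."""

    def __init__(self, window=10.0, flood=20, guesses=10, identities=10):
        self.window, self.flood, self.guesses, self.identities = window, flood, guesses, identities
        self.seen = defaultdict(deque)  # src -> deque of (ts, client_id, has_password)

    def feed(self, ts: float, src: str, pkt: bytes) -> list:
        info = parse_connect(pkt)
        q = self.seen[src]
        q.append((ts, info["client_id"], info["password"] is not None))
        while q and ts - q[0][0] > self.window:  # expire events outside the window
            q.popleft()
        alerts = []
        if len(q) == self.flood:                                  # DoS: CONNECT flood
            alerts.append(("MQTT CONNECT flood (possible DoS)", src))
        if sum(1 for _, _, pw in q if pw) == self.guesses:        # brute force: password guessing
            alerts.append(("MQTT credential guessing (brute force)", src))
        if len({cid for _, cid, _ in q}) == self.identities:      # Sybil: identity churn
            alerts.append(("MQTT many client IDs from one host (Sybil)", src))
        return alerts


def run_demo() -> list:
    """Replay constructed traffic: one legitimate sensor, a password guesser, an identity churner."""
    mon = ConnectMonitor(window=10.0, flood=20, guesses=10, identities=10)
    alerts = []
    alerts += mon.feed(0.0, "10.0.0.5", build_connect("sensor-01", "plc", "s3cret"))
    for i in range(25):   # brute force: fixed client ID, password changes every attempt
        alerts += mon.feed(1.0 + i * 0.2, "10.0.0.66", build_connect("evil", "admin", f"pw{i}"))
    for i in range(30):   # Sybil: a fresh client identity on every CONNECT
        alerts += mon.feed(2.0 + i * 0.1, "10.0.0.77", build_connect(f"node-{i:03d}"))
    return alerts


if __name__ == "__main__":
    for name, src in run_demo():
        print(f"ALERT {name} from {src}")
```

The "== threshold" test makes each rule fire on the first crossing within the window, so a sustained attack produces one alert per rule rather than one per packet; the credential rule only counts CONNECTs that carry a password, so a plain CONNECT flood is reported as DoS but not as brute force. Note the limitation the abstract states: this works on cleartext MQTT (port 1883); over TLS the CONNECT body is opaque and only connection-rate rules remain.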

Files

Name: Heino_Timi_thesis.pdf
Size: 605.72 KB
Format: Adobe Portable Document Format