Cybersecurity (Credit: Adobe Stock)

BAS/CS™: Behavioral Alerting Sets for Control Systems

Our Contribution

Standardizing Industrial Cyber Analytics

Cyberattacks on industrial control systems (ICS)—which power essential services like electricity, water, and transportation—are on the rise. In recent years, cyber threats targeting infrastructure have increased significantly.

To address these evolving threats, APL developed the Behavioral Alerting Sets for Control Systems (BAS/CS™) framework. This advanced cybersecurity solution strengthens defenses by analyzing behaviors, tagging system events, and applying sophisticated rules to detect real threats while reducing false alarms.

BAS/CS™ can be implemented in existing security information and event management capabilities or analytics platforms, helping mitigate cyber threats in real-time. By implementing BAS/CS™, organizations can enhance national resilience and ensure the safety of critical infrastructure against increasingly sophisticated cyber adversaries.

Related Areas of Impact

Mission Area

How BAS/CS™ Works

Example of a cyberattack

Attack

Cyberattack begins on an operational technology (OT) network. The advanced persistent threat (APT) executes a script on an engineering workstation, resulting in OT protocol commands transmitted over the network to the programable logic controller (PLC). These commands change values on the PLC and can impair process control.

Watch: Cyberattack Detection
Behavior Tagging

Tagging

Monitoring of the workstation and the network generate unique events corresponding to the APT activities. These vendor specific events are tagged with an agnostic BAS/CS™ behavior tag, normalizing the event data for further analysis. The detected APT actions were tagged with New Command/Scripting (PRO03) and OT Write Command (IDS04) behaviors.

Behavior Tagging
Correlation Alert

Alerting

The BAS/CS™ correlation rules logically evaluate behavior tags across a window of time and the systems affected. When a set of behaviors are identified, an alert is triggered. The New Command/Scripting (PRO03) and OT Write Command (IDS04) behaviors correlated with the workstation triggers an Unexpected OT Command and Control Shell Alert (BAS 8.2), which is raised to the defenders of this system. 

Alert Examples
Previous slide Next slide

Industrial control system network connectivity is critical to the operation and management of facilities and their processes. Cyberattacks against the network itself can have widespread and severe consequences, endangering the safety of operators, halting critical operations, and resulting in costly downtime.

Alexander Beall Control System Cybersecurity Researcher, Cyber Operations Mission Area
Alexander Beall
An industrial security professional looks at a computer screen to monitor alerts provided by BAS/CS.

Behavior Tagging

Definitions

BAS/CS™ behavior tagging provides broad behavioral groupings to categorize the types of events sensors may generate. Learn more about identifying BAS/CS™ tags and see examples of alerts.

Explore BAS/CS™ Definitions
Contact Us
A group of APL staff members work together in a computer lab

Let’s Solve the Nation’s Challenges Together

APL meets critical national challenges through the innovative application of science and technology.

Contact us to learn more about our work.


Learn more about Let’s Solve the Nation’s Challenges Together

Related Video

Protecting Critical Infrastructure: Detection, Identification, and Response

Play Video
Related Work
Water treatment facility

MOSAICS: Cyber Defense for Industrial Control Systems

APL is leading the development of the first-ever comprehensive, integrated, and automated solution for industrial control system cybersecurity.
Learn more about MOSAICS: Cyber Defense for Industrial Control Systems
Related Labs and Facilities
CYPRESS Laboratory

CYPRESS Lab

CYPRESS (Cyber-Physical Resilient Systems Solutions) Laboratory is a premier facility where our nation’s most critical industrial control systems are evaluated, tested, and reimagined to survive any type of attack or failure. CYPRESS features a collection of reconfigurable, high-fidelity testbeds spanning a diverse set of critical infrastructure sectors including wastewater treatment, transportation, and power systems.

About CYPRESS Lab
Explore APL Labs

Related Expertise

Critical Infrastructure ProtectionCyber-Physical SecurityInformation SystemsSoftware Development and Electronics
Related Areas of Impact

Mission Area