The complexity and scale of critical infrastructures, their strong security requirements and increasing costs require comprehensive methodologies for provisioning cost-effective distributed intrusion detection systems. This paper introduces a novel framework for designing resilient distributed intrusion detection systems. The framework leverages the output of a risk assessment methodology to identify and rank critical communications flows. These flows are integrated in an optimization problem that minimizes the number of deployed detection devices while enforcing a shortest-path routing algorithm to minimize communications delays. The framework engages a resilient distributed intrusion detection design algorithm that accounts for the possibility that detection devices may be compromised or fail. The algorithm optimally positions detection devices to ensure that the infrastructure is resilient to at most K communications path failures. Experimental results demonstrate the effectiveness of the distributed intrusion detection design framework.