Through the eye of the PLC
- 8 December 2014
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
Off-the-shelf intrusion detection systems are an ill fit for protecting industrial control systems, because they do not take the semantics of the physical process into account. In particular, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to the corresponding process variables and derives variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
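The pipeline the abstract sketches, written out as an added illustration rather than the paper's own code or data: register writes are extracted from Modbus/TCP "write single register" (function code 06) frames, each (unit, register) pair becomes one process variable, and a variable-specific model is learned from a training window and used to judge later writes. The choice of an enumeration model for variables with few distinct values and a least-squares AR(1) model for continuous ones, the thresholds (ENUM_MAX_DISTINCT, K_SIGMA, RESIDUAL_FLOOR), and all traffic below are this example's assumptions, not the paper's method or recordings.

```python
"""Per-variable prediction models over PLC register writes seen on the wire.

Illustrative detector (added example, not the paper's implementation):
extract variable updates from Modbus/TCP FC06 frames, learn one model per
variable, flag writes the model does not predict. Model classes, thresholds
and sample traffic are assumptions made for this example.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

FC_WRITE_SINGLE_REGISTER = 0x06  # Modbus function code 06
ENUM_MAX_DISTINCT = 4   # assumption: <= 4 distinct training values -> enumeration model
K_SIGMA = 3.0           # assumption: alarm beyond 3 residual standard deviations
RESIDUAL_FLOOR = 10     # assumption: tolerance never tighter than 10 raw units


def build_fc06(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Encode a Modbus/TCP write-single-register request: MBAP header + PDU."""
    # MBAP: transaction id, protocol id 0, remaining length (unit id + 5-byte PDU), unit id
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_WRITE_SINGLE_REGISTER, addr, value)


def parse_fc06(frame: bytes):
    """Return (unit, addr, value) for an FC06 request; None for any other frame."""
    if len(frame) != 12:
        return None
    _tid, proto, length, unit, fc, addr, value = struct.unpack(">HHHBBHH", frame)
    if proto != 0 or length != 6 or fc != FC_WRITE_SINGLE_REGISTER:
        return None
    return unit, addr, value


@dataclass
class VariableModel:
    kind: str                      # "enum" or "ar1"
    allowed: frozenset = frozenset()
    a: float = 0.0                 # AR(1) slope
    b: float = 0.0                 # AR(1) intercept
    sigma: float = 0.0             # std dev of training residuals
    last: Optional[float] = None   # most recent value the PLC accepted


def fit_ar1(xs):
    """Least-squares AR(1): x[t] ~ a * x[t-1] + b, plus residual std dev."""
    prev, nxt = xs[:-1], xs[1:]
    n = len(prev)
    mp, mn = sum(prev) / n, sum(nxt) / n
    var = sum((p - mp) ** 2 for p in prev)
    cov = sum((p - mp) * (q - mn) for p, q in zip(prev, nxt))
    a = cov / var if var else 0.0
    b = mn - a * mp
    resid = [q - (a * p + b) for p, q in zip(prev, nxt)]
    sigma = (sum(r * r for r in resid) / n) ** 0.5
    return a, b, sigma


def train(frames):
    """Group writes per (unit, register) and fit one model per variable."""
    series = defaultdict(list)
    for frame in frames:
        parsed = parse_fc06(frame)
        if parsed:
            unit, addr, value = parsed
            series[(unit, addr)].append(value)
    models = {}
    for key, xs in series.items():
        distinct = frozenset(xs)
        if len(distinct) <= ENUM_MAX_DISTINCT or len(xs) < 3:
            models[key] = VariableModel("enum", allowed=distinct, last=xs[-1])
        else:
            a, b, sigma = fit_ar1(xs)
            models[key] = VariableModel("ar1", a=a, b=b, sigma=sigma, last=xs[-1])
    return models


def check(models, frame):
    """Return an alert string for an unpredicted write, else None; track state."""
    parsed = parse_fc06(frame)
    if parsed is None:
        return None
    unit, addr, value = parsed
    m = models.get((unit, addr))
    if m is None:
        return f"unit {unit} reg {addr}: write to a register never written in training"
    if m.kind == "enum":
        alert = None if value in m.allowed else (
            f"unit {unit} reg {addr}: value {value} outside learned set {sorted(m.allowed)}")
    else:
        pred = m.a * m.last + m.b
        tol = max(K_SIGMA * m.sigma, RESIDUAL_FLOOR)
        alert = None if abs(value - pred) <= tol else (
            f"unit {unit} reg {addr}: value {value} deviates {abs(value - pred):.1f} "
            f"from predicted {pred:.1f} (tolerance {tol:.1f})")
    m.last = value   # the PLC accepted the write, so the tracked process state moves
    return alert


def run(training, live):
    models = train(training)
    return [a for a in (check(models, f) for f in live) if a]


# Constructed sample traffic (not from any plant): three registers on unit 1.
# reg 100: pump speed setpoint, always 50; reg 200: mode, 1 = manual / 2 = auto;
# reg 300: tank level x10, a slowly rising trend with sensor noise.
TRAINING = (
    [build_fc06(t, 1, 100, 50) for t in range(10)]
    + [build_fc06(10 + t, 1, 200, v) for t, v in enumerate([1, 2, 2, 1, 1, 2, 1, 2, 2, 1])]
    + [build_fc06(20 + t, 1, 300, v)
       for t, v in enumerate([100, 121, 139, 162, 178, 201, 220, 239, 261, 280])]
)
LIVE = [
    build_fc06(30, 1, 100, 50),    # normal
    build_fc06(31, 1, 200, 3),     # mode value never seen
    build_fc06(32, 1, 300, 300),   # follows the learned trend
    build_fc06(33, 1, 300, 950),   # jump no AR(1) step predicts
    build_fc06(34, 1, 100, 75),    # setpoint moved from its only known value
    build_fc06(35, 1, 400, 1),     # register nobody wrote during training
]

if __name__ == "__main__":
    for alert in run(TRAINING, LIVE):
        print("ALERT", alert)
```

In a deployment the training window comes from a capture of normal operation, and the frame source is a passive tap rather than a list; the point of the per-variable split is that a constant setpoint, an enumerated mode and a continuous measurement each get a model that matches how that variable actually behaves, so a write that a generic protocol-level detector would consider well-formed is still judged against the process.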
Funding Information
- Seventh Framework Programme (FP7-SEC-285477-CRISALIS, FP7-SEC-607093-PREEMPTIVE)
- Division of Computer and Network Systems (CNS-1314973)