Through the eye of the PLC: semantic security monitoring for industrial processes

Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to the process variables that make up this configuration and derives from them variable-specific prediction models, which it then uses to assess future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
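The following is an added illustration of the idea in the abstract, not code from the paper or its authors: a minimal monitor that consumes a stream of (timestamp, variable, value) updates, as a passive protocol parser would emit them from polled PLC registers, learns one model per variable, and flags later updates the model does not predict. Variables with few distinct values get a set-of-seen-values model; the rest get a least-squares AR(1) forecast with a residual-based tolerance. The stream, the variable names, and the parameters MAX_ENUM_VALUES, ABS_FLOOR and K_SIGMA are all constructed assumptions for this example, and the paper's actual models are not reproduced here.

```python
"""Per-variable prediction models over PLC process-variable updates (illustrative)."""
from collections import defaultdict
from statistics import mean, pstdev

MAX_ENUM_VALUES = 5   # assumed: at most this many distinct values -> enumerated/constant model
ABS_FLOOR = 0.5       # assumed engineering tolerance added to every continuous bound
K_SIGMA = 3.0         # assumed residual multiplier for the prediction interval

# Constructed training stream (not real plant data): a level that wobbles around 50,
# a pump mode that alternates 0/1, and a setpoint that never changes.
_NOISE = [0.0, 0.5, -0.3, 0.2, -0.4, 0.1, -0.2, 0.3, -0.1, 0.4]
TRAINING = []
for _t, _n in enumerate(_NOISE * 3):
    TRAINING.append((_t, "tank_level", 50.0 + _n))
    TRAINING.append((_t, "pump_mode", _t % 2))
    TRAINING.append((_t, "setpoint_high", 75.0))

# Constructed detection-phase stream: benign updates interleaved with three
# injected ones (a level jump, an unseen mode, a rewritten setpoint).
TEST_UPDATES = [
    (100, "tank_level", 50.2), (100, "pump_mode", 1), (100, "setpoint_high", 75.0),
    (101, "tank_level", 80.0), (101, "pump_mode", 2), (101, "setpoint_high", 95.0),
    (102, "tank_level", 49.8),
]


def fit_models(updates):
    """Learn one model per variable from a time-ordered update stream."""
    series = defaultdict(list)
    for _, var, val in sorted(updates, key=lambda u: u[0]):
        series[var].append(val)
    models = {}
    for var, xs in series.items():
        distinct = set(xs)
        if len(distinct) <= MAX_ENUM_VALUES:
            # Few distinct values: any value never observed is suspicious.
            models[var] = {"kind": "enum", "allowed": distinct}
            continue
        # Continuous variable: fit x_t = a * x_{t-1} + b by ordinary least squares.
        prev, cur = xs[:-1], xs[1:]
        mx, my = mean(prev), mean(cur)
        var_x = sum((p - mx) ** 2 for p in prev)
        cov = sum((p - mx) * (c - my) for p, c in zip(prev, cur))
        a = cov / var_x if var_x else 0.0
        b = my - a * mx
        resid = [c - (a * p + b) for p, c in zip(prev, cur)]
        models[var] = {
            "kind": "ar1", "a": a, "b": b,
            "tol": K_SIGMA * pstdev(resid) + ABS_FLOOR,  # prediction interval half-width
            "last": xs[-1],                              # state for the next forecast
        }
    return models


def check_update(models, var, value):
    """Return an alert string if the update contradicts the variable's model, else None."""
    m = models.get(var)
    if m is None:
        return f"{var}: variable never seen in training"
    if m["kind"] == "enum":
        if value in m["allowed"]:
            return None
        return f"{var}: value {value!r} never seen in training"
    predicted = m["a"] * m["last"] + m["b"]
    if abs(value - predicted) > m["tol"]:
        # Do not advance the state on a rejected value, so one injected reading
        # does not poison the next forecast; a sustained change keeps alerting.
        return f"{var}: {value} outside {predicted:.2f} +/- {m['tol']:.2f}"
    m["last"] = value
    return None


def detect(models, updates):
    """Run every update through its model and collect (timestamp, alert) pairs."""
    alerts = []
    for ts, var, value in updates:
        msg = check_update(models, var, value)
        if msg:
            alerts.append((ts, msg))
    return alerts


if __name__ == "__main__":
    for ts, msg in detect(fit_models(TRAINING), TEST_UPDATES):
        print(f"t={ts}: {msg}")
```

The two model kinds mirror the distinction the abstract implies between configuration-like variables, which should simply never take unseen values, and measured quantities, which need a forecast and a tolerance. A deployment would additionally have to decide when an operator-confirmed change should trigger re-learning, which this example leaves out.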
