CPS: Through the Eye of the PLC: Semantic Security Monitoring for Industrial Processes

Off-the-shelf intrusion detection systems prove an ill fit for protecting
industrial control systems, as they do not take their process semantics into
account. Specifically, current systems fail to detect recent process
control attacks that manifest as unauthorized changes to the configuration of
a plant's programmable logic controllers(PLCs). In this work we present a
detector that continuously tracks updates to corresponding process variables
to then derives variable-specific models as the basis for assessing
future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates
from the devices' network communication. We evaluate the capabilities of our
detection approach with traffic recorded at two operational water treatment
plants serving a total of about one million people in two urban areas. We show
that the proposed approach can reliably detect direct attacks on process
control, and we further explore its potential to identify more sophisticated
indirect attacks on field device measurements as well.

Author(s):

Dina Hadziosmanovic    
Delft University of Technology
Netherlands

Robin Sommer    
International Computer Science Institute
United States

Emmanuele Zambon    
University of Twente
Netherlands

Pieter Hartel    
University of Twente
Netherlands