Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems
Title | Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems |
Publication Type | Technical Report |
Year of Publication | 2013 |
Authors | Hadziosmanovic, D., Sommer R., Zambon E., & Hartel P. |
Other Numbers | 3467 |
Abstract | Attacks on industrial control systems remain rare overall, yet they may carefully target their victims. A particularly challenging threat consists of adversaries aiming to change a plant's *process flow*. A prominent example of such a threat is Stuxnet, which manipulated the speed of centrifuges to operate outside of their permitted range. Existing intrusion detection approaches fail to address this type of threat. In this paper we propose a novel network monitoring approach that takes process semantics into account by (1) extracting the value of process variables from network traffic, (2) characterizing types of variables based on the behavior of time series, and (3) modeling and monitoring the regularity of variable values over time. We implement a prototype system and evaluate it with real-world network traffic from two operational water treatment plants. Our approach is a first step towards devising intrusion detection systems that can detect semantic attacks targeting to tamper with a plant's physical processes. |
Acknowledgment | This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-1032889 and CNS-1314973. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
URL | http://www.icsi.berkeley.edu/pubs/techreports/TR-13-003.pdf |
Bibliographic Notes | ICSI Technical Report TR-13-003 |
Abbreviated Authors | D. Hadziosmanovic, R. Sommer, E. Zambon, and P. Hartel |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Technical Report |