Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems

TitleThrough the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems
Publication TypeTechnical Report
Year of Publication2013
AuthorsHadziosmanovic, D., Sommer R., Zambon E., & Hartel P.
Other Numbers3467
Abstract

Attacks on industrial control systems remain rare overall, yet they may carefully target theirvictims. A particularly challenging threat consists of adversaries aiming to change a plant's*process flow*. A prominent example of such a threat is Stuxnet, which manipulated the speedof centrifuges to operate outside of their permitted range. Existing intrusion detectionapproaches fail to address this type of threat. In this paper we propose a novel networkmonitoring approach that takes process semantics into account by (1) extracting the value ofprocess variables from network traffic, (2) characterizing types of variables based on thebehavior of time series, and (3) modeling and monitoring the regularity of variable values overtime. We implement a prototype system and evaluate it with real?world network traffic fromtwo operational water treatment plants. Our approach is a first step towards devising intrusiondetection systems that can detect semantic attacks targeting to tamper with a plant's physicalprocesses.

Acknowledgment

This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS- 1032889 and CNS- 1314973. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

URLhttp://www.icsi.berkeley.edu/pubs/techreports/TR-13-003.pdf
Bibliographic Notes

ICSI Technical Report TR-13-003

Abbreviated Authors

D. Hadziosmanovic, R. Sommer, E. Zambon, and P. Hartel

ICSI Research Group

Networking and Security

ICSI Publication Type

Technical Report