Through the eye of the PLC: semantic security monitoring for industrial processes

August 2013

New Scientific Publication online:
Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems

Attacks on industrial control systems remain rare overall, yet they may carefully target their victims. A articularly challenging threat consists of adversaries aiming to change a plant’s *process flow*. A prominent example of such a threat is Stuxnet, which manipulated the speed of centrifuges to operate outside of their permitted range. Existing intrusion detection approaches fail to address this type of threat. In this paper we propose a novel network monitoring approach that takes process semantics into account by (1) extracting the value of process variables from network traffic, (2) characterizing types of variables based on the behavior of time series, and (3) modeling and monitoring the regularity of variable values over time. We implement a prototype system and evaluate it with real‐world network traffic from two operational water treatment plants. Our approach is a first step towards devising intrusion detection systems that can detect semantic attacks targeting to tamper with a plant’s physical processes.