Through the eye of the PLC: semantic security monitoring for industrial processes

D. Hadziosmanovic, Robin Sommer, Emmanuele Zambon, Pieter H. Hartel

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

49 Citations (Scopus)
105 Downloads (Pure)

Abstract

Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
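The abstract describes the detector's pipeline in one sentence: passively extract process-variable updates from the PLCs' network traffic, learn a model per variable, then judge later updates against that model. The following is an added illustration of that pipeline and is not the authors' code. It assumes Modbus/TCP "Write Single Register" (function code 6) as the protocol carrying the updates, uses constructed frames as both the training window and the test events, and uses two deliberately simple per-variable models of my own choosing (an allowed-value set for variables that take few distinct values, and an observed range plus maximum step for the rest). The paper's own model selection is richer than this; the point here is the shape of the approach, not its exact models. Only writes are modelled, so the "indirect attacks on field device measurements" the abstract mentions are out of scope for this snippet.

```python
import struct
from collections import defaultdict

MBAP_LEN = 7  # Modbus/TCP header: transaction id, protocol id, length, unit id


def build_write_single_register(unit: int, addr: int, value: int, tid: int = 1) -> bytes:
    """Build a Modbus/TCP ADU for function code 6 (constructed traffic for this example)."""
    pdu = struct.pack(">BHH", 6, addr, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def parse_write_single_register(frame: bytes):
    """Return (unit, register, value) for an FC 6 request, or None for anything else."""
    if len(frame) < MBAP_LEN + 5:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        return None
    fc, addr, value = struct.unpack(">BHH", frame[MBAP_LEN:MBAP_LEN + 5])
    if fc != 6:
        return None
    return unit, addr, value


class VariableModel:
    """Toy per-variable model (my choice, not the paper's): a variable with few
    distinct training values becomes an enumeration; otherwise it is bounded by
    its observed range and the largest step between consecutive updates."""
    ENUM_MAX_DISTINCT = 3

    def __init__(self):
        self.history = []

    def observe(self, value):
        self.history.append(value)

    def finalize(self):
        distinct = set(self.history)
        if len(distinct) <= self.ENUM_MAX_DISTINCT:
            self.kind, self.allowed = "enum", distinct
        else:
            self.kind = "continuous"
            self.lo, self.hi = min(self.history), max(self.history)
            steps = [abs(b - a) for a, b in zip(self.history, self.history[1:])]
            self.max_step = max(steps) if steps else 0
        self.last = self.history[-1]

    def check(self, value):
        """Return a reason string if the update is unexpected, else None."""
        if self.kind == "enum":
            return None if value in self.allowed else f"value {value} not in {sorted(self.allowed)}"
        reasons = []
        if not self.lo <= value <= self.hi:
            reasons.append(f"value {value} outside [{self.lo}, {self.hi}]")
        if abs(value - self.last) > self.max_step:
            reasons.append(f"step {abs(value - self.last)} exceeds {self.max_step}")
        self.last = value  # track the PLC's actual state even after an alert
        return "; ".join(reasons) or None


class SemanticMonitor:
    """Learn one model per (unit, register) from a training window, then judge new writes."""

    def __init__(self):
        self.models = defaultdict(VariableModel)

    def train(self, frames):
        for frame in frames:
            parsed = parse_write_single_register(frame)
            if parsed:
                unit, addr, value = parsed
                self.models[(unit, addr)].observe(value)
        for model in self.models.values():
            model.finalize()

    def check(self, frame):
        parsed = parse_write_single_register(frame)
        if parsed is None:
            return None
        unit, addr, value = parsed
        if (unit, addr) not in self.models:
            return f"unit {unit} reg {addr}: never written during training (value {value})"
        reason = self.models[(unit, addr)].check(value)
        return f"unit {unit} reg {addr}: {reason}" if reason else None


def demo():
    """Constructed scenario: reg 100 is a slowly drifting setpoint, reg 200 a mode selector."""
    training = [build_write_single_register(1, 100, v, tid=i)
                for i, v in enumerate([500, 502, 505, 503, 508, 510, 506, 509])]
    training += [build_write_single_register(1, 200, v, tid=100 + i)
                 for i, v in enumerate([0, 1, 1, 2, 1, 0])]
    monitor = SemanticMonitor()
    monitor.train(training)
    events = [
        build_write_single_register(1, 100, 507),   # normal setpoint drift
        build_write_single_register(1, 200, 2),     # normal mode change
        build_write_single_register(1, 100, 9000),  # direct attack: setpoint far outside history
        build_write_single_register(1, 200, 7),     # mode value never seen
        build_write_single_register(1, 300, 1),     # register never written in training
    ]
    return [monitor.check(e) for e in events]


if __name__ == "__main__":
    for alert in demo():
        print(alert or "ok")
```

The monitor is purely passive: it only needs a copy of the PLC-facing traffic, which is the property the abstract relies on for deployment in operational plants. The obvious caveat carries over too: a training window that already contains attacker writes, or one too short to cover legitimate operating modes, yields a model that either whitelists the attack or floods the operator with false alerts on the next seasonal setpoint change.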
Original language: Undefined
Title of host publication: ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 126-135
Number of pages: 10
ISBN (Print): 978-1-4503-3005-3
DOIs: 10.1145/2664243.2664277
Publication status: Published - 8 Dec 2014
Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - Hyatt French Quarter, New Orleans, United States
Duration: 8 Dec 2014 to 12 Dec 2014
Conference number: 30
https://www.acsac.org/2014/

Publication series

Publisher: ACM

Conference

Conference: 30th Annual Computer Security Applications Conference, ACSAC 2014
Abbreviated title: ACSAC 2014
Country: United States
City: New Orleans
Period: 8/12/14 to 12/12/14
Internet address: https://www.acsac.org/2014/

Keywords

  • SCS-Cybersecurity
  • semantic security monitoring
  • industrial processes
  • METIS-309910
  • PLC
  • IR-94337
  • EWI-25757

Cite this

Hadziosmanovic, D., Sommer, R., Zambon, E., & Hartel, P. H. (2014). Through the eye of the PLC: semantic security monitoring for industrial processes. In ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference (pp. 126-135). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2664243.2664277
@inproceedings{4f7f5c9c67cc43b7b3fdeb4b048e07c3,
title = "Through the eye of the PLC: semantic security monitoring for industrial processes",
abstract = "Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.",
keywords = "SCS-Cybersecurity, semantic security monitoring, industrial processes, METIS-309910, PLC, IR-94337, EWI-25757",
author = "D. Hadziosmanovic and Robin Sommer and Emmanuele Zambon and Hartel, {Pieter H.}",
note = "10.1145/2664243.2664277",
year = "2014",
month = "12",
day = "8",
doi = "10.1145/2664243.2664277",
language = "Undefined",
isbn = "978-1-4503-3005-3",
publisher = "Association for Computing Machinery (ACM)",
pages = "126--135",
booktitle = "ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference",
address = "United States",

}