Through the eye of the PLC: semantic security monitoring for industrial processes

D. Hadziosmanovic, Robin Sommer, Emmanuele Zambon, Pieter H. Hartel

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    58 Citations (Scopus)
    119 Downloads (Pure)

    Abstract

    Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
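As an added example (not code from the paper or its authors), the following Python sketch illustrates the idea the abstract describes: learn a model per process variable from a training window of variable updates, then flag later updates that deviate from that model. Everything concrete here is an assumption constructed for the illustration: the three model classes (constant, enumerated, continuous with learned min/max limits), the threshold of 10 distinct values that separates enumerated from continuous behaviour, and the variable names and values. Extracting the updates from the PLCs' network traffic is assumed to have happened already; the detector consumes `(variable, value)` pairs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed threshold: a variable with more distinct training values than this is
# treated as a continuous quantity rather than an enumeration of modes/states.
MAX_ENUM_VALUES = 10


@dataclass
class VariableModel:
    """Per-variable prediction model derived from observed updates."""
    kind: str                                   # "constant", "enum" or "continuous"
    values: Set[float] = field(default_factory=set)
    low: float = float("inf")
    high: float = float("-inf")

    def check(self, value: float) -> Optional[str]:
        """Return a reason string if `value` violates the model, else None."""
        if self.kind in ("constant", "enum"):
            if value not in self.values:
                return f"{self.kind} variable took unseen value {value!r}"
            return None
        if value < self.low or value > self.high:
            return f"continuous variable outside learned range [{self.low}, {self.high}]"
        return None


def learn_models(updates: List[Tuple[str, float]]) -> Dict[str, VariableModel]:
    """Classify each variable from its training updates and record its limits."""
    observed: Dict[str, List[float]] = {}
    for name, value in updates:
        observed.setdefault(name, []).append(value)

    models: Dict[str, VariableModel] = {}
    for name, vals in observed.items():
        distinct = set(vals)
        if len(distinct) == 1:
            kind = "constant"        # e.g. a setpoint that never changed
        elif len(distinct) <= MAX_ENUM_VALUES:
            kind = "enum"            # e.g. a pump mode with a handful of states
        else:
            kind = "continuous"      # e.g. a measured tank level
        models[name] = VariableModel(kind=kind, values=distinct,
                                     low=min(vals), high=max(vals))
    return models


def detect(models: Dict[str, VariableModel],
           updates: List[Tuple[str, float]]) -> List[str]:
    """Run later updates against the learned models and collect alerts."""
    alerts: List[str] = []
    for name, value in updates:
        model = models.get(name)
        if model is None:
            alerts.append(f"{name}: update to variable never seen in training")
            continue
        reason = model.check(value)
        if reason:
            alerts.append(f"{name}: {reason}")
    return alerts


# Constructed training window: a fixed chlorine setpoint, a pump cycling
# through three modes, and a tank level drifting between 40.0 and 67.5.
TRAINING_UPDATES: List[Tuple[str, float]] = (
    [("chlorine_setpoint", 1.5)] * 5
    + [("pump_mode", m) for m in (0, 1, 2, 1, 0, 2)]
    + [("tank_level", 40.0 + i * 2.5) for i in range(12)]
)

# Constructed detection window: a changed setpoint, an unknown pump mode, an
# out-of-range level and a write to a variable never seen before.
TEST_UPDATES: List[Tuple[str, float]] = [
    ("chlorine_setpoint", 1.5),
    ("chlorine_setpoint", 4.0),
    ("pump_mode", 1),
    ("pump_mode", 7),
    ("tank_level", 55.0),
    ("tank_level", 80.0),
    ("flush_valve", 1),
]

if __name__ == "__main__":
    learned = learn_models(TRAINING_UPDATES)
    for line in detect(learned, TEST_UPDATES):
        print("ALERT", line)
```

The constant-variable case is the one closest to the attacks the abstract names: a setpoint written by an engineering workstation normally stays fixed, so any update to a different value is worth an alert regardless of how plausible the new value looks. The continuous case only catches values outside the learned envelope, which is why the abstract treats indirect attacks on measurements as harder than direct control changes.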
    Original language: Undefined
    Title of host publication: ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference
    Place of Publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 126-135
    Number of pages: 10
    ISBN (Print): 978-1-4503-3005-3
    DOIs: https://doi.org/10.1145/2664243.2664277
    Publication status: Published - 8 Dec 2014
    Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - Hyatt French Quarter, New Orleans, United States
    Duration: 8 Dec 2014 - 12 Dec 2014
    Conference number: 30
    https://www.acsac.org/2014/

    Publication series

    Publisher: ACM

    Conference

    Conference: 30th Annual Computer Security Applications Conference, ACSAC 2014
    Abbreviated title: ACSAC 2014
    Country: United States
    City: New Orleans
    Period: 8/12/14 - 12/12/14
    Internet address: https://www.acsac.org/2014/

    Keywords

    • SCS-Cybersecurity
    • semantic security monitoring
    • industrial processes
    • METIS-309910
    • PLC
    • IR-94337
    • EWI-25757

    Cite this

    Hadziosmanovic, D., Sommer, R., Zambon, E., & Hartel, P. H. (2014). Through the eye of the PLC: semantic security monitoring for industrial processes. In ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference (pp. 126-135). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2664243.2664277
    Hadziosmanovic, D. ; Sommer, Robin ; Zambon, Emmanuele ; Hartel, Pieter H. / Through the eye of the PLC: semantic security monitoring for industrial processes. ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference. New York : Association for Computing Machinery (ACM), 2014. pp. 126-135
    @inproceedings{4f7f5c9c67cc43b7b3fdeb4b048e07c3,
    title = "Through the eye of the PLC: semantic security monitoring for industrial processes",
    abstract = "Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.",
    keywords = "SCS-Cybersecurity, semantic security monitoring, industrial processes, METIS-309910, PLC, IR-94337, EWI-25757",
    author = "D. Hadziosmanovic and Robin Sommer and Emmanuele Zambon and Hartel, {Pieter H.}",
    note = "10.1145/2664243.2664277",
    year = "2014",
    month = "12",
    day = "8",
    doi = "10.1145/2664243.2664277",
    language = "Undefined",
    isbn = "978-1-4503-3005-3",
    publisher = "Association for Computing Machinery (ACM)",
    pages = "126--135",
    booktitle = "ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference",
    address = "United States",
    }

    Hadziosmanovic, D, Sommer, R, Zambon, E & Hartel, PH 2014, Through the eye of the PLC: semantic security monitoring for industrial processes. in ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference. Association for Computing Machinery (ACM), New York, pp. 126-135, 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, United States, 8/12/14. https://doi.org/10.1145/2664243.2664277

    Through the eye of the PLC: semantic security monitoring for industrial processes. / Hadziosmanovic, D.; Sommer, Robin; Zambon, Emmanuele; Hartel, Pieter H.

    ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference. New York : Association for Computing Machinery (ACM), 2014. p. 126-135.


    TY - GEN
    T1 - Through the eye of the PLC: semantic security monitoring for industrial processes
    AU - Hadziosmanovic, D.
    AU - Sommer, Robin
    AU - Zambon, Emmanuele
    AU - Hartel, Pieter H.
    N1 - 10.1145/2664243.2664277
    PY - 2014/12/8
    Y1 - 2014/12/8
    N2 - Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
    AB - Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
    KW - SCS-Cybersecurity
    KW - semantic security monitoring
    KW - industrial processes
    KW - METIS-309910
    KW - PLC
    KW - IR-94337
    KW - EWI-25757
    U2 - 10.1145/2664243.2664277
    DO - 10.1145/2664243.2664277
    M3 - Conference contribution
    SN - 978-1-4503-3005-3
    SP - 126
    EP - 135
    BT - ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference
    PB - Association for Computing Machinery (ACM)
    CY - New York
    ER -

    Hadziosmanovic D, Sommer R, Zambon E, Hartel PH. Through the eye of the PLC: semantic security monitoring for industrial processes. In ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference. New York: Association for Computing Machinery (ACM). 2014. p. 126-135 https://doi.org/10.1145/2664243.2664277