Abstract
Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
Original language | Undefined |
---|---|
Title of host publication | ACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference |
Place of Publication | New York |
Publisher | Association for Computing Machinery |
Pages | 126-135 |
Number of pages | 10 |
ISBN (Print) | 978-1-4503-3005-3 |
Publication status | Published - 8 Dec 2014 |
Event | 30th Annual Computer Security Applications Conference, ACSAC 2014 - Hyatt French Quarter, New Orleans, United States. Duration: 8 Dec 2014 → 12 Dec 2014. Conference number: 30. https://www.acsac.org/2014/ |
Publication series
Name | |
---|---|
Publisher | ACM |
Conference
Conference | 30th Annual Computer Security Applications Conference, ACSAC 2014 |
---|---|
Abbreviated title | ACSAC 2014 |
Country/Territory | United States |
City | New Orleans |
Period | 8/12/14 → 12/12/14 |
Keywords
- SCS-Cybersecurity
- semantic security monitoring
- industrial processes
- METIS-309910
- PLC
- IR-94337
- EWI-25757