Through the eye of the PLC: semantic security monitoring for industrial processes

D. Hadziosmanovic, Robin Sommer, Emmanuele Zambon, Pieter H. Hartel

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    141 Citations (Scopus)
    188 Downloads (Pure)


    Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.
    Original languageUndefined
    Title of host publicationACSAC'14 Proceedings of the 30th Annual Computer Security Applications Conference
    Place of PublicationNew York
    PublisherAssociation for Computing Machinery
    Number of pages10
    ISBN (Print)978-1-4503-3005-3
    Publication statusPublished - 8 Dec 2014
    Event30th Annual Computer Security Applications Conference, ACSAC 2014 - Hyatt French Quarter, New Orleans, United States
    Duration: 8 Dec 201412 Dec 2014
    Conference number: 30

    Publication series



    Conference30th Annual Computer Security Applications Conference, ACSAC 2014
    Abbreviated titleACSAC 2014
    Country/TerritoryUnited States
    CityNew Orleans
    Internet address


    • SCS-Cybersecurity
    • semantic security monitoring
    • industrial processes
    • METIS-309910
    • PLC
    • IR-94337
    • EWI-25757

    Cite this