Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Abstract

Attacks on industrial control systems remain rare overall, yet they may carefully target their victims. A particularly challenging threat consists of adversaries aiming to change a plant's *process flow*. A prominent example of such a threat is Stuxnet, which manipulated the speed of centrifuges to operate outside of their permitted range. Existing intrusion detection approaches fail to address this type of threat. In this paper we propose a novel network monitoring approach that takes process semantics into account by (1) extracting the value of process variables from network traffic, (2) characterizing types of variables based on the behavior of time series, and (3) modeling and monitoring the regularity of variable values over time. We implement a prototype system and evaluate it with real-world network traffic from two operational water treatment plants. Our approach is a first step towards devising intrusion detection systems that can detect semantic attacks that aim to tamper with a plant's physical processes.
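The following is an added example, not code from the paper or its prototype, sketching steps (2) and (3) of the approach: typing process variables from their time-series behaviour and learning a regularity model that flags an out-of-range value such as a centrifuge or motor speed outside its permitted band. The variable names, sample readings and classification thresholds are all constructed assumptions; step (1), extracting the values from captured traffic, is assumed to have already happened.

```python
from dataclasses import dataclass

# Constructed readings of three process variables, one value per poll cycle,
# standing in for values extracted from captured PLC traffic (not real data).
TRAINING: dict[str, list[float]] = {
    "pump_run": [1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1],
    "speed_setpoint_rpm": [1064.0] * 16,
    "motor_speed_rpm": [1010.0, 1015.5, 1020.0, 1019.2, 1025.0, 1030.1, 1028.4,
                        1022.0, 1018.7, 1012.3, 1008.9, 1014.0, 1021.6, 1027.3,
                        1024.8, 1016.2],
}

def classify(series, enum_fraction=0.25):
    """Step 2: type a variable from its time-series behaviour. Thresholds are assumed."""
    distinct = len(set(series))
    if distinct == 1:
        return "constant"
    if distinct <= max(2, int(len(series) * enum_fraction)):
        return "discrete"      # few distinct values: a status word or enumeration
    return "continuous"        # measurement or setpoint that varies smoothly

@dataclass
class VariableModel:
    kind: str
    allowed: frozenset = frozenset()   # used for constant/discrete variables
    low: float = 0.0                   # used for continuous variables
    high: float = 0.0

def learn(series, margin=0.05):
    """Step 3: model the regularity of a variable from an attack-free training window."""
    kind = classify(series)
    if kind != "continuous":
        return VariableModel(kind, frozenset(series))
    lo, hi = min(series), max(series)
    slack = (hi - lo) * margin         # small tolerance around the observed range
    return VariableModel(kind, low=lo - slack, high=hi + slack)

def check(model, value):
    """Return None if value fits the model, else a short alert message."""
    if model.kind != "continuous":
        return None if value in model.allowed else f"unexpected {model.kind} value {value!r}"
    if model.low <= value <= model.high:
        return None
    return f"value {value} outside learned range [{model.low:.1f}, {model.high:.1f}]"

def monitor(models, reading):
    """Check one polled snapshot against the learned models; returns alerts."""
    return [f"{name}: {msg}" for name, v in reading.items()
            if (msg := check(models[name], v)) is not None]

MODELS = {name: learn(series) for name, series in TRAINING.items()}
```

Feeding a snapshot with the motor speed far above the learned band into `monitor` yields an alert for that variable only, while a snapshot of normal readings yields none.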