Through the Eye of the PLC: Towards Semantic Security Monitoring for Industrial Control Systems

Attacks on industrial control systems remain rare overall, yet they may carefully target their victims. A particularly challenging threat consists of adversaries aiming to change a plant's *process flow*. A prominent example of such a threat is Stuxnet, which manipulated the speed of centrifuges to operate outside of their permitted range. Existing intrusion detection approaches fail to address this type of threat. In this paper we propose a novel network monitoring approach that takes process semantics into account by (1) extracting the value of process variables from network traffic, (2) characterizing types of variables based on the behavior of time series, and (3) modeling and monitoring the regularity of variable values over time. We implement a prototype system and evaluate it with real-world network traffic from two operational water treatment plants. Our approach is a first step towards devising intrusion detection systems that can detect semantic attacks that aim to tamper with a plant's physical processes.
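As an added illustration of steps (2) and (3), not code from the paper, the sketch below learns a per-variable model from a training time series and flags values that break the learned regularity. The three variable classes (constant, enumerated, continuous), the thresholds, and the sample tag names and readings are assumptions constructed for the example; the paper's own characterization is not reproduced here.

```python
from dataclasses import dataclass, field

@dataclass
class VariableModel:
    kind: str                      # "constant", "enumerated" or "continuous" (assumed classes)
    allowed: set = field(default_factory=set)  # values seen in training (constant/enumerated)
    lo: float = 0.0                # learned range for continuous variables
    hi: float = 0.0

def characterize(series, max_enum=5):
    """Step (2): classify one process variable from its training time series."""
    values = set(series)
    if len(values) == 1:
        return VariableModel("constant", values)
    if len(values) <= max_enum:          # few distinct values: treat as an enumeration
        return VariableModel("enumerated", values)
    return VariableModel("continuous", lo=min(series), hi=max(series))

def check(model, value, margin=0.05):
    """Step (3): return None if value fits the model, otherwise an alert string."""
    if model.kind in ("constant", "enumerated"):
        if value in model.allowed:
            return None
        return f"{model.kind} variable took unseen value {value}"
    slack = (model.hi - model.lo) * margin   # small tolerance around the learned range
    if model.lo - slack <= value <= model.hi + slack:
        return None
    return f"continuous variable {value} outside learned range [{model.lo}, {model.hi}]"

def monitor(models, observations):
    """Run every (tag, value) observation against its learned model; collect alerts."""
    alerts = []
    for tag, value in observations:
        msg = check(models[tag], value)
        if msg is not None:
            alerts.append((tag, msg))
    return alerts

# Constructed training data: a fixed setpoint, a small mode enumeration, a level reading.
TRAINING = {
    "setpoint_rpm": [1000] * 20,
    "pump_mode": [1, 1, 2, 1, 2, 2, 1, 1],
    "tank_level": [40.0, 45.5, 52.0, 58.0, 60.0, 49.0, 44.0, 55.0],
}
MODELS = {tag: characterize(series) for tag, series in TRAINING.items()}

if __name__ == "__main__":
    # A setpoint silently pushed out of its normal value is the Stuxnet-style case.
    for alert in monitor(MODELS, [("setpoint_rpm", 1400), ("tank_level", 55.0)]):
        print(alert)
```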


