Abstract
Cyber-physical systems incorporate powerful devices that are used to monitor and control physical processes. These devices, along with the statistics that can be collected from them, can be leveraged as sensors for network-based and host-based anomaly detection. Host-based anomaly detection can be used in a defense-in-depth strategy to complement traditional network-based anomaly detection systems, as well as in systems for which network-based options are infeasible due to their operating environments.
This chapter discusses the development of an anomaly detection system for a SEL-3505 RTAC programmable logic controller using the recommended IEC 61131 programming tools. The required device statistics are harvested by creating a Modbus server on the test system and polling the server to retrieve data. The collected data is used to create a representative fingerprint for the associated task. When the measured behavior differs from the fingerprint, an anomaly is detected and an alarm is raised. This approach is flexible and easily implemented in existing installations. The performance of the anomaly detection system is evaluated against several network-based attacks across multiple firmware revisions and project types. Recommendations are made to improve anomaly detection performance.
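The fingerprint-and-compare loop the abstract describes, as an added example that is not the chapter's own code. It assumes the harvested statistic is a per-scan task execution time in microseconds (a constructed stand-in for whatever the device exposes over Modbus; the polling itself is out of scope here), that the fingerprint is simply the baseline sample of that statistic, and that "differs from the fingerprint" is decided with a two-sided Mann-Whitney U test, a nonparametric choice assumed here because the chapter's actual comparison method is not on this page. Both data sets are constructed, with deterministic jitter so the outcome is reproducible.

```python
"""Fingerprint-based host anomaly detection over PLC task statistics.

Added example, not the chapter's code. Assumptions: the harvested statistic
is a per-scan task execution time (microseconds), the fingerprint is the
baseline sample itself, and deviation is judged with a Mann-Whitney U test.
"""
from math import erfc, sqrt
from statistics import mean, pstdev


def mann_whitney_u(baseline, observed):
    """Return (U1, U2); ties receive average ranks."""
    combined = [(v, 0) for v in baseline] + [(v, 1) for v in observed]
    combined.sort(key=lambda t: t[0])
    ranks = [0.0] * len(combined)
    i = 0
    while i < len(combined):
        j = i
        while j + 1 < len(combined) and combined[j + 1][0] == combined[i][0]:
            j += 1
        avg_rank = (i + j + 2) / 2  # 1-based ranks i+1 .. j+1 averaged
        for k in range(i, j + 1):
            ranks[k] = avg_rank
        i = j + 1
    r1 = sum(r for r, (_, grp) in zip(ranks, combined) if grp == 0)
    n1, n2 = len(baseline), len(observed)
    u1 = r1 - n1 * (n1 + 1) / 2
    return u1, n1 * n2 - u1


def mann_whitney_p(baseline, observed):
    """Two-sided p-value using the normal approximation (adequate for
    n >= ~20 per sample). No tie correction, which is slightly conservative."""
    u1, u2 = mann_whitney_u(baseline, observed)
    n1, n2 = len(baseline), len(observed)
    mu = n1 * n2 / 2
    sigma = sqrt(n1 * n2 * (n1 + n2 + 1) / 12)
    z = (min(u1, u2) - mu) / sigma  # z <= 0 by construction
    return erfc(-z / sqrt(2))       # equals 2 * Phi(z)


def build_fingerprint(samples):
    """Fingerprint = baseline sample plus summary statistics for reporting."""
    return {"samples": sorted(samples),
            "mean_us": mean(samples),
            "std_us": pstdev(samples)}


def is_anomalous(fingerprint, window, alpha=0.01):
    """Raise an alarm when the window is unlikely to share the baseline's distribution."""
    return mann_whitney_p(fingerprint["samples"], window) < alpha


def scan_stream(fingerprint, stream, window=30, alpha=0.01):
    """Evaluate consecutive non-overlapping windows of a statistic stream.
    Returns a list of (window_start, p_value, alarm_raised)."""
    results = []
    for start in range(0, len(stream) - window + 1, window):
        p = mann_whitney_p(fingerprint["samples"], stream[start:start + window])
        results.append((start, p, p < alpha))
    return results


# Constructed data: deterministic +/-11 us jitter around a 1000 us scan time.
BASELINE = [1000 + (i * 37) % 23 - 11 for i in range(40)]
NORMAL_WINDOW = [1000 + (i * 41) % 23 - 11 for i in range(30)]
# Constructed "under load" window: every scan about 120 us slower, same jitter.
LOADED_WINDOW = [1120 + (i * 41) % 23 - 11 for i in range(30)]

if __name__ == "__main__":
    fp = build_fingerprint(BASELINE)
    print(f"fingerprint: mean={fp['mean_us']:.1f} us, std={fp['std_us']:.1f} us")
    for start, p, flagged in scan_stream(fp, NORMAL_WINDOW + LOADED_WINDOW):
        print(f"window@{start:3d}: p={p:.3g} {'ALARM' if flagged else 'ok'}")
```

The detector is deliberately distribution-free: a load-induced shift in scan time shows up as a rank separation regardless of how the jitter is shaped, and the alarm threshold `alpha` is the only tuning knob. In a deployment the baseline would be re-learned per firmware revision and project type, since both change the task's timing profile.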
© 2022 This is a U.S. government work and not under copyright protection in the U.S.; foreign copyright protection may apply
Mellish, R., Graham, S., Dunlap, S., Sweeney, P. (2022). Anomaly Detection in Automation Controllers. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XV. ICCIP 2021. IFIP Advances in Information and Communication Technology, vol 636. Springer, Cham. https://doi.org/10.1007/978-3-030-93511-5_5
DOI: https://doi.org/10.1007/978-3-030-93511-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93510-8
Online ISBN: 978-3-030-93511-5