Abstract
Vulnerability in industrial control systems (ICS) has increased radically in the past few decades. This can be attributed to reasons including the accessibility of ICS through the Internet, the development of sophisticated attack methods, and advances in the Internet of Things (IoT). The damage that attackers can cause to an insecure ICS could cost hundreds of human lives and do huge damage to a state's economy. Therefore, having such systems everywhere around us makes security nothing less than a priority. Programmable logic controllers (PLCs) are the central devices of ICS and also a target of attacks that aim at gaining access and privilege to the control logic of the controller. A successful alteration of, or intrusion into, the control logic by attackers can have a catastrophic effect on the plant. In this paper, a control logic intrusion detection methodology for PLC-based control systems is proposed. The methodology implements the detection process by comparing a potentially intruded PLC program with a trusted version of the program. To achieve this goal, a scheme is proposed that operates in a sequence of stages: first translating the PLC program to formal models (based on previous research work), then translating the formal models to graphs, followed by a comparison between the trusted system model graph and the potentially intruded system graph. In the last stage of the methodology, graph discrepancy analysis is performed in order to identify any intrusions. For demonstration purposes, a water level control system is presented as a case study, which is modeled using the UPPAAL toolbox. We have verified our methodology by developing in-house software. Our test results prove the concept that intrusions appear as discrepancies in the graphs generated from the UPPAAL-based formal modeling, which can be detected using the proposed graph comparison approach.
The premise of our study is that logic intrusions in PLC-based ICS can be identified by the changes they make to the PLC code, and that the methodology we propose can successfully detect those changes by observing the code's graph model.
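As an added illustration (not the authors' in-house software), the following Python script carries the described pipeline through on a constructed toy model of the water level controller: a minimal UPPAAL-style XML model is translated into a graph of labelled transitions, and the trusted graph is compared with a potentially intruded one to produce the discrepancy report. The XML subset, the location names, the variables `LOW`/`HIGH` and the injected modifications are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed toy model of the water-level controller in a minimal subset of the
# UPPAAL XML format (locations, transitions, guard/assignment labels).
TRUSTED = """<nta><template><name>Controller</name>
<location id="id0"><name>Idle</name></location>
<location id="id1"><name>Filling</name></location>
<init ref="id0"/>
<transition><source ref="id0"/><target ref="id1"/>
  <label kind="guard">level &lt;= LOW</label>
  <label kind="assignment">pump := 1</label></transition>
<transition><source ref="id1"/><target ref="id0"/>
  <label kind="guard">level &gt;= HIGH</label>
  <label kind="assignment">pump := 0</label></transition>
</template></nta>"""

# Constructed intruded version: the pump-off threshold is raised and a transition
# that switches the pump on from Idle without any level guard is added.
INTRUDED = TRUSTED.replace("level &gt;= HIGH", "level &gt;= HIGH + 20").replace(
    "</template>",
    '<transition><source ref="id0"/><target ref="id1"/>'
    '<label kind="assignment">pump := 1</label></transition></template>')


def model_to_graph(xml_text):
    """Translate a model into a graph: a set of (src, dst, guard, assignment) edges."""
    root = ET.fromstring(xml_text)
    edges = set()
    for tmpl in root.iter("template"):
        # Map UPPAAL location ids to their human-readable names.
        names = {loc.get("id"): loc.findtext("name") for loc in tmpl.iter("location")}
        for tr in tmpl.iter("transition"):
            labels = {lb.get("kind"): (lb.text or "").strip() for lb in tr.iter("label")}
            edges.add((names[tr.find("source").get("ref")],
                       names[tr.find("target").get("ref")],
                       labels.get("guard", ""), labels.get("assignment", "")))
    return edges


def compare_graphs(trusted, suspect):
    """Discrepancy analysis: edges present in only one of the two graphs."""
    return {"missing": sorted(trusted - suspect), "unexpected": sorted(suspect - trusted)}


if __name__ == "__main__":
    report = compare_graphs(model_to_graph(TRUSTED), model_to_graph(INTRUDED))
    for kind, edges in report.items():
        for src, dst, guard, assign in edges:
            print(f"{kind}: {src} -> {dst} [guard: {guard or 'none'}] {{{assign}}}")
```

A changed guard shows up as one missing and one unexpected edge, while an injected transition shows up as an unexpected edge only; an unchanged program yields an empty report.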
Cite this article
Hailesellasie, M., Hasan, S.R. Intrusion Detection in PLC-Based Industrial Control Systems Using Formal Verification Approach in Conjunction with Graphs. J Hardw Syst Secur 2, 1–14 (2018). https://doi.org/10.1007/s41635-017-0017-y