On the practical integration of anomaly detection techniques in industrial control applications
Introduction
Industrial controllers (e.g., Programmable Logic Controllers, Remote Terminal Units) are, in most cases, embedded devices specialized for real-time applications in manufacturing and process control. These are available in a wide variety of configurations, running a diverse palette of operating systems together with dedicated real-time schedulers. While these controllers are designed to deliver robust and effective control strategies, little has been done towards the integration of security solutions within their application layer. In fact, in the vast majority of cases, control applications do not account for the security and the inner monitoring of their behavior. This immense responsibility has been transferred to external devices such as “bump-in-the-wire” monitoring devices (Intrusion/Anomaly Detection Systems, process monitoring systems), and cryptographic devices providing the secure tunneling of legacy industrial protocols (e.g., IPSec).
To this end, a considerable amount of research has been focused on the development of Intrusion Detection Systems (IDS) [1], [2], [3], [4], [5] for the industrial realm. Different strategies have been developed by leveraging diverse techniques such as classification [6], [7], [8], multivariate statistical analysis including principal component analysis [9], [10], and data fusion [11], [12], [13]. Nevertheless, we observe that the practical implementation of previous methodologies within the industrial realm would require major software/hardware changes. Furthermore, in most cases, the complexity of the suggested detection strategy does not permit its integration within the application running on industrial controllers. This is owed to the time constraints imposed on the scheduling of real-time control applications, where complex computations may significantly affect the schedulability of such applications.
Based on the aforementioned issues, this paper presents a methodology for integrating anomaly detection systems into control applications. At its core, the methodology embraces the task scheduling rates found in control applications, and their deviation from the “normal” behavior. It proposes an innovative methodology for detecting the abnormal behavior by leveraging the cumulative sum model (CUSUM) and a regression strategy applied on a specific time interval. Furthermore, a simplistic implementation is presented for reducing its complexity and the memory requirement. The approach demonstrates that the continuous observation of the scheduling rate of control applications from a dedicated “monitoring” task constitutes a significant metric for the detection of external disturbances. Accordingly, we show that industrial controllers (IC) are sensitive to network discovery attacks, as well as to Denial of Service (DoS) attacks. The former case constitutes a significant step in the construction of a cyber kill chain [14], [15], a technique adopted from the military domain to denote the steps followed in the deployment of a targeted cyber attack. We note that, while previous reports have confirmed the sensitivity of IC to network discovery attempts [16], the developed methodology provides an effective detection strategy that can signal network discovery attempts and DoS attacks at their early stage. Accordingly, the approach can be integrated into early warning systems [17] to issue alarms and prevent possibly damaging attacks.
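The detection engine outlined above, as an added illustrative example written for this page and not the paper's own implementation: a "monitoring" task samples the scheduling rate of a control task, a linear regression fitted over an initial baseline interval supplies the expected rate, and a two-sided CUSUM runs over the residuals. The example goes one step beyond the paragraph by also reporting the disturbance interval: the sample after the CUSUM last touched zero is taken as its start, and the last sample that exceeded the allowance as its end. Ordinary least squares standing in for the paper's regression strategy, the capping of the accumulators at the decision threshold, and every numeric value (rates, window length, thresholds, the trace itself) are assumptions and constructed data, not figures from the paper.

```python
"""Added illustrative example (not the paper's code): CUSUM over regression
residuals of a control task's scheduling rate, with interval pin-pointing.
All numbers (rates, window length, thresholds) are constructed."""
from typing import List, Optional, Tuple


def linear_fit(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Ordinary least squares fit y = slope * x + intercept.
    Assumption: OLS stands in for the paper's regression strategy."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0.0:
        return 0.0, mean_y
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return slope, mean_y - slope * mean_x


class SchedulingRateDetector:
    """Two-sided CUSUM over regression residuals of the task scheduling rate."""

    def __init__(self, baseline_len: int = 20, k_sigma: float = 0.5, h_sigma: float = 5.0):
        self.baseline_len = baseline_len  # samples used to fit the regression
        self.k_sigma = k_sigma            # CUSUM allowance, in residual std devs
        self.h_sigma = h_sigma            # CUSUM decision threshold, in residual std devs
        self.rates: List[float] = []
        self.slope = self.intercept = 0.0
        self.k = self.h = 0.0
        self.s_hi = self.s_lo = 0.0       # upward / downward accumulators
        self.hi_start = self.lo_start = baseline_len  # sample after each accumulator last hit zero
        self.last_hi = self.last_lo = -1  # last sample deviating beyond the allowance
        self.active: Optional[Tuple[int, str]] = None  # (start index, direction) of open alarm
        self.trained = False

    def _train(self) -> None:
        xs = [float(i) for i in range(len(self.rates))]
        self.slope, self.intercept = linear_fit(xs, self.rates)
        residuals = [y - (self.slope * x + self.intercept) for x, y in zip(xs, self.rates)]
        sigma = max((sum(r * r for r in residuals) / len(residuals)) ** 0.5, 1e-9)
        self.k = self.k_sigma * sigma
        self.h = self.h_sigma * sigma
        self.trained = True

    def update(self, rate: float) -> Optional[Tuple[int, int]]:
        """Feed one sample; returns (start, end) when a disturbance interval closes."""
        idx = len(self.rates)
        self.rates.append(rate)
        if not self.trained:
            if len(self.rates) == self.baseline_len:
                self._train()
            return None
        residual = rate - (self.slope * idx + self.intercept)
        # Accumulators are capped at h so recovery after a disturbance is bounded (h / k samples).
        self.s_hi = min(self.h, max(0.0, self.s_hi + residual - self.k))
        self.s_lo = min(self.h, max(0.0, self.s_lo - residual - self.k))
        if residual > self.k:
            self.last_hi = idx
        if residual < -self.k:
            self.last_lo = idx
        closed = None
        if self.active is None:
            if self.s_hi >= self.h:
                self.active = (self.hi_start, "hi")
            elif self.s_lo >= self.h:
                self.active = (self.lo_start, "lo")
        elif self.s_hi == 0.0 and self.s_lo == 0.0:
            start, direction = self.active
            self.active = None
            closed = (start, self.last_hi if direction == "hi" else self.last_lo)
        # Change-point estimate: the sample following the last time the accumulator was zero.
        if self.s_hi == 0.0:
            self.hi_start = idx + 1
        if self.s_lo == 0.0:
            self.lo_start = idx + 1
        return closed


def run(rates: List[float], **kwargs) -> List[Tuple[int, int]]:
    """Replay a rate trace through the detector and collect closed intervals."""
    det = SchedulingRateDetector(**kwargs)
    return [iv for iv in (det.update(r) for r in rates) if iv is not None]


def constructed_trace() -> List[float]:
    """Constructed scheduling-rate trace (task executions per second, made-up values):
    20 baseline samples with +/-0.5 jitter, a flood that drops the rate to 60 at
    samples 30-37, and a milder 1 % degradation at samples 50-55."""
    jitter = [0.5 if i % 2 == 0 else -0.5 for i in range(10)]
    jitter += jitter[::-1]                  # mirrored so the baseline carries no trend
    baseline = [100.0 + j for j in jitter]  # indices 0-19
    return (baseline + [100.0] * 10         # 20-29 normal
            + [60.0] * 8                    # 30-37 flood
            + [100.0] * 12                  # 38-49 recovery
            + [99.0] * 6                    # 50-55 mild degradation
            + [100.0] * 12)                 # 56-67 normal


if __name__ == "__main__":
    print(run(constructed_trace()))         # [(30, 37), (50, 55)]
```

The flood trips the threshold on its first sample, while the 1 % degradation is only caught after several samples accumulate past the allowance; in both cases the reported start is the first degraded sample, because the accumulator left zero there, and the end is the last one.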
Extensive experimental investigations are conducted in the context of two IC: a Phoenix Contact ILC 350-PN, and a Siemens SIMATIC S7-1200 Programmable controller. The experiments show that IC are indeed sensitive to network discovery and DoS attacks. Furthermore, they prove that the proposed implementation can be readily integrated into a wide variety of IC. Throughout this paper we make the following main contributions:
- We formulate a methodology for integrating anomaly detection systems within the application of industrial controllers.
- We propose a simple and efficient detection engine based on the cumulative sum model and a regression strategy.
- We develop a simplistic implementation of the proposed methodology that can be readily integrated into IC.
- We present extensive experimental results on two well-established IC: a Phoenix Contact ILC 350-PN and a Siemens SIMATIC S7-1200 Programmable controller, which represent two widely used IC found in the automation systems of Romanian natural gas transportation networks.
The remainder of this paper is organized as follows. Section 2 provides an introduction to the architecture of industrial control systems, and an overview of related studies. Section 3 describes the proposed methodology for detecting abnormal task scheduling rates, while Section 4.2 documents the implementation of the proposed detection algorithm. Experimental results based on ILC 350-PN controllers are presented in Section 5, and the results concerning the Siemens SIMATIC S7-1200 Programmable controller are detailed in Section 6. The paper concludes in Section 7.
Section snippets
Overview of industrial control systems
The architecture of modern industrial control systems (ICS) can be viewed as a unique technological ecosystem consisting of various devices ranging from sensors and actuators, industrial equipment, video surveillance cameras, to traditional personal computers and networking devices. In terms of communications we find a broad range of technologies (traditional and industry-grade) including wired and wireless. At their core, ICS include the Supervisory Control And Data Acquisition (SCADA) system,
Architecture of IC
The architecture of modern IC can vary according to different vendors. Accordingly, on top of the hardware we may find a classical operating system (e.g., Linux Version 2.6 or later, FreeRTOS OPENRTOS, RTX, Windows CE 6.0, Windows Embedded Compact 7, etc.) together with a dedicated real-time operating system (e.g., ProconOS) or a real-time scheduler [40]. Irrespective of the underlying solution, control code is usually organized in several distinct user tasks, which are scheduled for periodic
Infrastructure
The implementation has been mainly evaluated in the context of a testbed that recreates the main components of a typical gas distribution node from a Romanian natural gas transportation network (see Fig. 3). The system builds on a primary controller (PLCP) produced by Phoenix Contact, model ILC 350-PN. PLCP runs the necessary control logic and handles the communication (OPC, Modbus TCP, Modbus RTU) with the other components, including the secondary controllers (PLCS), the Modbus RTU slaves,
Experimental results with the ILC 350-PN controller
This section documents the results produced using the ILC 350-PN controller in the context of the natural gas transportation system testbed described in the previous section. The analysis focuses extensively on the network traffic, since, as demonstrated later, traditional computer scans have a significant impact on the industrial traffic, and ultimately, on the scheduling rate of program tasks. We start by illustrating the recorded task rate values and the network traffic in the case of the
Experimental results with the Siemens SIMATIC S7-1200 Programmable controller
In order to demonstrate the feasible integration of the proposed detection engine into other IC, we performed a series of measurements with the Siemens SIMATIC S7-1200 Programmable controller (S7-1214C CPU). The testbed consisted of the S7-1200 IC, an engineering station running the Totally Integrated Automation portal (the TIA portal), an OPC server, and an Ethernet switch.
In terms of its software architecture, the S7-1200 family of controllers is notably different from the previously
Conclusions
We developed an innovative methodology for the practical integration of a lightweight anomaly detection algorithm in industrial control applications. The methodology consists of a “monitoring” task and of a detection algorithm that distinguishes itself from previous studies by a simple implementation that can precisely pin-point the attack interval. This represents a salient feature in the designed approach, which can help in the diagnosis procedure of intrusion events. While extensive
Acknowledgment
This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS/CCCDI-UEFISCDI, project number PN-III-P2-2.1-BG-2016-0013, within PNCDI III.
References (51)
- A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, and A. Trombetta, “A multidimensional critical state...
- S. Stone and M. Temple, “Radio-frequency-based anomaly detection for programmable logic controllers in the critical...
- A. Almalawi, A. Fahad, Z. Tari, A. Alamri, R. AlGhamdi, and A. Y. Zomaya, “An efficient data-driven clustering...
- S. Shitharth and D. P. Winston, “An enhanced optimization based algorithm for intrusion detection in scada network,”...
- J. E. Rubio, C. Alcaraz, R. Roman, and J. Lopez, “Analysis of intrusion detection systems in industrial ecosystems,”...
- I. Kiss, B. Genge, P. Haller, and G. Sebestyén, “Data clustering-based anomaly detection in industrial control...
- M. Wan, W. Shang, and P. Zeng, “Double behavior characteristics for one-class classification anomaly detection in...
- B. Wang and Z. Mao, “One-class classifiers ensemble based anomaly detection scheme for process control systems,”...
- D. Ha, U. Ahmed, H. Pyun, C.-J. Lee, K. H. Baek, and C. Han, “Multi-mode operation of principal component analysis with...
- I. Portnoy, K. Melendez, H. Pinzon, and M. Sanjuan, “An improved weighted recursive PCA algorithm for adaptive fault...
Cited by (11)
- Discovery of potential risks for the gas transmission station using monitoring data and the OOBN method (2023, Reliability Engineering and System Safety). Citation excerpt: "The cumulative sum is the total amount of deviations, including data from all prior samples. They're great at detecting slight changes in the variable [52]. The CUSUM method is used to analyze observations that have been collected over time."
- A multilayer perceptron model for anomaly detection in water treatment plants (2020, International Journal of Critical Infrastructure Protection)
- Utilizing a Unique Deep Learning Technique for Detecting Anomalies in Industrial Automation Systems (2024, Proceedings on Engineering Sciences)
- MFFAMM: A Small Object Detection with Multi-Scale Feature Fusion and Attention Mechanism Module (2022, Applied Sciences (Switzerland))
- A Comprehensive Survey of Security Situational Awareness on Industrial Control Systems (2022, Journal of Cyber Security)
- Online Cyber-Attack Detection in the Industrial Control System: A Deep Reinforcement Learning Approach (2022, Mathematical Problems in Engineering)