On the practical integration of anomaly detection techniques in industrial control applications

https://doi.org/10.1016/j.ijcip.2018.10.008

Abstract

Despite significant advances made on anomaly detection systems, few reports document their practical integration into the industrial realm. Furthermore, the literature reports a wide range of complex detection strategies, which may require hardware changes/updates in order to be supported by critical industrial equipment such as industrial controllers (e.g., Programmable Logic Controllers). To address these issues, this paper documents a systematic methodology for the practical integration of lightweight anomaly detection algorithms into industrial control applications. It shows that industrial controllers, and in particular the scheduling rate of user programs, are sensitive to network traffic-based disturbances. Therefore, the methodology embraces the task scheduling rates found in control applications, and their deviation from the “normal” behavior. It designs a “monitoring” task, and an innovative algorithm for detecting abnormal task scheduling rates by leveraging the cumulative sum model (CUSUM) and a regression strategy applied on a specific time interval. Essentially, the approach enhances the industrial controller with a “security module” that can trigger alerts to identify cyber attacks at an early stage. The approach is extensively analyzed in the context of two industrial controllers: a Phoenix Contact ILC 350-PN controller, and a Siemens SIMATIC S7-1200 Programmable controller.

Introduction

Industrial controllers (e.g., Programmable Logic Controllers, Remote Terminal Units) are, in most cases, embedded devices specialized for real-time applications in manufacturing and process control. These are available in a wide variety of configurations, running a diverse palette of operating systems together with dedicated real-time schedulers. While these controllers are designed to deliver robust and effective control strategies, little has been done towards the integration of security solutions within their application layer. In fact, in the vast majority of cases, control applications do not account for the security and the inner monitoring of their behavior. This immense responsibility has been transferred to external devices such as “bump-in-the-wire” monitoring devices (Intrusion/Anomaly Detection Systems, process monitoring systems), and cryptographic devices providing the secure tunneling of legacy industrial protocols (e.g., IPSec).

In this direction, a considerable amount of research has been focused on the development of Intrusion Detection Systems (IDS) [1], [2], [3], [4], [5] for the industrial realm. Different strategies have been developed by leveraging diverse techniques such as classification [6], [7], [8], multivariate statistical analysis including principal component analysis [9], [10], and data fusion [11], [12], [13]. Nevertheless, we observe that the practical implementation of previous methodologies within the industrial realm would require major software/hardware changes. Furthermore, in most cases, the complexity of the suggested detection strategy does not permit its integration within the application running on industrial controllers. This is due to the time constraints imposed on the scheduling of real-time control applications, where complex computations may significantly affect the schedulability of such applications.

Based on the aforementioned issues, this paper presents a methodology for integrating anomaly detection systems into control applications. At its core, the methodology embraces the task scheduling rates found in control applications, and their deviation from the “normal” behavior. It proposes an innovative methodology for detecting the abnormal behavior by leveraging the cumulative sum model (CUSUM) and a regression strategy applied on a specific time interval. Furthermore, a simple implementation is presented for reducing its complexity and the memory requirement. The approach demonstrates that the continuous observation of the scheduling rate of control applications from a dedicated “monitoring” task constitutes a significant metric for the detection of external disturbances. Accordingly, we show that industrial controllers (IC) are sensitive to network discovery attacks, as well as to Denial of Service (DoS) attacks. The former case constitutes a significant step in the construction of a cyber kill chain [14], [15], a concept adopted from the military domain to denote the steps followed in the deployment of a targeted cyber attack. We note that, while previous reports have confirmed the sensitivity of IC to network discovery attempts [16], the developed methodology provides an effective detection strategy that can signal network discovery attempts and DoS attacks at their early stage. Accordingly, the approach can be integrated into early warning systems [17] to issue alarms and prevent possibly damaging attacks.
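As an added illustration (not code from the paper), the CUSUM part of the scheme written in C in the shape of a PLC “monitoring” task: it is calibrated on windows of normal operation, then accumulates deviations of the measured scheduling rate and raises an alarm when the sum crosses a threshold, returning the window in which the deviation became significant. It assumes the rate is measured as task activations per monitoring window, uses mean absolute deviation as the scale and the parameters k = 0.5 and h = 4.0 chosen here, and leaves out the paper's regression step.

```c
/* Added example, not the paper's code: two-sided CUSUM on a control task's
 * scheduling rate, shaped like the "monitoring" task described above.
 * Assumed: rate = task activations counted per monitoring window; slack
 * k = 0.5 and threshold h = 4.0, in units of the baseline mean absolute
 * deviation (used instead of sigma so the code needs no sqrt/libm). */
typedef struct {
    double mean;   /* baseline scheduling rate (activations per window) */
    double scale;  /* baseline mean absolute deviation */
    double k, h;   /* slack and decision threshold, in units of scale */
    double s_hi;   /* upward CUSUM: rate abnormally high */
    double s_lo;   /* downward CUSUM: rate abnormally low (traffic load) */
} cusum_t;
/* Calibrate on n windows of normal operation (the "normal" behavior). */
void cusum_calibrate(cusum_t *c, const double *rates, int n, double k, double h) {
    double sum = 0.0, dev = 0.0;
    for (int i = 0; i < n; i++) sum += rates[i];
    c->mean = sum / n;
    for (int i = 0; i < n; i++) {
        double d = rates[i] - c->mean;
        dev += d < 0.0 ? -d : d;
    }
    c->scale = dev / n;
    c->k = k; c->h = h; c->s_hi = 0.0; c->s_lo = 0.0;
}
/* One monitoring window: update both sums; returns 1 when either exceeds h*scale. */
int cusum_step(cusum_t *c, double rate) {
    double slack = c->k * c->scale;
    c->s_hi += rate - c->mean - slack;  if (c->s_hi < 0.0) c->s_hi = 0.0;
    c->s_lo += c->mean - slack - rate;  if (c->s_lo < 0.0) c->s_lo = 0.0;
    return c->s_hi > c->h * c->scale || c->s_lo > c->h * c->scale;
}
/* Index of the first alarmed window in a trace, or -1 if none. */
int first_alarm(cusum_t *c, const double *rates, int n) {
    for (int i = 0; i < n; i++)
        if (cusum_step(c, rates[i])) return i;
    return -1;
}

/* Constructed trace: 20 normal windows near 100 activations/window, then a
 * disturbance (heavy network traffic) pulling the rate down by about 3%. */
static const double trace[30] = {
    100, 101, 99, 100, 102, 98, 100, 101, 99, 100,
    100, 101, 99, 100, 102, 98, 100, 101, 99, 100,
     97,  98, 97,  96,  97, 98,  97,  97, 96,  97 };

int demo_first_alarm(void) {
    cusum_t c;
    cusum_calibrate(&c, trace, 20, 0.5, 4.0); /* learn from the normal windows */
    return first_alarm(&c, trace, 30);        /* alarm at window 21, onset at 20 */
}
```

A 3% rate drop is flagged one window after onset, while the small jitter of the normal windows never accumulates past the threshold; a sharper collapse alarms in the very first disturbed window.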

Extensive experimental investigations are conducted in the context of two IC: a Phoenix Contact ILC 350-PN, and a Siemens SIMATIC S7-1200 Programmable controller. The experiments show that IC are indeed sensitive to network discovery and DoS attacks. Furthermore, they prove that the proposed implementation can be readily integrated into a wide variety of IC. Throughout this paper we make the following main contributions:

  • We formulate a methodology for integrating anomaly detection systems within the application of industrial controllers.

  • We propose a simple and efficient detection engine based on the cumulative sum model and a regression strategy.

  • We develop a simple implementation of the proposed methodology that can be readily integrated into IC.

  • We present extensive experimental results on two well-established IC: a Phoenix Contact ILC 350-PN and a Siemens SIMATIC S7-1200 Programmable controller, which represent two widely used IC found in the automation systems of Romanian natural gas transportation networks.

The remainder of this paper is organized as follows. Section 2 provides an introduction to the architecture of industrial control systems, and an overview of related studies. Section 3 describes the proposed methodology for detecting abnormal task scheduling rates, while Section 4.2 documents the implementation of the proposed detection algorithm. Experimental results based on ILC 350-PN controllers are presented in Section 5, and the results concerning the Siemens SIMATIC S7-1200 Programmable controller are detailed in Section 6. The paper concludes in Section 7.

Section snippets

Overview of industrial control systems

The architecture of modern industrial control systems (ICS) can be viewed as a unique technological ecosystem consisting of various devices ranging from sensors and actuators, industrial equipment, video surveillance cameras, to traditional personal computers and networking devices. In terms of communications we find a broad range of technologies (traditional and industry-grade) including wired and wireless. At their core, ICS include the Supervisory Control And Data Acquisition (SCADA) system,

Architecture of IC

The architecture of modern IC can vary according to different vendors. Accordingly, on top of the hardware we may find a classical operating system (e.g., Linux Version 2.6 or later, FreeRTOS OPENRTOS, RTX, Windows CE 6.0, Windows Embedded Compact 7, etc.) together with a dedicated real-time operating system (e.g., ProconOS) or a real-time scheduler [40]. Irrespective of the underlying solution, control code is usually organized in several distinct user tasks, which are scheduled for periodic

Infrastructure

The implementation has been mainly evaluated in the context of a testbed that recreates the main components of a typical gas distribution node from a Romanian natural gas transportation network (see Fig. 3). The system builds on a primary controller (PLCP) produced by Phoenix Contact, model ILC 350-PN. PLCP runs the necessary control logic and handles the communication (OPC, Modbus TCP, Modbus RTU) with the other components, including the secondary controllers (PLCS), the Modbus RTU slaves,

Experimental results with the ILC 350-PN controller

This section documents the results produced using the ILC 350-PN controller in the context of the natural gas transportation system testbed described in the previous section. The analysis focuses extensively on the network traffic, since, as demonstrated later, traditional computer scans have a significant impact on the industrial traffic, and ultimately, on the scheduling rate of program tasks. We start by illustrating the recorded task rate values and the network traffic in the case of the

Experimental results with the Siemens SIMATIC S7-1200 Programmable controller

To demonstrate that the proposed detection engine can be integrated into other IC, we performed a series of measurements with the Siemens SIMATIC S7-1200 Programmable controller (S7-1214C CPU). The testbed consisted of the S7-1200 IC, an engineering station running the Totally Integrated Automation portal (the TIA portal), an OPC server, and an Ethernet switch.

In terms of its software architecture, the S7-1200 family of controllers is notably different from the previously

Conclusions

We developed an innovative methodology for the practical integration of a lightweight anomaly detection algorithm in industrial control applications. The methodology consists of a “monitoring” task and of a detection algorithm that distinguishes itself from previous studies by a simple implementation that can precisely pin-point the attack interval. This represents a salient feature in the designed approach, which can help in the diagnosis procedure of intrusion events. While extensive

Acknowledgment

This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS/CCCDI-UEFISCDI, project number PN-III-P2-2.1-BG-2016-0013, within PNCDI III.

References (51)

  [1] A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, and A. Trombetta, “A multidimensional critical state...
  [2] S. Stone and M. Temple, “Radio-frequency-based anomaly detection for programmable logic controllers in the critical...
  [3] A. Almalawi, A. Fahad, Z. Tari, A. Alamri, R. AlGhamdi, and A. Y. Zomaya, “An efficient data-driven clustering...
  [4] S. Shitharth and D. P. Winston, “An enhanced optimization based algorithm for intrusion detection in scada network,”...
  [5] J. E. Rubio, C. Alcaraz, R. Roman, and J. Lopez, “Analysis of intrusion detection systems in industrial ecosystems,”...
  [6] I. Kiss, B. Genge, P. Haller, and G. Sebestyén, “Data clustering-based anomaly detection in industrial control...
  [7] M. Wan, W. Shang, and P. Zeng, “Double behavior characteristics for one-class classification anomaly detection in...
  [8] B. Wang and Z. Mao, “One-class classifiers ensemble based anomaly detection scheme for process control systems,”...
  [9] D. Ha, U. Ahmed, H. Pyun, C.-J. Lee, K. H. Baek, and C. Han, “Multi-mode operation of principal component analysis with...
  [10] I. Portnoy, K. Melendez, H. Pinzon, and M. Sanjuan, “An improved weighted recursive PCA algorithm for adaptive fault...
  [11] B. Genge, C. Siaterlis, and G. Karopoulos, “Data fusion-based anomaly detection in networked critical infrastructures,”...
  [12] A. Di Pietro, S. Panzieri, and A. Gasparri, “Situational awareness using distributed data fusion with evidence...
  [13] B. Chen, D. W. C. Ho, W.-A. Zhang, and L. Yu, “Distributed dimensionality reduction fusion estimation for...
  [14] US-CERT, “Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure...
  [15] T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” in Security in Computing and Communications, J. H....
  [16] Siemens, “Information regarding the Behaviour of SIMATIC S7-1200 in Industrial Networks,” 2011, [Online; Accessed March...
  [17] C. Alcaraz, C. Fernandez-Gago, and J. Lopez, “An early warning system based on reputation for energy control systems,”...
  [18] J. Wan, M. K. Khan, M. Qiu, and D. Zhang, “Cloud-assisted industrial systems and applications,” Mobile Networks and...
  [19] M. Hagerott, “Stuxnet and the vital role of critical infrastructure operators and engineers,” International Journal of...
  [20] Symantec, “Dragonfly: Cyberespionage attacks against energy suppliers,” Symantec Security Response, 2014. Version 1.21:...
  [21] R. Filippini and A. Silva, “A modeling framework for the resilience analysis of networked systems-of-systems based on...
  [22] A. Giani, R. Bent, and F. Pan, “Phasor measurement unit selection for unobservable electric power data integrity attack...
  [23] J. E. Rubio, C. Alcaraz, R. Roman, and J. Lopez, “Analysis of intrusion detection systems in industrial ecosystems,”...
  [24] A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and S. Sastry, “Attacks against process control systems:...
  [25] J. Giraldo, A. Cardenas, and N. Quijano, “Integrity attacks on real-time pricing in smart grids: Impact and...