Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process

Abstract

Industrial control systems are used to operate critical infrastructure assets in the civilian and military sectors. Current industrial control system architectures are predominantly based on networked digital computers that enable reliable monitoring and control of critical functions via localized and distributed operations. Many industrial control systems, in particular, supervisory control and data acquisition (SCADA) systems, implement monitoring and control using programmable logic controllers, which have served as gateways through which cyber attacks have been orchestrated against high-profile industrial control system targets.This paper focuses on securing the programmable logic controller gateway against unauthorized entry and mitigating attack risks by (i) adopting a previously demonstrated capability that provides hardware device discrimination using information extracted from intentional radio frequency (RF) emissions; and (ii) adapting the RF-based verification methodology to exploit information in unintentional programmable logic controller emissions to detect anomalous operations and enhance industrial control system security. Operational status verification (normal operation versus anomalous operation) is demonstrated using emissions from 10 like-model programmable logic controllers. The correlation-based verification approach with Hilbert transform features demonstrates superior performance than with untransformed time domain features. Experimental results demonstrate that an arbitrary equal error rate (EER) benchmark (EER≤10%) is achieved for all programmable logic controllers with a signal-to-noise ratio (SNR) of 5.0dB when Hilbert-transformed features are used for complete programmable logic controller program scans or SNR=0.0dB when each programmable logic controller program operation is compared independently. This benchmark was not achieved for any programmable logic controllers when untransformed time domain features were employed.