Abstract

Industrial Control Systems (ICS) deployed in critical cyber-physical infrastructures are ripe targets for cyber attacks. In this paper, we consider false data injection, or in-flight data tampering at the industrial control communications layer, as our threat model. Such attacks are possible through targeted malware implants inside the industrial control network or through insider attacks, even when the network is isolated from the Internet. We consider the problems such attacks could cause at the programmable logic controllers (PLCs) and thereby to the overall control and monitoring function. We devise a lightweight solution for the PLC to detect and protect against data tampering in real time. We implement this in our power distribution testbed on Schneider Electric PLCs. We describe our methodology, algorithms and implementation. We demonstrate experimentally the efficacy of our detection algorithms by inducing real false data injection attacks based on various vulnerabilities we have disclosed. Our methodology is model-driven, whereas most intrusion detection mechanisms in the CPS domain appear to be data-driven. To avoid overburdening the limited computational resources on PLCs, the model-driven approach is designed to be lightweight. Although our demonstration is implemented on specific PLCs, the methodology and algorithms are generic and applicable to most makes and models.
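To make the contrast between model-driven and data-driven detection concrete, the following added example (not the paper's code, and not its algorithm) sketches the kind of lightweight, physics-based plausibility check a PLC could run every scan cycle on a distribution bus. The bus model, thresholds and all scan readings are constructed assumptions for illustration.

```python
# Added illustrative example, not the paper's code: a lightweight model-driven
# plausibility check a PLC could run every scan cycle to flag false data
# injection. Model: one distribution bus where incomer current equals the sum
# of feeder currents (Kirchhoff's current law) within sensor noise, readings stay
# inside the sensors' rated range, and current cannot jump faster than the load
# allows. All thresholds and readings below are constructed.
KCL_TOLERANCE_A = 2.0           # allowed incomer vs. feeder-sum mismatch
MAX_STEP_A = 10.0               # max plausible feeder change per scan
CURRENT_RANGE_A = (0.0, 200.0)  # rated measurement range of the sensors

def check_scan(cur, prev=None):
    """Return alarm strings for one scan. cur/prev: {'incomer': A, 'feeders': [A, ...]}."""
    alarms = []
    lo, hi = CURRENT_RANGE_A
    readings = [("incomer", cur["incomer"])] + [
        (f"feeder{i}", v) for i, v in enumerate(cur["feeders"])]
    for name, val in readings:           # range check: value physically impossible
        if not lo <= val <= hi:
            alarms.append(f"{name}: {val:.1f} A outside rated range")
    mismatch = cur["incomer"] - sum(cur["feeders"])   # conservation check
    if abs(mismatch) > KCL_TOLERANCE_A:
        alarms.append(f"KCL violation: incomer differs from feeder sum by {mismatch:.1f} A")
    if prev is not None:                  # rate-of-change check against last scan
        for i, (a, b) in enumerate(zip(prev["feeders"], cur["feeders"])):
            if abs(b - a) > MAX_STEP_A:
                alarms.append(f"feeder{i}: implausible step of {b - a:+.1f} A in one scan")
    return alarms

def scan_alarms(scans):
    """Run check_scan over a scan sequence; return {scan_index: alarms} for flagged scans."""
    flagged, prev = {}, None
    for i, cur in enumerate(scans):
        alarms = check_scan(cur, prev)
        if alarms:
            flagged[i] = alarms
        prev = cur
    return flagged

# Constructed scans: scan 2 carries an injected feeder1 value that is in range on
# its own but breaks both the KCL balance and the rate limit; the return to
# normal in scan 3 trips the rate check too, as any step detector would.
SAMPLE_SCANS = [
    {"incomer": 120.5, "feeders": [40.2, 50.1, 30.0]},
    {"incomer": 121.0, "feeders": [40.5, 50.3, 30.1]},
    {"incomer": 121.2, "feeders": [40.4, 95.0, 30.2]},  # tampered feeder1
    {"incomer": 120.8, "feeders": [40.3, 50.2, 30.1]},
]

if __name__ == "__main__":
    for idx, alarms in scan_alarms(SAMPLE_SCANS).items():
        print(f"scan {idx}: " + "; ".join(alarms))
```

The checks use only a handful of comparisons per scan and no training data, which is what keeps a model-driven detector affordable on PLC-class hardware.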
