On the multiple anomaly detection of a third-party monitoring system for secured control

Abstract

The industrial control systems face cybersecurity problems due to the connection with internets, and the cyberattacks are targeting industrial controllers: Programmable Logic Controllers (PLCs). To maintain the availability of the control system, the availability of anomaly detection itself is important. This paper considers a third-party monitoring system with multiple anomaly detection functions. The third monitoring system devotes control systems to control operations instated of security operations. Also, when a control system is subjected to a high-level cyberattack which loses control and security functions, it is expected that the multiple detection functions allow the operator to detect the abnormality earlier. Our proposed system uses two redundant PLCs for sequence control, and one of them is for normal operation, and the other one is for anomaly detection. They operate in conjunction, and when the cyberattacked PLC deviates from the normal operation, the anomaly detection PLC turns on the LED to make it easier to recognize visually, and determines that it is an anomaly. The cyberattack detection method is that the anomaly detection PLC always holds the normal state transition information of the control PLC, and the former PLC always monitors that of the latter PLC. Only when an abnormality occurs, the former PLC detects it as an abnormality. The display method of the detection way is shown by using three types of LEDs. By LEDs turning on or off, the operator can recognize which status is abnormal. The LED lighting state is shown in the state transition diagram, and we explain the superiority of the third-party monitoring system incorporating multiple detection methods.