Abstract

Programmable logic controllers (PLCs) make up the majority of endpoints on industrial control system (ICS) networks and are the vital bridge between the cyber and physical worlds. Although these devices are critical, they are often insecure by design: they communicate over unauthenticated protocols, fail to provide standard password protection, and use trivially spoofed checksums rather than cryptographic hashes to detect program changes. Furthermore, extreme resource limitations, long life cycles, and strict downtime requirements make it difficult to patch existing devices in the field and virtually impossible to install any kind of endpoint protection. While these limitations have traditionally been considered a security weakness, they may also be leveraged for change and anomaly detection. Specifically, this research proposes to leverage these same resource limitations for continuous behavioral anomaly detection on the PLCs themselves, using program execution times to detect single-instruction changes to control programs made through either network or local access. The basic techniques are extended with white-box modeling to estimate rare execution behavior from source code, and proof-of-work functions are used to increase the techniques' resiliency against mimicry attacks.
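The following simulation is an added illustration of the three ideas in the abstract (execution-time anomaly detection, a white-box timing envelope derived from source, and a proof-of-work filler against mimicry); it is not the dissertation's code and does not reproduce its methods. Everything in it is hypothetical and constructed for the example: the IL-style instruction set and its per-instruction cycle costs, the seal-in motor program with an emergency-stop branch, the single inserted `ST` used as the attack, the 40-cycle scan budget, and the SHA-256 hash chain used as proof of work. The attack is caught by an exact timing check, hides inside a 3-cycle jitter tolerance, and is caught again once the leftover cycles are committed to a verifiable hash chain.

```python
"""Scan-cycle timing detector for a toy PLC (added example, not the paper's
code). Hypothetical parts: the IL-style instruction set and its cycle costs,
the control program, the fixed scan budget and the hash-chain proof of work."""
import hashlib
import itertools

# Hypothetical cycle cost per instruction on the simulated controller.
COST = {"LD": 2, "AND": 2, "OR": 2, "ST": 3, "JMPC": 4}

# Constructed control program: seal-in motor start with an emergency-stop
# branch. Coils are read back as inputs (the previous process image).
PROGRAM = [
    ("LD", "estop"),   # 0  acc = estop
    ("JMPC", 5),       # 1  estop pressed: skip the run logic (rarely taken)
    ("LD", "start"),   # 2
    ("OR", "motor"),   # 3  seal-in
    ("ST", "motor"),   # 4
    ("LD", "estop"),   # 5
    ("ST", "alarm"),   # 6  alarm coil follows estop
]
INPUTS = ("estop", "start", "motor")

# Constructed single-instruction attack: one inserted ST writes the
# accumulator (estop) to the motor coil, so the motor runs when estop is hit.
ATTACKED = PROGRAM[:6] + [("ST", "motor")] + PROGRAM[6:]


def execute(program, inputs):
    """Run one scan; return (outputs, cycles consumed)."""
    acc, outputs, cycles, pc = False, {}, 0, 0
    while pc < len(program):
        op, arg = program[pc]
        cycles += COST[op]
        if op == "LD":
            acc = inputs[arg]
        elif op == "AND":
            acc = acc and inputs[arg]
        elif op == "OR":
            acc = acc or inputs[arg]
        elif op == "ST":
            outputs[arg] = acc
        elif op == "JMPC" and acc:
            pc = arg           # absolute target index
            continue
        pc += 1
    return outputs, cycles


def whitebox_envelope(program, input_names=INPUTS):
    """Enumerate every input combination (a white-box model built from the
    source) so rarely executed paths, such as the estop branch, belong to
    the baseline even if they never occurred while the baseline was observed."""
    return {execute(program, dict(zip(input_names, v)))[1]
            for v in itertools.product([False, True], repeat=len(input_names))}


def timing_anomalous(cycles, envelope, jitter=0):
    """Flag a scan whose cycle count is farther than `jitter` from every
    modelled execution time. Real clocks need jitter > 0, and that slack is
    where a small inserted instruction can hide (a mimicry attack)."""
    return all(abs(cycles - t) > jitter for t in envelope)


SCAN_BUDGET = 40   # hypothetical cycles available per scan
POW_COST = 1       # hypothetical cycles per hash iteration


def scan_with_pow(program, inputs, seed):
    """Run the program, then spend every leftover cycle on a SHA-256 hash
    chain; report (outputs, iterations, digest) to the monitor."""
    outputs, cycles = execute(program, inputs)
    iterations = max(0, (SCAN_BUDGET - cycles) // POW_COST)
    h = seed
    for _ in range(iterations):
        h = hashlib.sha256(h).digest()
    return outputs, iterations, h


def pow_anomalous(seed, iterations, digest, envelope):
    """Monitor side: the iteration count must match a modelled path exactly,
    and the digest must really be that many hashes of the seed (assumes the
    chain cannot be computed faster than one iteration per POW_COST cycles,
    so the device cannot report cycles it spent on hidden instructions)."""
    expected = {(SCAN_BUDGET - t) // POW_COST for t in envelope}
    h = seed
    for _ in range(iterations):
        h = hashlib.sha256(h).digest()
    return iterations not in expected or h != digest


if __name__ == "__main__":
    env = whitebox_envelope(PROGRAM)                  # {11, 18}
    inputs = {"estop": True, "start": False, "motor": False}
    _, t = execute(ATTACKED, inputs)                  # 14 cycles (11 + one ST)
    print("exact timing flags insert:", timing_anomalous(t, env))           # True
    print("3-cycle jitter hides it:", timing_anomalous(t, env, jitter=3))   # False
    seed = b"monitor-nonce-0001"                      # constructed nonce
    _, n, d = scan_with_pow(ATTACKED, inputs, seed)   # n == 26, expected {22, 29}
    print("PoW flags honest report:", pow_anomalous(seed, n, d, env))        # True
    print("PoW flags forged count:", pow_anomalous(seed, 29, d, env))        # True
```

The white-box envelope is the point of the second extension in the abstract: a baseline learned only from observed scans would contain 18 cycles and flag the first genuine emergency stop (11 cycles) as an anomaly, while enumerating paths from the source puts both times in the envelope before they are ever seen. The proof-of-work step is modelled under the stated assumption that hash iterations cannot be sped up; the real design in the dissertation may commit the idle cycles differently.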

Full Text
Published version (Free)