4.8 Article

Detecting PLC Intrusions Using Control Invariants

Journal

IEEE INTERNET OF THINGS JOURNAL
Volume 9, Issue 12, Pages 9934-9947

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/JIOT.2022.3164723

Keywords

Control systems; Poles and towers; Ethanol; Liquids; Process control; Internet of Things; Correlation; Control invariants; intrusion detection system (IDS); programmable logic controllers (PLCs)

Funding

  1. Science and Technology Innovation 2030 Program [2018AAA0101605]
  2. National Natural Science Foundation of China [61833015, 61903328]
  3. Zhejiang Provincial Natural Science Foundation [LZ22F030010]
  4. UC Denver


PLC-Sleuth is an intrusion detection/localization system for PLCs based on control invariants and control graphs, which has shown high accuracy and effectiveness in detecting and localizing intrusions during testing.

Programmable logic controllers (PLCs), i.e., the core of control systems, are well known to be vulnerable to a variety of cyber attacks. To mitigate this issue, we design PLC-Sleuth, a novel noninvasive intrusion detection/localization system for PLCs, which is built on a set of control invariants (i.e., the correlations between sensor readings and the concomitantly triggered PLC commands) that exist pervasively in all control systems. Specifically, taking the system's supervisory control and data acquisition log as input, PLC-Sleuth abstracts/identifies the system's control invariants as a control graph using data-driven structure learning, and then monitors the weights of the graph edges to detect anomalies in them, which are, in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both an ethanol distillation system (EDS) platform and a realistically simulated Tennessee Eastman (TE) process. The results show that PLC-Sleuth can: 1) identify control invariants with 100%/98.11% accuracy for EDS/TE; 2) detect PLC intrusions with 98.33%/0.85 parts per thousand true/false positives (TPs/FPs) for EDS and 100%/0% TP/FP for TE; and 3) localize intrusions with 93.22%/96.76% accuracy for EDS/TE.
