Research field: Analysis
Conference: International Conference on Critical Infrastructure Protection
Cyber-physical systems incorporate powerful devices that are used to monitor and control physical processes. These devices, along with collectable statistics, can be leveraged as sensors for network-based and host-based anomaly detection. Host-based anomaly detection can be used in a defense-in-depth strategy to complement traditional network-based anomaly detection systems as well as in systems for which network-based options are infeasible due to their operating environments. This chapter discusses the development of an anomaly detection system for a SEL-3505 RTAC programmable logic controller using the recommended IEC 61131 programming tools. The required device statistics are harvested by creating a Modbus server on the test system and polling the server to retrieve data. The collected data is used to create a representative fingerprint for the associated task. When the measured behavior differs from the fingerprint, an anomaly is detected and an alarm is raised. This approach is flexible and easily implemented in existing installations. The performance of the anomaly detection system is evaluated against several network-based attacks across multiple firmware revisions and project types. Recommendations are made to improve anomaly detection performance.
| Publication year | 2022 |
|---|---|
| Citations | 0 |
| Country of publication | United States |
| Site | Springer |