
Detecting Anomalous Programmable Logic Controller Events Using Process Mining

Conference paper in Critical Infrastructure Protection XV (ICCIP 2021), part of the book series IFIP Advances in Information and Communication Technology (IFIPAICT, volume 636).

Abstract

Programmable logic controllers that monitor and control industrial processes are attractive targets for cyber attackers. Although techniques and tools have been developed for detecting anomalous programmable logic controller behavior, they rely heavily on knowledge of the complex programmable logic controller control programs that perform process monitoring and control. To address this limitation, this chapter describes an automated process mining methodology that relies on event logs comprising programmable logic controller inputs and outputs. The methodology discovers a process model of normal programmable logic controller behavior, which is used to detect anomalous behavior and support forensic investigations. Experiments involving a popular Siemens SIMATIC S7-1212C programmable logic controller and a simulated traffic light system demonstrate the utility and effectiveness of the methodology.
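As an added illustration (not the chapter's own code or its exact discovery algorithm), the following Python sketch shows the idea stated in the abstract: a process model is discovered from an event log of normal PLC behaviour, then new traces are conformance-checked against it and every deviation is reported as anomalous. The traffic-light states and the log are constructed here, and the directly-follows model is a simplifying assumption standing in for the richer process model the chapter discovers with process mining tools.

```python
from collections import defaultdict

# Constructed event log for a simulated traffic-light PLC (illustrative values,
# not data from the chapter). Each trace is one cycle of PLC output states,
# where a state names the lamps that are switched on.
NORMAL_LOG = [
    ["Red", "RedAmber", "Green", "Amber", "Red"],
    ["Red", "RedAmber", "Green", "Amber", "Red"],
    ["Red", "RedAmber", "Green", "Green", "Amber", "Red"],  # longer green phase
]


def discover_model(log):
    """Discover a directly-follows model from normal traces (assumption:
    a simplified stand-in for a mined process model). Records which state
    may directly follow which, plus the observed start and end states."""
    follows = defaultdict(set)
    starts, ends = set(), set()
    for trace in log:
        starts.add(trace[0])
        ends.add(trace[-1])
        for current, nxt in zip(trace, trace[1:]):
            follows[current].add(nxt)
    return {"follows": dict(follows), "starts": starts, "ends": ends}


def check_trace(model, trace):
    """Conformance check of one trace; returns a list of deviations.
    An empty list means the trace replays on the model without anomaly."""
    deviations = []
    if trace[0] not in model["starts"]:
        deviations.append(("bad_start", trace[0]))
    for current, nxt in zip(trace, trace[1:]):
        if nxt not in model["follows"].get(current, set()):
            deviations.append(("unexpected_transition", current, nxt))
    if trace[-1] not in model["ends"]:
        deviations.append(("bad_end", trace[-1]))
    return deviations


def detect_anomalies(model, log):
    """Map trace index -> deviations for every non-conforming trace in log."""
    return {i: d for i, t in enumerate(log) if (d := check_trace(model, t))}


if __name__ == "__main__":
    model = discover_model(NORMAL_LOG)
    suspect = [["Red", "RedAmber", "Green", "Amber", "Red"],  # normal
               ["Red", "Green", "Amber", "Red"],              # skips RedAmber
               ["Red", "RedAmber", "Green"]]                  # cycle cut short
    for idx, devs in detect_anomalies(model, suspect).items():
        print(f"trace {idx} anomalous: {devs}")
```

A directly-follows model is deliberately permissive (it accepts any walk over observed transitions, including loops never seen as a whole), so a real deployment would mine a stricter model and also check timing between events, which this sketch ignores.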




Correspondence to Kam-Pui Chow .


Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper

Cite this paper

Yau, K., Chow, KP., Yiu, SM. (2022). Detecting Anomalous Programmable Logic Controller Events Using Process Mining. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XV. ICCIP 2021. IFIP Advances in Information and Communication Technology, vol 636. Springer, Cham. https://doi.org/10.1007/978-3-030-93511-5_6

  • DOI: https://doi.org/10.1007/978-3-030-93511-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93510-8

  • Online ISBN: 978-3-030-93511-5

  • eBook Packages: Computer Science (R0)
