Abstract
Industrial control systems are used to monitor and operate critical infrastructure. For decades, the security of industrial control systems rested on their use of proprietary hardware and software and on their physical separation from other networks. However, to reduce costs and improve interconnectivity, modern industrial control systems increasingly use commodity hardware and software and are connected to vendor and corporate networks, and even to the Internet. These trends expose industrial control systems to risks that they were never designed to handle.
This chapter describes a novel approach for enhancing industrial control system security and forensics by adding monitoring and logging mechanisms to programmable logic controllers, the key components of industrial control systems. A proof-of-concept implementation is presented using a popular Siemens programmable logic controller. Experiments were conducted to compare the accuracy and performance impact of the proposed method against the conventional method of polling the programmable logic controller from an external host. The experimental results demonstrate that the new method yields increased anomaly detection coverage and accuracy with only a small performance impact. In addition, the new method detects anomalies sooner and reduces network overhead, enabling forensic investigations of programmable logic controllers to be conducted more efficiently and effectively.
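The abstract contrasts two ways of observing a PLC: an external host that polls controller memory at a fixed interval, and a logging mechanism that runs on the controller itself. The simulation below is an added illustration of why that distinction matters for coverage, detection latency and network traffic; it is not the chapter's implementation and makes no claim about how the authors' Siemens proof-of-concept works. The toy scan-cycle model, the `Q0.0` output bit, the attacker's forced value, the 50-scan polling interval and the rule that the in-PLC log records a variable only when its value changes are all constructed assumptions.

```python
"""Polling versus PLC-resident change logging, as a toy scan-cycle simulation.

Constructed example (not the chapter's code): a simulated PLC executes a
cyclic scan. During a few scans an attacker forces a monitored output bit
to 1. An external poller reads the bit over the network every POLL_EVERY
scans; the in-PLC logger appends a record at the end of every scan in
which the bit changed. All names and timings are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Event:
    scan: int   # scan cycle in which the change was observed
    name: str   # variable name, e.g. the output bit "Q0.0"
    old: int
    new: int


class ToyPLC:
    """Minimal cyclic PLC with one output bit and a resident change log."""

    def __init__(self):
        self.scan = 0
        self.memory = {"Q0.0": 0}          # assumed pump-run bit, initially off
        self._prev = dict(self.memory)      # values at the end of the last scan
        self.log = []                       # PLC-resident change log (assumed)
        self.network_reads = 0              # reads served to the external poller

    def run_scan(self, forced=None):
        """One scan: run the (trivial) program, apply any forced value, log changes."""
        self.scan += 1
        self.memory["Q0.0"] = 0             # legitimate logic keeps the pump off
        if forced:                          # attacker-forced value wins this scan
            self.memory.update(forced)
        for name, value in self.memory.items():
            if value != self._prev[name]:   # log only on change, so the log grows
                self.log.append(Event(self.scan, name, self._prev[name], value))
        self._prev = dict(self.memory)

    def read_remote(self, name):
        """A poll from the engineering/monitoring host; costs one network read."""
        self.network_reads += 1
        return self.memory[name]


def simulate(total_scans=1000, force_from=301, force_len=3, poll_every=50):
    """Run the scenario and return what each observer saw.

    The attacker forces Q0.0 = 1 for scans force_from .. force_from+force_len-1.
    """
    plc = ToyPLC()
    poll_events = []
    last_polled = plc.memory["Q0.0"]
    for _ in range(total_scans):
        next_scan = plc.scan + 1
        forced = {"Q0.0": 1} if force_from <= next_scan < force_from + force_len else None
        plc.run_scan(forced)
        if plc.scan % poll_every == 0:      # external poller samples the bit
            value = plc.read_remote("Q0.0")
            if value != last_polled:        # poller can only infer a change between samples
                poll_events.append(Event(plc.scan, "Q0.0", last_polled, value))
                last_polled = value
    return {
        "polling_events": poll_events,
        "polling_reads": plc.network_reads,
        "plc_log": plc.log,
        # scans between the attack starting and each observer first noticing it
        "polling_latency": (poll_events[0].scan - force_from) if poll_events else None,
        "plc_log_latency": (plc.log[0].scan - force_from) if plc.log else None,
    }


if __name__ == "__main__":
    for label, kwargs in [("3-scan force", {}), ("120-scan force", {"force_len": 120})]:
        r = simulate(**kwargs)
        print(f"{label}: poller saw {len(r['polling_events'])} change(s) in "
              f"{r['polling_reads']} reads (latency {r['polling_latency']}); "
              f"PLC log holds {len(r['plc_log'])} record(s) (latency {r['plc_log_latency']})")
```

With the default parameters the forced value lasts three scans and falls between two polls, so the poller never sees it while the PLC log records both the 0 to 1 and the 1 to 0 transition in the scan they occur. A longer 120-scan force is caught by polling, but only at the next sample, and the poller still spends one network read per interval whether or not anything changed, whereas the log grows only with actual changes.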
© 2018 IFIP International Federation for Information Processing
Cite this paper
Chan, CF., Chow, KP., Yiu, SM., Yau, K. (2018). Enhancing the Security and Forensic Capabilities of Programmable Logic Controllers. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_19
DOI: https://doi.org/10.1007/978-3-319-99277-8_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8