PLC-Sleuth: Detecting and Localizing PLC Intrusions Using Control Invariants

Authors: 

Zeyu Yang, Zhejiang University; Liang He, University of Colorado Denver; Peng Cheng and Jiming Chen, Zhejiang University; David K.Y. Yau, Singapore University of Technology and Design; Linkang Du, Zhejiang University

Abstract: 

Programmable Logic Controllers (PLCs) are the ground of control systems, which are however, vulnerable to a variety of cyber attacks, especially for networked control systems. To mitigate this issue, we design PLC-Sleuth, a novel non-invasive intrusion detection/localization system for PLCs, grounding on a set of control invariants — i.e., the correlations between sensor readings and the concomitantly triggered PLC commands — that exist pervasively in all control systems. Specifically, taking the system’s Supervisory Control and Data Acquisition log as input, PLC-Sleuth abstracts/identifies the system’s control invariants as a control graph using data-driven structure learning, and then monitors the weights of graph edges to detect anomalies thereof, which is in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both a prototype of Secure Ethanol Distillation System (SEDS) and a realistically simulated Tennessee Eastman (TE) process.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {259689,
author = {Zeyu Yang and Liang He and Peng Cheng and Jiming Chen and David K.Y. Yau and Linkang Du},
title = {{PLC-Sleuth}: Detecting and Localizing {PLC} Intrusions Using Control Invariants},
booktitle = {23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)},
year = {2020},
isbn = {978-1-939133-18-2},
address = {San Sebastian},
pages = {333--348},
url = {https://www.usenix.org/conference/raid2020/presentation/yang},
publisher = {USENIX Association},
month = oct
}