Abstract
Supervisory control and data acquisition (SCADA) systems have been employed for decades to communicate with and coordinate industrial processes. These systems incorporate numerous programmable logic controllers (PLCs) that manage the operation of industrial equipment based on sensor information. Because of the important roles that PLCs play in industrial facilities, these microprocessor-based devices are exposed to serious cyber threats.
This chapter describes a methodology that leverages unsupervised machine learning to monitor the states of PLCs in order to uncover latent defects and anomalies. The methodology employs a one-class support vector machine that is trained only on observations of normal PLC states; it is therefore not tied to specific attack scenarios and does not require detailed knowledge of the control logic. A case study involving a traffic light simulation demonstrates that anomalies are detected with high accuracy, enabling prompt mitigation of the underlying problems.
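To make the approach concrete, the following is an added worked example; it is not the chapter's code, data or parameters. It constructs a traffic-light PLC cycle, encodes each state snapshot (lamp outputs plus phase timer) as a feature vector, trains a one-class SVM on snapshots of the normal cycle only, and then scores unseen states. The solver is a small projected-gradient implementation of the one-class SVM dual so that the example runs without dependencies; scikit-learn's OneClassSVM (libsvm) is the library equivalent a production system would use. The intersection phases and durations, the feature encoding, the RBF width gamma=2 and nu=0.05 are all assumptions chosen for this example.

```python
"""One-class SVM anomaly detection over PLC state snapshots of a simulated
traffic light. Added example; the cycle, features and parameters are assumed."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed two-road intersection: (NS lamp, EW lamp, phase length in s).
# The PLC holds one phase at a time; this cycle is an assumption for the example.
NORMAL_CYCLE: List[Tuple[str, str, int]] = [
    ("green", "red", 30), ("yellow", "red", 4), ("red", "red", 2),
    ("red", "green", 30), ("red", "yellow", 4), ("red", "red", 2),
]
LAMPS = ("red", "yellow", "green")
MAX_PHASE_SECONDS = 30.0  # longest normal phase; scales the timer feature


def encode_state(ns: str, ew: str, seconds_in_phase: float) -> List[float]:
    """Feature vector: one-hot NS lamp, one-hot EW lamp, scaled phase timer.
    A lamp name outside LAMPS (e.g. "off") encodes 'no lamp lit'."""
    vec = [1.0 if ns == lamp else 0.0 for lamp in LAMPS]
    vec += [1.0 if ew == lamp else 0.0 for lamp in LAMPS]
    vec.append(seconds_in_phase / MAX_PHASE_SECONDS)
    return vec


def normal_snapshots(cycle=NORMAL_CYCLE) -> List[List[float]]:
    """One snapshot per second over a full normal cycle: the training set."""
    return [encode_state(ns, ew, t) for ns, ew, dur in cycle for t in range(dur)]


def rbf(a: Sequence[float], b: Sequence[float], gamma: float) -> float:
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))


def project_capped_simplex(v: Sequence[float], cap: float) -> List[float]:
    """Euclidean projection onto {a : 0 <= a_i <= cap, sum(a) = 1}: bisect on
    the threshold tau in a_i = clip(v_i - tau, 0, cap) until sum(a) = 1."""
    lo, hi = min(v) - cap, max(v)  # sum(a) is 1/nu >= 1 at lo and 0 at hi
    for _ in range(60):
        tau = (lo + hi) / 2
        if sum(min(max(x - tau, 0.0), cap) for x in v) > 1.0:
            lo = tau
        else:
            hi = tau
    return [min(max(x - hi, 0.0), cap) for x in v]


class OneClassSVM:
    """One-class SVM (Schoelkopf et al.) trained on normal states only.
    Dual:  min 1/2 a^T K a   s.t.  0 <= a_i <= 1/(nu*n),  sum(a) = 1,
    solved by projected gradient descent (a dependency-free stand-in for the
    libsvm solver behind scikit-learn's OneClassSVM)."""

    def __init__(self, nu: float = 0.05, gamma: float = 2.0, iterations: int = 300):
        self.nu, self.gamma, self.iterations = nu, gamma, iterations
        self.support: List[Tuple[float, List[float]]] = []
        self.rho = 0.0

    def fit(self, X: List[List[float]]) -> "OneClassSVM":
        n = len(X)
        cap = 1.0 / (self.nu * n)
        K = [[rbf(x, y, self.gamma) for y in X] for x in X]
        step = 1.0 / max(sum(row) for row in K)  # Gershgorin bound on lambda_max
        alpha = [1.0 / n] * n
        for _ in range(self.iterations):
            grad = [sum(k * a for k, a in zip(row, alpha)) for row in K]
            alpha = project_capped_simplex(
                [a - step * g for a, g in zip(alpha, grad)], cap)
        self.support = [(a, x) for a, x in zip(alpha, X) if a > 1e-12]
        # Offset rho: set empirically so that at most a fraction nu of the
        # training states scores below it (the nu-property of the model);
        # libsvm derives rho from the KKT conditions instead.
        scores = sorted(self.raw_score(x) for x in X)
        self.rho = scores[min(int(self.nu * n), n - 1)]
        return self

    def raw_score(self, x: Sequence[float]) -> float:
        return sum(a * rbf(sv, x, self.gamma) for a, sv in self.support)

    def decision_function(self, x: Sequence[float]) -> float:
        """Positive inside the learned region of normal states, negative outside."""
        return self.raw_score(x) - self.rho

    def is_anomaly(self, x: Sequence[float]) -> bool:
        return self.decision_function(x) < 0.0


def training_false_positives(model: OneClassSVM, X: List[List[float]]) -> int:
    return sum(model.is_anomaly(x) for x in X)


def traffic_light_demo() -> Dict[str, bool]:
    """Train on one normal cycle, then classify constructed probe states."""
    model = OneClassSVM().fit(normal_snapshots())
    probes = {
        "ns_green_mid_phase": encode_state("green", "red", 12.5),  # normal, unseen timer
        "ew_green_mid_phase": encode_state("red", "green", 20.5),  # normal, unseen timer
        "both_green": encode_state("green", "green", 5),    # conflicting outputs
        "ns_green_stuck": encode_state("green", "red", 90),  # phase far past its limit
        "all_lamps_off": encode_state("off", "off", 0),      # outputs forced low
    }
    return {name: model.is_anomaly(x) for name, x in probes.items()}


if __name__ == "__main__":
    for name, flagged in traffic_light_demo().items():
        print(f"{name:22s} {'ANOMALY' if flagged else 'normal'}")
```

Two caveats follow directly from the one-class formulation. First, the model only knows the baseline it was trained on: a legitimate change to the control logic (new phase timings, an added phase) produces alerts until the baseline is retrained, so the training window must be verified clean and the model re-fitted after every sanctioned program change. Second, the detector sees only what is in the snapshot (here lamp outputs and the phase timer), so tampering that keeps those observable values inside the normal envelope is not visible to it; the choice of which PLC memory areas to sample is as important as the classifier.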
© 2019 IFIP International Federation for Information Processing
Cite this paper
Chan, CF., Chow, P., Mak, C., Chan, R. (2019). Detecting Anomalies in Programmable Logic Controllers Using Unsupervised Machine Learning. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XV. DigitalForensics 2019. IFIP Advances in Information and Communication Technology, vol 569. Springer, Cham. https://doi.org/10.1007/978-3-030-28752-8_7
DOI: https://doi.org/10.1007/978-3-030-28752-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28751-1
Online ISBN: 978-3-030-28752-8