The ICS security monitoring system based on side channel analysis

Introduction



Industrial control system (ICS) is widely used in critical infrastructures, which makes it a popular target for attacks to cause catastrophic physical damage. As one of the most critical components in ICS, programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. Meanwhile, the number of attacks targeted at PLCs has increased noticeably during last few years, showing the vulnerability of PLC and the importance of PLC protection.



This work focuses on analyzing the side channel signals while PLC is running, such as power consumption, EMI, acoustic, thermal and so on. Through analyzing those side channel signals, we are able to detect the malicious software execution in PLC with a non-invasive manner. Besides, we can detect both existing attacks and the ones that may emerge overtime with side channel signals. Thus, we can augment the security of ICS effectively with little effect on the original systems.

We have already achieved a high detection accuracy through power analysis. We measured the power consumption through inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions, and then we extract a discriminative feature set from the power trace, and train a long short-term memory (LSTM) neural network with the features of normal samples to achieve anomaly detection. Thus, we can detect the attacks against ICS. Below is a GUI for real time PLC monitoring.



Publications

The PLC security monitor system based on side-channel information (in Chinese).

NIPAD: a non-invasive power-based anomaly detection scheme for programmable logic controllers. (accepted by Frontiers of Information Technology & Electronic Engineering)