Inventors at Georgia Tech have developed a security framework whose software functions as a network monitoring and intrusion detection system for ICS networks and connected devices such as programmable logic controllers (PLCs). The system monitors network traffic, parses control-system-specific network protocols, and raises alerts on changes to network communication patterns. This information is displayed in a web-based GUI. The system includes methods for detecting a program change, whether accidental or malicious, from variation in a PLC's scan cycle times. The proposed work also embodies a passive fingerprinting technique that uses the control messages on the ICS network to infer a device's type or operating condition. Variations in physical characteristics produce a unique physical response and behavior from each device, which creates a unique fingerprint.
- Versatile - has many potential applications
- Immediate Feedback - changes to system can be identified in real time
- Power generation, transmission, and distribution
- Oil and gas distribution
- Water treatment
- Navy ships’ industrial control systems
- Army refueling centers
- Supervisory control and data acquisition (SCADA)
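As an added illustration of the scan-cycle-time idea described above (example code, not part of the Georgia Tech framework): a baseline window of cycle times is profiled, and a later window whose mean drifts by more than a set number of baseline standard deviations raises a program-change alert. The cycle-time values, window size, and threshold are constructed assumptions.

```python
"""Scan-cycle-time program-change detector (illustrative example, not the
framework's code).

A PLC's scan cycle time depends on the logic it executes, so a modified
program shifts the cycle-time distribution. Cycle times are in milliseconds
and are constructed here; in practice they would be measured from the PLC or
inferred from timestamps of its periodic network messages.
"""
from statistics import mean, pstdev

# Constructed baseline: a PLC running its original program, ~10.00 ms per scan.
BASELINE_MS = [10.00, 10.02, 9.98, 10.01, 9.99, 10.03, 10.00, 9.97, 10.02, 10.01]
# Constructed window after a logic change: extra rungs add ~0.4 ms per scan.
CHANGED_MS = [10.41, 10.43, 10.39, 10.42, 10.40, 10.44, 10.41, 10.38, 10.43, 10.42]
# Constructed window with only normal jitter (no program change).
NORMAL_MS = [10.01, 9.99, 10.02, 10.00, 9.98, 10.03, 10.01, 9.99, 10.00, 10.02]


def baseline_profile(samples):
    """Return (mean, std) of the baseline scan cycle times. The std is floored
    (assumed 5 us) so an extremely stable PLC does not alert on noise alone."""
    return mean(samples), max(pstdev(samples), 0.005)


def detect_program_change(profile, window, k=4.0):
    """Flag a window whose mean scan time drifts more than k baseline standard
    deviations from the baseline mean. Returns (alert, z_score)."""
    mu, sigma = profile
    z = (mean(window) - mu) / sigma
    return abs(z) > k, z


def scan_stream(profile, stream, window_size=10, k=4.0):
    """Slide a non-overlapping window over a stream of cycle times and return
    the start indices of the windows that trigger a program-change alert."""
    alerts = []
    for start in range(0, len(stream) - window_size + 1, window_size):
        alert, _ = detect_program_change(profile, stream[start:start + window_size], k)
        if alert:
            alerts.append(start)
    return alerts


if __name__ == "__main__":
    profile = baseline_profile(BASELINE_MS)
    for label, window in (("normal", NORMAL_MS), ("changed", CHANGED_MS)):
        alert, z = detect_program_change(profile, window)
        print(f"{label}: alert={alert} z={z:.1f}")
    print("alerting windows:", scan_stream(profile, NORMAL_MS + CHANGED_MS))
```

The threshold k should be tuned per device from an observed baseline, since scan-time jitter differs between PLC models and programs.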
Cyber-based compromises can lead to loss of life, widespread blackouts, and environmental disasters. To secure these networks, you must know which devices have access and whether malware is present on a critical industrial control system (ICS). Another important element is the ability to quickly restore critical software when an attack occurs. ICSs have several constraints that make securing them very challenging, including the inability to upgrade legacy equipment, components located remotely with little physical security, and the necessity to be online at all times. This calls for novel but practical techniques that can serve as an overlay on existing ICS networks to improve their security.