Date of Award
Doctor of Philosophy (PhD)
David J. Coe
J. Iwan D. Alexander
Process control., Computer security., Cyberterrorism -- Prevention.
Highly notable cyber-attacks, such as Stuxnet and the Maroochy attack, have targeted critical infrastructure with the goal of affecting physical processes to cause harm. This work presents a payload analysis-based Intrusion Prevention System (IPS) to detect similar attacks by predicting what harm the attacks could cause to the physical process. The IPS developed is called the Embedded Process Prediction Intrusion Prevention System (EPPIPS). EPPIPS will examine incoming command packets and programs that are destined for a Programmable Logic Controller (PLC) that interacts with a physical process. If EPPIPS predicts these packets or programs to be harmful, EPPIPS can potentially prevent or limit the harm. EPPIPS consists of a module that examines the packets that would alter settings or actuators and incorporates a model of the physical process to aid in predicting the effect of processing the command. Specifically, EPPIPS determines whether a safety violation would occur for critical variables in the physical system. Simulation of both the physical system model and a process running a copy of real PLC ladder logic is performed in EPPIPS. Uploaded programs will be evaluated to determine whether the programs would cause a safety violation, laying the groundwork for later research into malware analysis in cyber-physical systems. EPPIPS resides inside the PLC itself as a proxy process between the actual PLC process and the network. This placement and implementation are similar to the "on the edge" approach for an IPS. The purpose of this approach is to serve as the innermost layer of defense relative to the PLC for cyber-attacks in a defense in depth strategy. Defenses on the outer layers may include mitigations such as encryption and firewalls. EPPIPS acts as a last line of defense against cyber-attacks that affect a physical process under the PLC's control.
Since EPPIPS incorporates a PLC process to make predictions within the PLC hardware, this work’s unique approach encompasses a PLC model within a PLC. This work seeks to eliminate or minimize the number of manual specifications through system identification and machine learning to generate models. This allows the IPS to be more generic and deployable. Another contribution of this work is a broader and more general understanding of the threat model that causes unsafe or inefficient consequences in cyber-physical systems. The metrics used when evaluating the results in this work included latency and the accuracy of the predictions.
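The abstract describes the core mechanism at a high level: a proxy in front of the PLC takes each process-altering packet (a setpoint write or an uploaded program), runs the PLC logic against a model of the physical process, and blocks the packet if a critical variable is predicted to leave its safety envelope, recording the latency of that decision. The following Python sketch is an added illustration of that idea and is not code from the dissertation. The tank model, the bang-bang ladder-logic stand-in, the packet format and the safety limits are all constructed here; the real system identifies its model from data and runs actual ladder logic, which this example does not reproduce.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed safety envelope for the single critical variable (tank level, metres).
SAFE_MIN, SAFE_MAX = 0.25, 1.8


@dataclass
class TankModel:
    """Constructed first-order process model: a tank with a controllable inlet
    valve and a fixed drain. Stands in for the identified physical-system model."""
    level: float            # current level in metres
    inflow_per_open: float  # level gain per control step when the inlet valve is fully open
    outflow: float          # level loss per control step through the fixed drain

    def step(self, valve_open: float) -> float:
        """Advance one control step; the level cannot go below empty."""
        self.level = max(0.0, self.level + valve_open * self.inflow_per_open - self.outflow)
        return self.level


def bang_bang_logic(level: float, setpoint: float) -> float:
    """Constructed stand-in for the PLC's ladder logic: open the valve fully
    while the level is below the setpoint, otherwise close it."""
    return 1.0 if level < setpoint else 0.0


def predict_violation(model: TankModel, logic: Callable[[float, float], float],
                      setpoint: float, horizon: int = 200) -> Optional[int]:
    """Run the control logic against a copy of the process model for `horizon`
    steps and return the first step at which the level leaves the safe envelope,
    or None if it stays safe for the whole horizon. The live model is not mutated."""
    sim = TankModel(model.level, model.inflow_per_open, model.outflow)
    for t in range(horizon):
        lvl = sim.step(logic(sim.level, setpoint))
        if lvl < SAFE_MIN or lvl > SAFE_MAX:
            return t
    return None


def inspect_packet(model: TankModel, current_logic: Callable[[float, float], float],
                   current_setpoint: float, packet: dict) -> dict:
    """Proxy decision for one inbound packet. The packet format is constructed:
    {"kind": "write_setpoint", "value": float} changes the setpoint the current
    logic tracks; {"kind": "upload_program", "logic": callable} replaces the logic.
    Anything else is treated as non-altering traffic and allowed."""
    start = time.perf_counter()
    if packet["kind"] == "write_setpoint":
        t = predict_violation(model, current_logic, packet["value"])
    elif packet["kind"] == "upload_program":
        t = predict_violation(model, packet["logic"], current_setpoint)
    else:
        t = None
    latency_ms = (time.perf_counter() - start) * 1000.0  # the latency metric the abstract mentions
    action = "allow" if t is None else "block"
    return {"action": action, "violation_step": t, "latency_ms": latency_ms}


if __name__ == "__main__":
    tank = TankModel(level=1.0, inflow_per_open=0.05, outflow=0.02)
    packets = [
        {"kind": "write_setpoint", "value": 1.2},                   # stays inside the envelope
        {"kind": "write_setpoint", "value": 2.5},                   # would overfill the tank
        {"kind": "write_setpoint", "value": 0.0},                   # would drain it below the minimum
        {"kind": "upload_program", "logic": lambda lvl, sp: 1.0},   # program holds the valve open regardless of setpoint
        {"kind": "read_register", "address": 40001},                # constructed read; passes through
    ]
    for pkt in packets:
        print(pkt["kind"], inspect_packet(tank, bang_bang_logic, 1.0, pkt))
```

The simulation horizon and the choice of which variables count as critical are the manual specifications the abstract says the work tries to minimise; here they are hard-coded only to keep the example self-contained.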
Werth, Aaron W., "Evaluation of an embedded process prediction intrusion prevention system for industrial control systems" (2020). Dissertations. 230.