A digital twin internal to a PLC to detect malicious commands and ladder logic that potentially cause safety violations

Research output: Contribution to journal › Article › peer-review

5 Scopus citations

Abstract

This work presents an Intrusion Prevention System (IPS) called the Embedded Process Prediction Intrusion Prevention System (EPPIPS) to detect cyber-attacks by predicting what harm the attacks could cause to the physical process in critical infrastructure. EPPIPS is a digital twin internal to a Programmable Logic Controller (PLC). EPPIPS examines incoming command packets and programs sent to the PLC. If EPPIPS predicts these packets or programs to be harmful, EPPIPS can potentially prevent or limit the harm. EPPIPS consists of a module that examines the packets that would alter settings or actuators and incorporates a model of the physical process to aid in predicting the effect of processing the command. Specifically, EPPIPS determines whether a safety violation would occur for critical variables in the physical system. Experiments were performed on virtual testbeds involving a water tank and pipeline with a variety of command-injection attacks to determine the classification accuracy of EPPIPS. Also, uploaded programs, including time and logic bombs, were evaluated on whether the programs were unsafe. The results show EPPIPS is effective in predicting effects of setting changes in the PLC. EPPIPS's accuracy is 98% for the water tank and 96% for the pipeline.

Original language: English
Pages (from-to): 53-82
Number of pages: 30
Journal: Journal of Cyber Security Technology
Volume: 7
Issue number: 2
State: Published - 2023

Keywords

  • digital twin
  • SCADA
  • specification-based intrusion prevention system
