
      PLCBlockMon: Data Logging and Extraction on PLCs for Cyber Intrusion Detection

      5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)
      ICS & SCADA Cyber Security Research
      29 - 30 August 2018
      Keywords: Industrial Control Systems, Cyber Security, Logging and Extraction, PLC, Intrusion Detection


            The threat landscape for industrial control systems is ever-expanding and these systems have proven to be attractive targets for cyber attackers. Programmable Logic Controllers are major components in ICSs and hence need to be well-protected and monitored. By examining the existing research in this field we found that there is a void in comprehensive analysis of data logging and extraction features on industrial devices. However, analysis of these features and evaluation of their applicability for cyber intrusion detection would significantly facilitate their adoption by intrusion detection tools. In order to close the gap, we analyzed the logging and extraction capabilities of the Siemens S7-1200 PLC and HMI panel. We implemented a PLC logic for data logging called PLCBlockMon. In this paper, we provide guidelines for its usage and demonstrate its applicability for cyber intrusion detection in selected scenarios.


            Author and article information

            Publication date: August 2018
            Pages: 102-111
            [1] AIT Austrian Institute of Technology, Center for Digital Safety & Security, Vienna, Austria
            [2] Queen’s University Belfast, Center for Secure Information Technologies, Belfast, UK
            © Findrik et al. Published by BCS Learning and Development Ltd. Proceedings of ICS & SCADA 2018

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            University of Hamburg, Germany
            Electronic Workshops in Computing (eWiC)

            ISSN: 1477-9358, BCS Learning & Development

            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2018.12
            Self URI (journal page): https://ewic.bcs.org/

            Subject areas: Applied computer science, Computer science, Security & Cryptology, Graphics & Multimedia design, General computer science, Human-computer-interaction



