| Popis: |
Attacks on industrial control systems (ICS) have been intensively studied during the last decade. Malicious alternations of ICS can appear in several different ways, e.g. in changed network traffic patterns or in modified data stored on ICS components. While several heuristics and machine learning methods have been proposed to analyze different types of ICS data regarding anomalies, no work is known that uses the data of Totally Integrated Automation (TIA) Portal for anomaly detection. TIA Portal is a popular software system for organizing the ICS, with which configuration and programming data can be viewed, changed and deleted. By saving the single project datasets historically, old versions of the current system configurations can be restored. In this initial work, we propose heuristics that detect anomalies in the TIA Portal data. In particular do we analyze the historical modifications within TIA Portal data by investigating long-term backups. Our approach covers both, changes to the data caused by infiltrated attacks as well as malicious changes made by employees who have direct access to the machines. We therefore started to examine real TIA Portal project data of an automotive manufacturer’s production line, covering a period of about three years of historical data, for various features that may indicate anomalies. |
