Goosewolf: An Embedded Intrusion Detection System for Advanced Programmable Logic Controllers

Critical infrastructures are making increasing use of digital technology for process control. While there are benefits, such as increased efficiency and new functionality, digitalization also introduces the risk of cyber-attacks to systems that support critical functions. A valuable target in these Industrial Control Systems (ICSs) are the Programmable Logic Controllers (PLCs) controlling the machinery that manages a physical process. PLCs have proven to be vulnerable to a range of cyber-attacks in the past; however, newer technologies such as embedded servers and virtualization have the potential to improve this situation and be used to monitor a PLC’s function. In this article, the implementation of a Host-based Intrusion Detection System (HIDS) for a modern PLC is described. This method uniquely makes use of native technologies on the PLC to monitor a dynamic simulated process in real time. Both the PLC’s integrity (checksum, file size, etc.) and the process control are monitored to determine whether the PLC has been compromised in a cyber-attack. The proposed solution detects a range of attacks, even when the PLC’s control logic is compromised and—unlike previous PLC HIDS methods—requires no modification of the underlying PLC technology.