
postgraduate thesis: Enhancing PLC logging and abnormality detection through machine learning and process mining

Title: Enhancing PLC logging and abnormality detection through machine learning and process mining
Authors: Chan, Chun Fai [陳俊輝]
Advisor(s): Chow, KP
Issue Date: 2024
Publisher: The University of Hong Kong (Pokfulam, Hong Kong)
Citation: Chan, C. F. [陳俊輝]. (2024). Enhancing PLC logging and abnormality detection through machine learning and process mining. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR.
Abstract: Industrial control systems (ICS) serve as the backbone of contemporary infrastructure, making their protection against cyber-attacks of the utmost importance. Among the various components of ICS, Programmable Logic Controllers (PLCs) play a critical role in controlling and supervising industrial processes. However, PLCs are vulnerable to cyber-attacks that can inflict significant damage on industrial processes and even threaten human life. Consequently, accurate identification of abnormal behaviours in PLCs is essential to enhance their cybersecurity. The primary objective of this thesis is to reinforce the cybersecurity of industrial control systems by improving the logging capability of PLCs and utilizing the obtained higher-quality data to improve the accuracy of analysis through the application of advanced machine learning and process mining algorithms. To achieve this aim, the thesis provides a comprehensive review of existing research on abnormality detection in PLCs and their security concerns. It further identifies the inadequacies of current methods for data collection and abnormal behaviour detection in PLCs. To address these limitations, the thesis introduces three contributions: 1) a novel framework for enhancing PLC’s logging, together with a new data pre-processing methodology that includes data selection, collection, filtering, and conversion. 2) Subsequently, an unsupervised machine learning model is trained using the extracted data to detect abnormal behaviours in the PLC system with precision. 3) Furthermore, the study explores the use of process mining techniques to visualize the detected anomalies and identify their impact on the system. The proposed framework is evaluated using two case studies, namely a simulated memory injection attack and a simulated time bomb attack.
The results demonstrate that the proposed framework can accurately identify abnormal behaviours with high precision and recall rates, while ensuring the extraction of consistent data from PLCs for forensic investigations. (286 words)
Degree: Doctor of Philosophy
Subject: Programmable controllers; Machine learning; Data mining
Dept/Program: Computer Science
Persistent Identifier: http://hdl.handle.net/10722/341555

 

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Chow, KP | - |
| dc.contributor.author | Chan, Chun Fai | - |
| dc.contributor.author | 陳俊輝 | - |
| dc.date.accessioned | 2024-03-18T09:55:54Z | - |
| dc.date.available | 2024-03-18T09:55:54Z | - |
| dc.date.issued | 2024 | - |
| dc.identifier.citation | Chan, C. F. [陳俊輝]. (2024). Enhancing PLC logging and abnormality detection through machine learning and process mining. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. | - |
| dc.identifier.uri | http://hdl.handle.net/10722/341555 | - |
| dc.description.abstract | Industrial control systems (ICS) serve as the backbone of contemporary infrastructure, making their protection against cyber-attacks of the utmost importance. Among the various components of ICS, Programmable Logic Controllers (PLCs) play a critical role in controlling and supervising industrial processes. However, PLCs are vulnerable to cyber-attacks that can inflict significant damage on industrial processes and even threaten human life. Consequently, accurate identification of abnormal behaviours in PLCs is essential to enhance their cybersecurity. The primary objective of this thesis is to reinforce the cybersecurity of industrial control systems by improving the logging capability of PLCs and utilizing the obtained higher-quality data to improve the accuracy of analysis through the application of advanced machine learning and process mining algorithms. To achieve this aim, the thesis provides a comprehensive review of existing research on abnormality detection in PLCs and their security concerns. It further identifies the inadequacies of current methods for data collection and abnormal behaviour detection in PLCs. To address these limitations, the thesis introduces three contributions: 1) a novel framework for enhancing PLC’s logging, together with a new data pre-processing methodology that includes data selection, collection, filtering, and conversion. 2) Subsequently, an unsupervised machine learning model is trained using the extracted data to detect abnormal behaviours in the PLC system with precision. 3) Furthermore, the study explores the use of process mining techniques to visualize the detected anomalies and identify their impact on the system. The proposed framework is evaluated using two case studies, namely a simulated memory injection attack and a simulated time bomb attack. The results demonstrate that the proposed framework can accurately identify abnormal behaviours with high precision and recall rates, while ensuring the extraction of consistent data from PLCs for forensic investigations. (286 words) | - |
| dc.language | eng | - |
| dc.publisher | The University of Hong Kong (Pokfulam, Hong Kong) | - |
| dc.relation.ispartof | HKU Theses Online (HKUTO) | - |
| dc.rights | The author retains all proprietary rights, (such as patent rights) and the right to use in future works. | - |
| dc.rights | This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. | - |
| dc.subject.lcsh | Programmable controllers | - |
| dc.subject.lcsh | Machine learning | - |
| dc.subject.lcsh | Data mining | - |
| dc.title | Enhancing PLC logging and abnormality detection through machine learning and process mining | - |
| dc.type | PG_Thesis | - |
| dc.description.thesisname | Doctor of Philosophy | - |
| dc.description.thesislevel | Doctoral | - |
| dc.description.thesisdiscipline | Computer Science | - |
| dc.description.nature | published_or_final_version | - |
| dc.date.hkucongregation | 2024 | - |
| dc.identifier.mmsid | 991044781605403414 | - |
