Embedded intrusion prevention system for industrial controllers

Inventors

Werth, Aaron W.; Morris, Thomas H.

Assignees

University of Alabama in Huntsville

Publication Number

US-12238120-B1

Publication Date

2025-02-25

Expiration Date

2041-12-10



Abstract

An intrusion prevention system can be embedded in an industrial controller to detect possible attacks on the corresponding physical system of the industrial controller. The intrusion prevention system can analyze the payload of network packets received at the industrial controller and predict what harm the payload of the network packet could cause to the physical system if executed by the industrial controller. To predict how the payload of a network packet may affect the physical system, the intrusion prevention system can perform a simulation with the payload of the network packet. The simulation can incorporate a model of the physical system, a copy of the logic used by the industrial controller and information relating to the current state of the system. The result of the simulation can be new predicted states for the physical system that can be evaluated to determine if a safety violation has occurred.

Core Innovation

The invention describes an intrusion prevention system (IPS) that can be embedded directly into an industrial controller, such as a programmable logic controller (PLC), for an industrial control system. The IPS analyzes the payload of network packets received by the industrial controller, performing a simulation using a model of the physical system, a copy of the control logic, and information about the current state of the system to predict how the payload could affect the physical system if executed. Based on the simulation results, the IPS can evaluate whether executing the packet would result in a safety violation and can prevent execution if a violation is detected.

This addresses a weakness of industrial control systems that rely solely on intrusion detection at the main computers (the supervisory hosts). If a main computer is compromised, an attacker can reach the edge controllers behind it, which typically have no security features of their own. Embedding the IPS in the edge controller adds an innermost defense layer intended to prevent harm to the physical system and processes the controller operates.

The IPS runs as a proxy process within the controller, intercepting every incoming packet before it reaches the process logic, maintaining a reconstruction of the current system state in a shadow memory, and running a predictive simulation before allowing or blocking a potentially dangerous command. The models can include a trained autoregressive moving average (ARMA) model of the physical system and a modified copy of the controller's own logic that operates on the shadow state rather than real I/O, so the effect of the incoming command can be played forward. Predicted outcomes are checked against defined safety specifications; if imminent danger is detected the IPS takes preventative action such as blocking the command, delaying its execution, or alerting users.

Claims Coverage

There are two independent claims covering distinct inventive features related to an embedded intrusion prevention system in industrial controllers.

Intrusion prevention system with predictive simulation in industrial controller

The industrial controller comprises:

- A processor and memory holding process logic that controls and monitors a physical system.
- A communication interface to other nodes in the industrial control system.
- An intrusion prevention system including:
  - A first submodule with communication logic that evaluates received packets and identifies those containing commands for the process logic that change settings.
  - A second submodule that receives those commands from the first submodule and uses a model of the physical system to simulate execution of the command, predicting a future state.
  - Communication logic that evaluates the predicted future state to determine whether a safety violation would occur and controls whether the process logic may execute the command, preventing execution if a violation is detected.

Iterative simulation method for attack detection on controllers

A method comprising:

1. Receiving a packet intended for a controller's process logic, which controls and monitors a physical system.
2. Determining whether the packet includes a command that changes settings in the process logic.
3. Simulating execution of the command using a model of the physical system to predict a future state.
4. Evaluating whether the predicted future state indicates a safety violation.
5. Controlling whether the process logic is allowed to execute the command based on the evaluation, including preventing execution if a violation is detected.

Additional aspects cover use of a modified version of the process logic for simulation, use of a shadow memory as the source of current-state input, and iterative prediction over multiple controller cycles.
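The following is an added worked example of the intercept, simulate, evaluate and allow/block pipeline described under Core Innovation and in the claim steps above. It is example code written for this page, not code from the patent or the inventors. Everything concrete in it is an assumption: the packet tuple format, the register map, the single-tank process with hysteresis pump control, the first-order plant model standing in for a trained ARMA model (coefficients constructed, not fitted), the 90 % safety limit, and the fail-closed handling of writes to unmapped registers.

```python
"""Toy embedded-IPS pipeline for a PLC, modelled on the patent's description.

Added example, not code from the patent or its authors. The packet format, register
map, tank process, plant coefficients and safety limit are all constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SAFETY_MAX_LEVEL = 90.0             # constructed safety specification: tank level must stay <= 90 %
HORIZON = 30                        # controller scan cycles predicted ahead (iterative prediction)
REGISTER_MAP = {40001: "setpoint"}  # constructed: writable registers that count as "settings"


@dataclass(frozen=True)
class ShadowMemory:
    """Mirror of the controller's process image, kept current by the IPS proxy."""
    level: float      # measured tank level, %
    setpoint: float   # level the control logic drives toward, %
    pump_on: bool     # last actuator command


def control_logic(mem: ShadowMemory) -> ShadowMemory:
    """Copy of the controller's scan logic, run against shadow memory instead of real I/O.

    Hysteresis control: pump on below setpoint-2, off above setpoint+2, unchanged in between.
    """
    if mem.level < mem.setpoint - 2.0:
        return replace(mem, pump_on=True)
    if mem.level > mem.setpoint + 2.0:
        return replace(mem, pump_on=False)
    return mem


def plant_model(level: float, pump_on: bool) -> float:
    """Stand-in for the trained ARMA plant model: level[t+1] = 0.97*level[t] + 4*u[t].

    Constructed coefficients: 3 % of the contents drain per cycle, the pump adds 4 % per cycle.
    """
    return 0.97 * level + (4.0 if pump_on else 0.0)


def is_settings_command(packet: tuple) -> bool:
    """First submodule: does the packet carry a command that changes a setting?"""
    return packet[0] == "WRITE" and packet[1] in REGISTER_MAP


def apply_command(mem: ShadowMemory, packet: tuple) -> ShadowMemory:
    """Apply the write to a copy of the state; the real process image is never touched here."""
    field = REGISTER_MAP[packet[1]]
    return replace(mem, **{field: float(packet[2])})


def simulate(mem: ShadowMemory, horizon: int = HORIZON) -> List[float]:
    """Second submodule: alternate control logic and plant model for `horizon` cycles."""
    levels = []
    for _ in range(horizon):
        mem = control_logic(mem)                                        # what the PLC would command
        mem = replace(mem, level=plant_model(mem.level, mem.pump_on))   # how the plant would respond
        levels.append(mem.level)
    return levels


def first_violation(levels: List[float]) -> Optional[int]:
    """Check predicted states against the safety specification; return the offending cycle or None."""
    for i, lvl in enumerate(levels):
        if lvl > SAFETY_MAX_LEVEL:
            return i + 1
    return None


def ips_decide(mem: ShadowMemory, packet: tuple) -> Tuple[str, str]:
    """Decide whether the process logic may execute the packet; returns (decision, reason).

    Writes to registers outside the map are blocked fail-closed. That is this example's own
    choice; the patent text only describes simulating commands that affect settings.
    """
    if packet[0] == "WRITE" and packet[1] not in REGISTER_MAP:
        return "BLOCK", f"write to unmapped register {packet[1]}"
    if not is_settings_command(packet):
        return "PASS", "not a settings command; forwarded without simulation"
    predicted = simulate(apply_command(mem, packet))
    cycle = first_violation(predicted)
    if cycle is not None:
        return "BLOCK", f"level {predicted[cycle - 1]:.1f} % exceeds {SAFETY_MAX_LEVEL} % at cycle {cycle}"
    return "ALLOW", f"peak predicted level {max(predicted):.1f} % within limits"


if __name__ == "__main__":
    current = ShadowMemory(level=50.0, setpoint=50.0, pump_on=False)   # constructed current state
    for pkt in [("READ", 40001), ("WRITE", 40001, 60), ("WRITE", 40001, 95), ("WRITE", 40099, 1)]:
        print(pkt, "->", ips_decide(current, pkt))
```

With the tank at 50 %, a setpoint write of 60 is allowed (the predicted level peaks near 64 %), while a write of 95 is blocked because the simulated pump stays on and the predicted level crosses 90 % around the 22nd cycle. The horizon matters: a shorter look-ahead than the time the plant needs to reach the limit would let the same command through, which is why the iterative, multi-cycle prediction in the claims is not optional in practice.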

The claims protect the core concepts of an embedded intrusion prevention system that intercepts, simulates, and evaluates the effects of incoming control packets in industrial controllers to prevent unsafe actions, utilizing predictive modeling and real-time state monitoring.

Stated Advantages

Provides an innermost layer of defense by embedding intrusion prevention within the industrial controller itself, enhancing protection against cyberattacks targeting industrial control systems.

Enables prediction and prevention of harmful effects on physical systems and processes by simulating the outcome of commands before execution.

Detects safety violations and can block or delay potentially dangerous commands, reducing risk of damage or disruption to critical infrastructure.

Maintains continuous situational awareness using a shadow memory, allowing for accurate evaluation of the current state during packet analysis.

Supports high-speed simulation so that packet analysis does not degrade controller response time.

Documented Applications

Protection of industrial control systems involved in critical infrastructures such as power generation/distribution, oil and gas production/distribution, water distribution/wastewater treatment, communication systems, building management systems, and transportation systems.
