Industrial Control Systems (ICS) have played a catalytic role in enabling the 4th Industrial Revolution. ICS devices like Programmable Logic Controllers (PLCs) automate, monitor, and control critical processes in industrial, energy, and commercial environments. The convergence of traditional Operational Technology (OT) with Information Technology (IT) has opened a new and unique threat landscape. This has inspired defense research that focuses heavily on Machine Learning (ML) based anomaly detection methods that run on external IT hardware, which means an increase in costs and the further expansion of the threat landscape. To remove this requirement, we introduce the ICS machine learning inference framework (ICSML), which enables executing ML model inference natively on the PLC. ICSML is implemented in IEC 61131-3 code and provides several optimizations to bypass the limitations imposed by the domain-specific languages. Therefore, it works on every PLC without the need for vendor support. ICSML provides a complete set of components for creating full ML models similarly to established ML frameworks. We run a series of benchmarks studying memory and performance, and compare our solution to the TFLite inference framework. At the same time, we develop domain-specific model optimizations to improve the efficiency of ICSML. To demonstrate the abilities of ICSML, we evaluate a case study of a real defense for process-aware attacks targeting a desalination plant.