
Embedding Encryption and Machine Learning Intrusion Prevention Systems on Programmable Logic Controllers

Last updated on April 6, 2021, 4:22 p.m. by sakshi4

Summary

This paper describes an alternative design using an open-source PLC that was modified to encrypt all data it sends over the network, independently of the protocol used. A machine learning-based IPS was added to the PLC network, providing a secure mechanism against network flood attacks.

This paper makes the assumption that ICS operational networks will be penetrated and therefore presents an embedded resiliency system that can defeat cyber-attacks after the penetration. Cyber-attacks from three categories are considered: interception, injection, and Denial of Service (DoS). 

The AES Encryption Layer stands between OpenPLC’s Network Layer and the Intrusion Prevention System. The key scheme used is Pre-Shared Key (PSK). Every packet received is decrypted by the AES Encryption Layer using the PSK, and then sent to the Network Layer for further processing. If a response is needed, the AES Encryption Layer encrypts the message using the PSK and then forwards the ciphertext to the external network. The intrusion prevention system handles all packets received from the external network. It uses an embedded unsupervised clustering algorithm to classify the incoming streaming data in real time, in order to detect network anomalies and DoS attacks.

Two features were used for the training of the ML algorithm: packet interarrival time and packet processing time. The K-Means algorithm used here is very sensitive to noise, because outliers distort the cluster centers; outliers are therefore removed from the training data before training.

Although it was possible to intercept the packets on the network, it was not possible to decipher their contents because of the AES-256 encryption. The injected messages were able to reach the PLC, but the commands could not be injected because of the AES-256 encryption. The embedded IPS quickly detected abnormal traffic and banned the attacker node, then restarted the listening socket to recover from the attack.

Important points:

  • Industrial Control Systems (ICS), also known as Supervisory Control and Data Acquisition (SCADA) systems, manage complex and potentially dangerous processes using peripheral devices such as Programmable Logic Controllers (PLC) that directly interface with the process plant or machinery.
  • The work presented in this paper makes the assumption that ICS operational networks will be penetrated, and therefore presents an embedded resiliency system that can defeat cyber-attacks after the penetration.
  • Cyber-attacks from three categories are considered: interception, injection and Denial of Service (DoS).
  • The AES Encryption Layer stands between OpenPLC’s Network Layer and the Intrusion Prevention System. The key scheme used is Pre-Shared Key (PSK).
  • Every packet received is decrypted by the AES Encryption Layer using the PSK, and then sent to the Network Layer for further processing. If a response is needed from the Network Layer, the reverse process occurs, as the AES Encryption Layer will encrypt the message using the PSK and then forward the ciphertext to the external network.
  • The encryption process is protocol independent, and therefore works with both Modbus and DNP3 implementations in the original OpenPLC.
  • The intrusion prevention system handles all packets received from the external network. It uses an embedded unsupervised clustering algorithm to classify the incoming streaming data in real time, in order to detect network anomalies and DoS attacks.
  • Data collection and preprocessing: The IPS incorporates a TCP proxy server which acts as an intermediary client while interacting with the PLC and acts as a server while receiving commands from the trusted nodes. Hence, this module gives the IPS the capability to receive the incoming packets and forward them to the PLC after filtering out the anomalous traffic. This module also allows the IPS to collect any data associated with the external network. Two features were used for the training of the machine learning algorithm: packet interarrival time and packet processing time.

  • Deterministic clustering algorithms like bisecting K-Means are very sensitive to noise, as the cluster centers are distorted in the presence of outliers. Therefore, before training the algorithm, the outliers are removed from the training dataset.
  • K-Means clustering is an unsupervised algorithm that partitions n samples into K clusters, with each observation belonging to the cluster with the nearest mean.
  • Interception Attack: On the water storage tank SCADA system, the information about current mode, defined setpoints and manual triggers for the pump and valve are stored in PLC registers accessed by Modbus or DNP3.
  • Injection Attack: The same attack was performed with the modified Secure OpenPLC in place. Due to the fast pace of the injected messages, the embedded IPS detected anomalous traffic and was able to quickly block the attacker node without causing any harm to the running system.
  • Therefore, it was not possible to DoS the system using injected messages. After slowing down the frequency of the injected messages, it was possible to go undetected through the IPS. Although the injected messages were able to reach the PLC, it was still not possible to inject the commands due to the AES-256 encryption that was in place. Therefore, the messages were discarded, and no harm was caused to the system.

  • Denial of Service (DoS) Attack: The same attack using LOIC was performed against the Secure OpenPLC. Due to the fast nature of the flood packets, the embedded IPS running alongside OpenPLC quickly detected abnormal traffic and banned the attacker node. 
  • The attacker node was only able to attack the device for a few milliseconds before being banned. Although it was a short period of time, around 5,000 packets were sent to OpenPLC, which could cause slowdowns while processing the next legitimate packets.
  • In order to recover from this, right after banning the attacker, the IPS flushed the network interface and restarted the socket to listen for new connections. 
  • The HMI was able to re-establish communication in a few seconds and no harm was caused to the OpenPLC application running the ladder logic program.
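As an added illustration of the IPS pipeline described in the summary and in the data-collection and K-Means bullets above (this is not code from the paper or from OpenPLC): outliers are filtered from a constructed benign sample of (interarrival time, processing time) pairs, the features are standardised and clustered with K-Means, and each new packet is then checked against the learned cluster radii, which is the streaming decision the IPS makes before forwarding or banning. The log10 feature scaling, the farthest-point initialisation, the 1.5 acceptance margin and the sample traffic are my assumptions, not the paper's.

```python
import math
import random

# Constructed benign training traffic (not from the paper), as (interarrival_s, processing_s):
# 40 HMI polls about every 0.5 s taking ~2 ms, 40 operator writes about every 3 s taking ~8 ms,
# plus two deliberate outliers (a one-minute gap and a stalled packet) to exercise the filter.
_rng = random.Random(1)
BENIGN = [(_rng.gauss(0.5, 0.02), _rng.gauss(0.002, 0.0002)) for _ in range(40)]
BENIGN += [(_rng.gauss(3.0, 0.1), _rng.gauss(0.008, 0.0005)) for _ in range(40)]
BENIGN += [(60.0, 0.002), (0.5, 0.25)]

def features(sample):
    """log10 of both timings (my assumption): a flood is orders of magnitude faster than polling."""
    return tuple(math.log10(v) for v in sample)

def _mean_std(values):
    m = sum(values) / len(values)
    return m, math.sqrt(sum((v - m) ** 2 for v in values) / len(values))

def remove_outliers(points, z=3.0):
    """Drop training samples more than z standard deviations from the mean on any feature."""
    st = [_mean_std([p[i] for p in points]) for i in range(2)]
    return [p for p in points if all(abs(p[i] - st[i][0]) <= z * st[i][1] for i in range(2))]

def kmeans(points, k=2, iters=100):
    """Lloyd's K-Means with deterministic farthest-point initialisation; returns the centroids."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda c: math.dist(p, centroids[c]))].append(p)
        new = [tuple(sum(m[i] for m in g) / len(g) for i in range(2)) if g else centroids[c]
               for c, g in enumerate(groups)]
        if new == centroids:  # assignments stopped changing
            break
        centroids = new
    return centroids

def train(samples, k=2, margin=1.5):
    """Filter outliers, standardise, cluster, then set an acceptance radius around each centre."""
    clean = remove_outliers([features(s) for s in samples])
    st = [_mean_std([p[i] for p in clean]) for i in range(2)]
    norm = [tuple((p[i] - st[i][0]) / st[i][1] for i in range(2)) for p in clean]
    centroids = kmeans(norm, k)
    radius = margin * max(min(math.dist(p, c) for c in centroids) for p in norm)
    return {"stats": st, "centroids": centroids, "radius": radius, "n_train": len(clean)}

def is_anomalous(model, sample):
    """Streaming check: a packet outside every learned cluster radius is flagged for the IPS to act on."""
    p = [(v - m) / s for v, (m, s) in zip(features(sample), model["stats"])]
    return min(math.dist(p, c) for c in model["centroids"]) > model["radius"]
```

A flood packet arriving 0.2 ms after the previous one lands far outside both benign clusters, whereas a normal poll or write stays inside its cluster radius.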