Runtime Enforcement of Programmable Logic Controllers

TL;DR

This paper introduces a formal runtime enforcement method for programmable logic controllers in industrial systems, ensuring security and correct behavior even when controllers are compromised by malware.

Contribution

It presents a novel synthesis algorithm for monitors that enforce correctness properties on controllers, including in the presence of colluding malware, with proven scalability and safety guarantees.

Findings

Effective enforcement of correctness properties in industrial controllers

Monitors correct, suppress, or autonomously emit actions to ensure safety

Successful case study on malware-infected water treatment controllers

Abstract

With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. In this paper, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.'s edit automata to enforce controllers represented in Hennessy and Regan's Timed Process Language. We define a synthesis algorithm that, given an alphabet $P$ of observable actions and a timed correctness property $e$, returns a monitor that enforces the property $e$ during the execution of any (potentially corrupted) controller with alphabet $P$, and complying with the property $e$. Our monitors correct and suppress incorrect actions coming from corrupted controllers and emit actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with scalability when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals.