Methodology to Determine the Device-Level Periodicity for Anomaly Detection in EtherCAT-Based Industrial Control Network

Continuous operation and monitoring of critical infrastructure networks are crucial to ensure their sustainability and security. To achieve these, industrial control system (ICS) networks and supervisory control and data acquisition (SCADA) systems are deployed in critical infrastructure assets. Many events in ICS networks present strong periodical patterns because of process repetition or cyclic communication. From the security viewpoint, inferring the periodicity primarily in the device-level communications where the actuator/sensor, field, and the cell-level transmissions are performed is important for detecting anomalies. The synchronization period and traffic pattern need to be known for anomaly detection. This article presents a novel periodicity detection approach specifically for Ethernet for control automation technology (EtherCAT) networks. It uses protocol-specific operations and fields for detecting device-level periodicity. Using the period, an anomaly detection method that uncovers traffic pattern statistics is also proposed. The periodicity can be detected with different precision, significance levels, and lag sizes. Four programmable logic controller (PLC) programs were developed to demonstrate the feasibility of the periodicity detection approach, and the periodicity was automatically obtained with high accuracy. As any malicious activity on the system causes variances in the periodic pattern, the approach was also tested on synthetic traffic traces that contain denial of service (DoS) and code-injection attacks. The traffic patterns were uncovered by an anomaly detection module, which was developed on a Snort intrusion detection/prevention system (IDS/IPS) and used the captured period. The tests demonstrated that intrusions that exploit communication patterns are fully flagged.