PRoCeeD: Process State Prediction for CRITIS Using Process Inherent Causal Data and Discrete Event Models

  • Christian Horn
  • Jörg Krüger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8985)


It is getting harder for operators to secure their Critical Infrastructures (CRITIS). The reasons are the higher complexity and vulnerability of infrastructures, combined with the pressure to be cost-effective, as well as the availability of more highly evolved attack techniques. New and sophisticated Advanced Persistent Threats cannot be detected using common security measures like signature-based detection, so new detection techniques for CRITIS are necessary. As one part of a comprehensive detection framework for CRITIS, we introduce PRoCeeD – Process secuRity by using Causal Data. Our approach combines methodologies from control theory, distributed computing and automata theory. The goal is to create a mathematical model of the nodes, i.e. Programmable Logic Controllers or other control systems. Furthermore, this is done in an automated fashion using existing information such as the source code, input and output values such as network traffic and process variables, and data models. The generated model can be simulated in conjunction with on-line data of a running process to predict probable process states. Combining this prediction with an anomaly detection framework can reveal attacks, misuse or errors that cannot be detected using common security measures.


Cyber security in CRITIS; Anomaly detection (attacks, misuse, errors) in CRITIS; Industrial process security; Automation security



The authors would like to acknowledge the funding of the research project STEUERUNG by the senate of the state Berlin and the European Regional Development Fund. Furthermore we would like to thank our students Stefanie Teinz, Miklòs Tolnai, Max Klein and Marco Schwabe for their contribution to our research.

The Authors

The authors are working at the department of Industrial Automation Technology, which is an integral part of the Institute for Machine Tools and Factory Management at the School of Mechanical Engineering and Transport Systems of the Technische Universität Berlin.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Department of Industrial Automation Technology, Technische Universität Berlin, Berlin, Germany
