Physics Reasoning for Intrusion Detection in Industrial Networks

Industrial control systems (ICS) exchange network traffic carrying payloads that are closely related to the physics of industrial equipment and processes. We leverage this factor to develop a machine reasoning approach that inspects network packet payloads in terms of their relationship to physics. We found that exploits and malware are unambiguously detected, since they inject machine instructions, addresses, and other data that clearly depart from physics. We developed an ontology integrated with the knowledge of physics, which we tested against exploits of a large number of public vulnerabilities that affect industrial control systems. We also ran our approach in several case studies that involved ICS control of an electrical motor, which we describe in the paper.