Industrial control system (ICS) operations use trusted endpoints such as human-machine interfaces (HMIs) and workstations to relay commands to programmable logic controllers (PLCs). Because most PLCs lack layered defenses, compromise of a trusted endpoint can drive unsafe actuator commands and put safety-critical operation at risk. This research presents an embedded intrusion detection system that runs inside the controller and uses header-level telemetry to detect and respond to network attacks. The system combines a semi-supervised anomaly detector and a supervised attack classifier. We evaluate the approach on a midstream oil-terminal testbed using three datasets collected during tanker-truck loading. The anomaly detector achieves zero missed attacks, corresponding to a Matthews correlation of 0.998. The supervised stage attains 97.37 percent hold-out accuracy and 97.03 percent external accuracy. The embedded design adds a median of 2,031 microseconds of end-to-end latency and does not impact the PLC's cycle time. The proposed architecture provides multi-layer embedded security that meets the real-time requirements of an industrial system.