Since 2010, multiple cyber incidents on industrial infrastructure, such as Stuxnet and CrashOverride, have exposed the vulnerability of Industrial Control Systems (ICS) to cyber threats. Industrial systems are commissioned for decades, so they often fall behind advances in industrial cybersecurity mechanisms. The unavailability of network infrastructure information makes designing security policies or configuring cybersecurity countermeasures such as Network Intrusion Detection Systems (NIDS) challenging. An empirical solution is to self-learn the network infrastructure information of an industrial system from its monitored network traffic, making the network transparent for downstream analysis tasks such as anomaly detection. This work reports a Python-based, industrial-communication-paradigm-aware framework, named PROFINET Operations Enumeration and Tracking (POET), that enumerates the different industrial operations executed in a deterministic order in a PROFINET-based industrial system. The network protocol frames that drive these operations are dissected to enumerate them. To capture the transitions between industrial operations triggered by communication events, Finite State Machines (FSM) are modelled for the PROFINET operations of the device, the connection and the system. POET extracts network information from the traffic to instantiate the appropriate FSM model (Device, Connection or System) and tracks the industrial operations. It successfully detects and reports the anomalies triggered by a network attack on a miniaturized PROFINET-based industrial system: an attack executed through valid network protocol exchanges that results in an invalid PROFINET operation transition for the device.
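The detection idea in the abstract, a per-device FSM that is advanced by parsed communication events and flags any event with no legal transition from the current state, can be shown with a small tracker. The code below is an added example and is not POET's code; the state names, the transition table, the event names and the device identifiers are simplified assumptions for illustration (a rough sketch of the PROFINET IO device lifecycle: DCP discovery and addressing, RPC connect and parameterization, then cyclic real-time data exchange). It also assumes that frame dissection has already happened upstream and produced the event names it consumes. The constructed trace ends with a DCP name-setting frame that is a valid protocol exchange on its own but arrives while the device is in cyclic data exchange, which is exactly the kind of invalid operation transition the abstract describes.

```python
"""Toy per-device operation tracker for a PROFINET IO device (added example).

Assumption: state names, transition table and event names are simplified for
illustration and are NOT POET's own models. Events are assumed to have been
produced by an upstream frame dissector.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed simplified device lifecycle. Any (state, event) pair missing from this
# table is treated as an invalid operation transition.
DEVICE_FSM: Dict[Tuple[str, str], str] = {
    ("UNCONFIGURED", "DCP_IDENTIFY_RESP"): "DISCOVERED",
    ("DISCOVERED", "DCP_SET_NAME"): "NAMED",
    ("NAMED", "DCP_SET_IP"): "ADDRESSED",
    ("ADDRESSED", "RPC_CONNECT_REQ"): "CONNECTING",
    ("CONNECTING", "RPC_WRITE_REQ"): "CONNECTING",       # parameter records
    ("CONNECTING", "RPC_CONTROL_PRM_END"): "PARAMETERIZED",
    ("PARAMETERIZED", "RPC_CONTROL_APP_READY"): "DATA_EXCHANGE",
    ("DATA_EXCHANGE", "RT_CYCLIC_DATA"): "DATA_EXCHANGE",
    ("DATA_EXCHANGE", "RPC_RELEASE_REQ"): "ADDRESSED",
}


@dataclass
class Anomaly:
    """An event that had no legal transition from the device's current state."""
    seq: int        # position of the event in the trace (1-based)
    device: str
    state: str      # state the device was in when the event arrived
    event: str


@dataclass
class DeviceTracker:
    """Instantiates one FSM per device on first sight and tracks its state."""
    states: Dict[str, str] = field(default_factory=dict)
    anomalies: List[Anomaly] = field(default_factory=list)

    def feed(self, seq: int, device: str, event: str) -> str:
        state = self.states.setdefault(device, "UNCONFIGURED")
        nxt = DEVICE_FSM.get((state, event))
        if nxt is None:
            # Record the violation and keep the model where it was: an invalid
            # frame must not be allowed to move the tracked state.
            self.anomalies.append(Anomaly(seq, device, state, event))
            return state
        self.states[device] = nxt
        return nxt


def track(events: List[Tuple[str, str]]) -> DeviceTracker:
    """Replay a list of (device, event) pairs through the tracker."""
    tracker = DeviceTracker()
    for seq, (device, event) in enumerate(events, start=1):
        tracker.feed(seq, device, event)
    return tracker


# Constructed trace (assumed device ids, not from any real capture). Device A
# completes a normal start-up and enters cyclic exchange; device B only answers
# discovery. Event 11 is a DCP_SET_NAME sent to A during data exchange.
CONSTRUCTED_TRACE: List[Tuple[str, str]] = [
    ("dev-A", "DCP_IDENTIFY_RESP"),       # 1
    ("dev-B", "DCP_IDENTIFY_RESP"),       # 2
    ("dev-A", "DCP_SET_NAME"),            # 3
    ("dev-A", "DCP_SET_IP"),              # 4
    ("dev-A", "RPC_CONNECT_REQ"),         # 5
    ("dev-A", "RPC_WRITE_REQ"),           # 6
    ("dev-A", "RPC_CONTROL_PRM_END"),     # 7
    ("dev-A", "RPC_CONTROL_APP_READY"),   # 8
    ("dev-A", "RT_CYCLIC_DATA"),          # 9
    ("dev-A", "RT_CYCLIC_DATA"),          # 10
    ("dev-A", "DCP_SET_NAME"),            # 11: valid frame, invalid transition
    ("dev-A", "RT_CYCLIC_DATA"),          # 12
]


if __name__ == "__main__":
    result = track(CONSTRUCTED_TRACE)
    for dev, state in sorted(result.states.items()):
        print(f"{dev}: {state}")
    for a in result.anomalies:
        print(f"anomaly #{a.seq}: {a.device} in {a.state} received {a.event}")
```

Keeping the FSM unchanged on an invalid event is a deliberate design choice: if the tracker advanced on every frame it saw, a single crafted exchange could steer the model away from the device's real state and hide later violations. A tracker for the Connection or System level would follow the same pattern with its own table.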