The Tennessee Eastman Process (TEP) model consists of four main units. Gases interact exothermically inside the reactor. The products leave the reactor as vapors and are fed into the condenser, then into the vapor-liquid separator. The liquid enters the stripping column, where the fractions are separated. The output consists of two products. Although this is a chemical manufacturing process, such units are typical of many industrial environments.
Based on the TEP model, we implemented a mathematical model in Python to simulate physical processes, as well as control logic for the physical model in the form of a PLC program. To visualize the simulated processes, we implemented a 3D TEP model and linked it with the generated physical model and PLC telemetry data. To control the stand, we developed a dedicated iPad console that can be used to simulate a variety of cyberattack scenarios. The result was a highly realistic chemical production simulator.
The TEP simulator is deployed on a single laptop, which also runs the mathematical model of the Tennessee Eastman Process and its 3D visualization. A Schneider controller is used as the PLC. Using a network switch, a copy of the process traffic of the chemical production simulator is sent to Kaspersky Industrial CyberSecurity for Networks, which parses the traffic and transmits the telemetry values obtained from it to Kaspersky MLAD.
Our TEP simulator has many parameters that we can control: both sensors and commands, totaling approximately 60 tags. Business parameters are also set, which allows us to calculate an enterprise’s operating costs (on an hourly basis). This helps to assess the overall damage from a hacker attack: an enterprise can suffer financial losses, even if an attack does not result in the worst possible outcome (an explosion or some other disaster).
Experimental attacks on the simulator show that Kaspersky MLAD detects anomalies in technological processes in their early stages, and is capable of covering a much wider range of connections between industrial signals than a traditional rule-based protection system can. In a traditional specialized protection system, rules are often generalized to match different conditions. This slows the triggering of emergency protection. A more finely tuned system based on machine learning responds earlier to anomalous changes in processes.
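The contrast between a generalized rule and a learned relationship between signals can be seen in a small added example; it is not code from the simulator and not Kaspersky MLAD's algorithm. The two tags, the drift, the trip limit and the least-squares model standing in for a learned model are all constructed assumptions.

```python
import math
from statistics import mean, pstdev

ATTACK_START = 300   # constructed: sample index where the anomalous drift begins
HIGH_LIMIT = 2900.0  # constructed static trip limit (kPa), set above every normal mode

def simulate(n=600):
    """Constructed two-tag telemetry: feed flow (command) and reactor pressure (sensor)."""
    flow, pressure = [], []
    for t in range(n):
        f = 100.0 + 20.0 * math.sin(t / 40.0)            # operating point moves slowly
        p = 2000.0 + 6.0 * f + 2.0 * math.sin(1.7 * t)   # pressure tracks flow, bounded noise
        if t >= ATTACK_START:
            p += 0.8 * (t - ATTACK_START)                # slow drift that breaks the relationship
        flow.append(f)
        pressure.append(p)
    return flow, pressure

def fit_line(x, y):
    """Ordinary least squares y = a*x + b, learned from attack-free data."""
    mx, my = mean(x), mean(y)
    a = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y)) / sum((xi - mx) ** 2 for xi in x)
    return a, my - a * mx

def first_alarm(flags):
    """Index of the first True flag, or None if nothing fires."""
    return next((i for i, f in enumerate(flags) if f), None)

def compare(train_len=200, k=4.0):
    """Return (static-rule alarm index, residual-check alarm index)."""
    flow, pressure = simulate()
    a, b = fit_line(flow[:train_len], pressure[:train_len])
    resid = [p - (a * f + b) for f, p in zip(flow, pressure)]
    limit = k * pstdev(resid[:train_len])                # tolerance learned from normal residuals
    rule_idx = first_alarm(p > HIGH_LIMIT for p in pressure)
    model_idx = first_alarm(abs(r) > limit for r in resid)
    return rule_idx, model_idx

if __name__ == "__main__":
    rule_idx, model_idx = compare()
    print(f"static limit trips {rule_idx - ATTACK_START} samples after the drift starts")
    print(f"residual check trips {model_idx - ATTACK_START} samples after the drift starts")
```

The static limit has to sit above the pressure of every normal operating mode, so the drift is only caught once it pushes the absolute value past that ceiling; the residual check fires as soon as pressure stops matching what the current flow predicts.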