Modern Industrial Control System (ICS) can provide vast functions as the introduction of IT technology is established along with the introduction of the IoT environment. Engineering Workstation (EWS) used by ICS is widely used to efficiently manage and control industrial devices including smart IoT devices. However, the DLL injection attack in ICS is not high in difficulty compared to the risk, but it can cause fatal malfunction. If an attack is carried out targeting the EWS, it may cause erroneous operation in many control devices, including IoT devices, cause fatal accidents throughout the Supervisory Control and Data Acquisition (SCADA) system. In this paper, we present a method to detect DLL injection attacks by specializing in EWS used in ICS in IoT environment and purpose a method to detect data changes due to DLL injection attacks by analyzing and utilizing PEB-LDR data. Also, we purpose a method to detect and block execution when a malicious DLL is suspected to be loaded by DLL injection.

Industrial Control System (ICS), Internet of Things (IoT), Engineering Workstation (EWS), Process Environment Block (PEB), Dynamic Link Library (DLL), Injection