Industrial control systems (ICS) are vital for countries' industrial facilities and critical infrastructures. However, there are not enough security assessments against cyber attacks carried out on ICS for not preventing business continuity. New attacks are being made every day against these systems. Threats and attacks against critical infrastructures must be detected for protecting human life and assets. For this reason, detection has become more important than the prevention of attacks. In this study, vulnerability and attack detection analysis was carried out on programmable logic controllers (PLCs), one of the most important components of ICS, in the testbed and a rule set was created to detect active start/stop attacks. In this case, with writing this rule table, similar attacks will be prevented without harming the critical systems. In the analysis, mirroring technique was used to prevent the detection system from imposing additional load to the existing system and affecting the operation of the system negatively. In the test environment, Siemens S-7 1200 (Firmware 2.2) PLC devices were used. Smoothsec system, which is not used in industrial systems, is used for detection and rule table. It is assessed that this novel approach will provide significant contributions to attract attention to vulnerabilities and the security analysis of industrial control systems. (C) 2018 Elsevier Ltd. All rights reserved.