Control logic injection attack against Programmable Logic Controller (PLC) manipulate the physical process by tampering with the control program, thereby achieving the purpose of affecting the control process or destroying the physical facilities. Aiming at PLC control logic injection attacks, an intrusion detection method based on automatic whitelist rules generation was proposed, called PLCShield (Programmable Logic Controller Shield). Based on the fact that PLC control program carries comprehensive and complete physical process control information, the proposed method mainly includes two stages: firstly, by analyzing the PLC program’s configuration file, instruction function, variable attribute, execution path and other information, the detection rules such as program attribute, address, value range and structure were extracted; secondly, combining actively requesting a “snapshot” of the PLC’s running and passively monitoring network traffic was used to obtain real-time information such as the current running status of PLC and the operation and status in the traffic, and the attack behavior was identified by comparing the obtained information with the detection rules. Four PLCs of different manufacturers and models were used as research cases to verify the feasibility of PLCShield. Experimental results show that the attack detection accuracy of the proposed method can reach more than 97.71%. The above prove that the proposed method is effective.