A log mining approach for process monitoring in SCADA

Abstract: SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water t… Show more

“…For the data modelling of continuous series, we build the autoregressive model and derive process control limits. We leverage an open source implementation of the autoregressive model 1 . To derive control limits, we implement Shewart control limits following the description in [116].…”

“…Finally, we discus promising approaches for detecting the identified threats. This work has appeared as a journal article [1] and a refereed workshop paper [6].…”

“…Guideword Deviation / Potential threat add a user adds a valve to the group Valve modify a user modifies the name of a valve (topology) 1 delete a user deletes a valve from the group add no Tanks modify a user modifies the capacity of tank (e.g., the presumed capacity of tank is increased by double) (operational parameters) 2 delete no add a user adds action type to the allowed actions (e.g., a user adds "inserting setpoint" and/or "changing pump status" to the list of allowed operator actions on a pump) Pumps modify no (access settings) 3 delete a user deletes action type from allowed actions (e.g., a user deletes "inserting setpoint" and/or "changing pump status" from operator actions on a pump) example, depending on the context (i.e., the specific software control implementation), some combinations of keywords and guidewords do not apply (e.g., acidity parameters cannot be deleted) or are not considered as severe (e.g., add tank). To this end, the focus group selected 35 user actions that represent a potential threat.…”

Process matters: cyber security in industrial control systems

“…For the data modelling of continuous series, we build the autoregressive model and derive process control limits. We leverage an open source implementation of the autoregressive model 1 . To derive control limits, we implement Shewart control limits following the description in [116].…”

“…Finally, we discus promising approaches for detecting the identified threats. This work has appeared as a journal article [1] and a refereed workshop paper [6].…”

“…Guideword Deviation / Potential threat add a user adds a valve to the group Valve modify a user modifies the name of a valve (topology) 1 delete a user deletes a valve from the group add no Tanks modify a user modifies the capacity of tank (e.g., the presumed capacity of tank is increased by double) (operational parameters) 2 delete no add a user adds action type to the allowed actions (e.g., a user adds "inserting setpoint" and/or "changing pump status" to the list of allowed operator actions on a pump) Pumps modify no (access settings) 3 delete a user deletes action type from allowed actions (e.g., a user deletes "inserting setpoint" and/or "changing pump status" from operator actions on a pump) example, depending on the context (i.e., the specific software control implementation), some combinations of keywords and guidewords do not apply (e.g., acidity parameters cannot be deleted) or are not considered as severe (e.g., add tank). To this end, the focus group selected 35 user actions that represent a potential threat.…”

Process matters: cyber security in industrial control systems

“…At times, a continuous range of IP addresses have their address 71. We observe telnet commands being issued to perform the address change, but not to all hosts.…”

“…As an intrusion detection system, flow whitelisting presents several advantages over deep packet inspection [37] and host level [71] IDS. The most obvious advantages are simplicity and efficiency [21].…”

Anomaly detection in SCADA systems : a network based approach

Digital Transformation in Accounting: The Nexus Between Technology, Leadership, and Beyond