A SCADA Intrusion Detection Framework that Incorporates Process Semantics

Nivethan, Jeyasingam; Papa, Mauricio

doi:10.1145/2897795.2897814

Cited by 16 publications

(12 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is in contrast with commonly used terms in literature, such as "process-related", or "process-oriented". Rather than simply capturing and monitoring one process variable (such as temperature) related to an ICS device as what has been done in existing work [8,9], our approach proposed in this article looks beyond changes in a particular variable; instead, it looks at the way in which various sequences of "events" were executed and detect those deviant sequences. This approach allows a more comprehensive assessment of the potential problems (and by extension, security attacks) within the system.…”

Section: Accepted Manuscriptmentioning

confidence: 99%

Anomaly detection for industrial control systems using process mining

Myers

Suriadi

Radke

et al. 2018

Computers & Security

View full text Add to dashboard Cite

Industrial control systems (ICS) are moving from dedicated communications to switched and routed corporate networks, exposing them to the Internet and placing them at risk of cyber-attacks. Existing methods of detecting cyberattacks, such as intrusion detection systems (IDSs), are commonly implemented in ICS and SCADA networks. However, these devices do not detect more complex threats that manifest themselves gradually over a period of time through a combination of unusual sequencing of activities, such as process-related attacks. During the normal operation of ICSs, ICS devices record device logs, capturing their industrial processes over time. These logs are a rich source of information that should be analysed in order to detect such process-related attacks. In this paper, we present a novel process mining anomaly detection method for identifying anomalous behaviour and cyber-attacks using ICS data logs and the conformance checking analysis technique from the process mining discipline. A conformance checking analysis uses logs captured from production systems with a process model (which captures the expected behaviours of a system) to determine the extent to which real behaviours (captured in the logs) matches the expected behaviours (captured in the process model). The contributions of this paper include an experimentally derived recommendation for logging practices on ICS devices, for the purpose of process miningbased analysis; a formalised approach for pre-processing and transforming device logs from ICS systems into event logs suitable for process mining analysis; guidance on how to create a process model for ICSs and how to apply the created process model through a conformance checking analysis to identify anomalous behaviours. Our anomaly detection method has been successfully applied in detecting ICS cyber-attacks, which the widely used IDS Snort does not detect, using logs derived from industry standard ICS devices.

show abstract

Section: Accepted Manuscriptmentioning

confidence: 99%

Anomaly detection for industrial control systems using process mining

Myers

Suriadi

Radke

et al. 2018

Computers & Security

View full text Add to dashboard Cite

show abstract

“…Sequences of packets are modeled as a discrete-time Markov chain and compared to a pre-computed reference model, which represents normal traffic behavior. Nivethan and Papa (2016a) propose a SCADA IDS framework that incorporates process semantics, by implementing extra warning notifications in case process variables exceed some threshold values. A system description language and a mapper for turning requirements into actual Bro policies is also provided.…”

Section: Process-aware Monitoringmentioning

confidence: 99%

An integrated testbed for locally monitoring SCADA systems in smart grids

2018

View full text Add to dashboard Cite

A testbed for evaluating if and how process-aware monitoring may increase the security of decentralized SCADA networks in power grids is presented. The testbed builds on the co-simulation framework Mosaik, and co-simulates in an integrated way, the power distribution network on different voltage levels, as well as the control network (Modbus/TCP). The existing simulators were extended to allow topology changes, and a controller (RTU) simulator connected to a SCADA server enabling remote control was implemented. Using the developed testbed, a recently proposed local monitoring approach was investigated. The results show that for so-called interlocks the proposed monitoring approach prevents the execution of 33.3% of the commands, that would result in an unsafe state of the power distribution grid. Furthermore, it is shown that unsafe transformer tap positions can also be avoided. To illustrate the relevance and importance of the proposed testbed, a detailed comparison of related work on process-aware intrusion detection approaches and testbeds combining (parts of) the control network and the power grid is provided.

show abstract

“…However, they do not incorporate process information into the decision process. Nivethan and Papa (2016a) propose to incorporate process semantics by mapping the monitoring requirements to the respective PLC registers. The proposed mechanism issues alerts when, e.g., process variables are not within the requested bounds.…”

Section: Related Workmentioning

confidence: 99%

“…However, this complicates security mechanisms as proposed e.g. by Nivethan and Papa (2016a), while process-aware policies, as proposed in this paper, facilitates the use of normalized values.…”

Section: Process Variables In Iec-104mentioning

confidence: 99%

“…The concept of process-aware monitoring has recently been investigated in the context of industrial control systems and electricity transmission and distribution systems (Nivethan and Papa (2016a); ; Fovino et al (2010); Hadžiosmanović et al (2014); Cárdenas et al (2011)). It usually involves deep-packet inspection and processing that content, e.g., by comparing process variables to predefined thresholds ensuring system safety.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Bro in SCADA: dynamic intrusion detection policies based on a system model

Chromik

Remke

Haverkort

2018

Electronic Workshops in Computing

View full text Add to dashboard Cite

We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious and erroneous commands and sensor readings are detected. It can hence been seen as a local Intrusion Detection System, as well as an safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was directly fed into the system model. Adaptive policies are implemented in Bro, which formulate physical constraints and safety requirements and allow to check whether SCADA traffic complies to these rules in real time. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.

show abstract

A SCADA Intrusion Detection Framework that Incorporates Process Semantics

Cited by 16 publications

References 13 publications

Anomaly detection for industrial control systems using process mining

Anomaly detection for industrial control systems using process mining

An integrated testbed for locally monitoring SCADA systems in smart grids

Bro in SCADA: dynamic intrusion detection policies based on a system model

Contact Info

Product

Resources

About