Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

Kleinmann, Amit; Wool, Avishai

doi:10.15394/jdfsl.2014.1169

Cited by 47 publications

(39 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In one of the first papers on the topic, Goldenberg & Wool [16] developed a model-based approach (the GW model) using a Deterministic Finite Automata (DFA) to represent the cyclic nature of the commands exchanged in Modbus traffic. Subsequently Kleinmann et al [18] demonstrated that this methodology is also successful in other network industrial protocols like Siemens S7.…”

Section: A Backgroundmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

Self Cite

View full text Add to dashboard Cite

In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automatabased model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.

show abstract

Section: A Backgroundmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

Self Cite

View full text Add to dashboard Cite

show abstract

“…[14] developed a model-based approach (the GW model) for Network Intrusion Detection based on the normal traffic pattern in Modbus SCADA Networks using a DFA to represent the cyclic traffic. Subsequently, [18] demonstrated that a similar methodology is successful also in SCADA systems running the Siemens S7 protocol. [6] proposed a methodology to model sequences of SCADA protocol messages as Discrete Time Markov Chains (DTMCs).…”

Section: Related Workmentioning

confidence: 96%

Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

Kleinmann

Wool

2017

ACM Trans. Intell. Syst. Technol.

Self Cite

View full text Add to dashboard Cite

Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. In this paper we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the statechart from a captured traffic stream. Our unsupervised learning algorithms first build a Discrete-Time Markov Chain (DTMC) from the stream. Next we split the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then we create a sub-graph for each cycle, and extract Euler cycles for each sub-graph. The final statechart is comprised of one DFA per Euler cycle. The algorithms allow for non-unique symbols, that appear in more than one cycle, and also for symbols that appear more than once in a cycle.We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting statechart modeled the traces with a median false-alarm rate of as low as 0.483%. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.

show abstract

“…Siemens S7 is used in SCADA systems for communications between a HMI and the Programmable Logic Controllers (PLCs). In (Kleinmann and Wool, 2014), Intrusion Detection system (IDS) model is designed for S7 networks which analyzes the traffic to and from a specific PLC. A unique Deterministic Finite Automata (DFA) is used to model the HMI-PLC channel traffic whether it is highly periodic or not.…”

Section: Fig 15: Forensics Model For Scada Systemsmentioning

confidence: 99%

Digital Forensics for IoT and WSNs

Karabiyik

Akkaya

2019

Studies in Systems, Decision and Control

View full text Add to dashboard Cite

In the last decade, wireless sensor networks (WSNs) and Internet-of-Things (IoT) devices are proliferated in many domains including critical infrastructures such as energy, transportation and manufacturing. Consequently, most of the daily operations now rely on the data coming from wireless sensors or IoT devices and their actions. In addition, personal IoT devices are heavily used for social media applications, which connect people as well as all critical infrastructures to each other under the cyber domain. However, this connectedness also comes with the risk of increasing number of cyber attacks through WSNs and/or IoT. While a significant research has been dedicated to secure WSN/IoT, this still indicates that there needs to be forensics mechanisms to be able to conduct investigations and analysis. In particular, understanding what has happened after a failure is crucial to many businesses, which rely on WSN/IoT applications. Therefore, there is a great interest and need for understanding digital forensics applications in WSN and IoT realms. This chapter fills this gap by providing an overview and classification of digital forensics research and applications in these emerging domains in a comprehensive manner. In addition to analyzing the technical challenges, the chapter provides a survey of the existing efforts from the device level to network level while also pointing out future research opportunities.

show abstract

Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

Cited by 47 publications

References 16 publications

Temporal Phase Shifts in SCADA Networks

Temporal Phase Shifts in SCADA Networks

Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

Digital Forensics for IoT and WSNs

Contact Info

Product

Resources

About