An Anomaly Detection Mechanism for IEC 60870-5-104

Radoglou-Grammatikis, Panagiotis; Sarigiannidis, Panagiotis; Sarigiannidis, Antonios; Margounakis, Dimitrios; Tsiakalos, Apostolos; Efstathopoulos, Georgios

doi:10.1109/mocast49295.2020.9200285

Cited by 18 publications

(5 citation statements)

References 13 publications

(9 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An IEC 104 intrusion detection approach similar to Udd et al (2016) can be seen in a recent publication (Grammatikis et al 2020). In the latest work, an access control mechanism is enforced initially to filter unknown ports, Internet Protocol, and Media Access Control addresses.…”

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

Improving anomaly detection in SCADA network communication with attribute extension

2022

View full text Add to dashboard Cite

Network anomaly detection for critical infrastructure supervisory control and data acquisition (SCADA) systems is the first line of defense against cyber-attacks. Often hybrid methods, such as machine learning with signature-based intrusion detection methods, are employed to improve the detection results. Here an attempt is made to enhance the support vector-based outlier detection method by leveraging behavioural attribute extension of the network nodes. The network nodes are modeled as graph vertices to construct related attributes that enhance network characterisation and potentially improve unsupervised anomaly detection ability for SCADA network. IEC 104 SCADA protocol communication data with good domain fidelity is utilised for empirical testing. The results demonstrate that the proposed approach achieves significant improvements over the baseline approach (average $$F_{1}$$ F 1 score increased from 0.6 to 0.9, and Matthews correlation coefficient (MCC) from 0.3 to 0.8). The achieved outcome also surpasses the unsupervised scores of related literature. For critical networks, the identification of attacks is indispensable. The result shows an insignificant missed-alert rate ($$0.3\%$$ 0.3 % on average), the lowest among related works. The gathered results show that the proposed approach can expose rouge SCADA nodes reasonably and assist in further pruning the identified unusual instances.

show abstract

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

Improving anomaly detection in SCADA network communication with attribute extension

2022

View full text Add to dashboard Cite

show abstract

“…There are no security procedures in IEC104. TCP port 2404 is used by the protocol [24]. The IEC 101/104 interaction between the controlled station and the controlling station [25] can be one the following:…”

Section: Honeypots Overviewmentioning

confidence: 99%

Protecting IEC 60870-5-104 ICS/SCADA Systems with Honeypots

Grigoriou¹,

Liatifis

Radoglou-Grammatikis

et al. 2022

2022 IEEE International Conference on Cyber Security and Resilience (CSR)

Self Cite

View full text Add to dashboard Cite

Both signature-based and anomaly-based Intrusion Detection and Prevention System (IDPS) have already demonstrated their efficiency towards recognising and mitigating various intrusions. However, the first category cannot detect zero-day attacks, while the second one lacks the presence of appropriate datasets. Therefore, the presence of additional cybersecurity mechanisms is necessary, especially in the area of the Industrial Internet of Things (IIoT), including critical infrastructures, such as the smart electrical grid. Thus, honeypots are used to hide and protect critical assets. IEC 60870-5-104 (IEC104) is a widely used telemetry protocol in Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA). However, IEC104 lacks critical security features, such as encryption, integrity protection and authentication. This work presents the IEC104 honeypot, which is capable of hiding the actual IEC104 assets and detecting potential intrusions and anomalies. The experimental results demonstrate the effectiveness of our work.

show abstract

“…Regarding the anomaly detection methods for IEC-104, some multivariate access control and outlier detection approaches have been proposed using extracted packet information and communication statistics through Scapy [35] and CICFlowMeter [36] for anomaly detection [37]. In the area of statistically based anomaly detection on IEC-104, the work in [38] presents a 3-value detection method that independently compares the number of packets transmitted in three consecutive time windows against a statistical profile and reports anomalies when a deviation from the specified range is detected.…”

Section: Related Workmentioning

confidence: 99%

On specification-based cyber-attack detection in smart grids

et al. 2022

View full text Add to dashboard Cite

The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

show abstract

An Anomaly Detection Mechanism for IEC 60870-5-104

Cited by 18 publications

References 13 publications

Improving anomaly detection in SCADA network communication with attribute extension

Improving anomaly detection in SCADA network communication with attribute extension

Protecting IEC 60870-5-104 ICS/SCADA Systems with Honeypots

On specification-based cyber-attack detection in smart grids

Contact Info

Product

Resources

About