Increasing Visibility of IEC 104 Communication in the Smart Grid

Matoušek, Petr; Ryšavý, Ondřej; Gregr, Matej

doi:10.14236/ewic/icscsr19.3

Cited by 5 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A SCADA architecture to monitor inside and outside network traffic is presented in Mahmood et al (2010). A similar course of action is proposed in Matousek et al (2019) where the research highlights gaining visibility of the network characteristics and operations (such as transmission data, connected nodes, malfunctioning nodes, etc.) through analysing network traffic.…”

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

“…Regular analysis of the internal SCADA communication can enrich the operators to get visibility of the SCADA traffic which in turn can aid in understanding the routine network behavior, thus, enabling outlier identification (Mahmood et al 2010;Matousek et al 2019). A SCADA architecture to monitor inside and outside network traffic is presented in Mahmood et al (2010).…”

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

See 1 more Smart Citation

Improving anomaly detection in SCADA network communication with attribute extension

2022

View full text Add to dashboard Cite

Network anomaly detection for critical infrastructure supervisory control and data acquisition (SCADA) systems is the first line of defense against cyber-attacks. Often hybrid methods, such as machine learning with signature-based intrusion detection methods, are employed to improve the detection results. Here an attempt is made to enhance the support vector-based outlier detection method by leveraging behavioural attribute extension of the network nodes. The network nodes are modeled as graph vertices to construct related attributes that enhance network characterisation and potentially improve unsupervised anomaly detection ability for SCADA network. IEC 104 SCADA protocol communication data with good domain fidelity is utilised for empirical testing. The results demonstrate that the proposed approach achieves significant improvements over the baseline approach (average $$F_{1}$$ F 1 score increased from 0.6 to 0.9, and Matthews correlation coefficient (MCC) from 0.3 to 0.8). The achieved outcome also surpasses the unsupervised scores of related literature. For critical networks, the identification of attacks is indispensable. The result shows an insignificant missed-alert rate ($$0.3\%$$ 0.3 % on average), the lowest among related works. The gathered results show that the proposed approach can expose rouge SCADA nodes reasonably and assist in further pruning the identified unusual instances.

show abstract

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

Section: Anomaly Detection In Scada Communication Networkmentioning

confidence: 99%

Improving anomaly detection in SCADA network communication with attribute extension

2022

View full text Add to dashboard Cite

show abstract

“…IEC 104 standards use Application Protocol Data Units, a frame with three formats. The formats distinguish the purpose of transmission: information transfer (I-format), supervisory activities (S-format), and unnumbered control (U-format) (Matoušek, 2017). Each frame has a fixed-length header of Application Protocol Control Information (APCI) and a payload of the Application Service Data Unit (ASDU).…”

Section: The Iec 104 Protocolmentioning

confidence: 99%

Creating Synthetic Attacks with Evolutionary Algorithms for Proactive Defense of Industrial Control Systems

Haynes,

Nguyen,

Rowe

2023

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Industrial control systems (ICS) play an important role in critical infrastructure. Cybersecurity defenders can use honeypots (decoy systems) to capture and study malicious ICS traffic. A problem with existing ICS honeypots is their low interactivity, causing intruders to quickly abandon the attack attempts. This research aims to improve ICS honeypots by feeding them realistic artificially generated packets and examining their behavior to proactively identify functional gaps in defenses. Our synthetic attack generator (SAGO) uses an evolutionary algorithm on known attack traffic to create new variants of Log4j exploits (CVE-2021-44228) and Industroyer2 malware. We tested over 5,200 and 256 unique Log4j and IEC 104 variations respectively, with success rates up to 70 percent for Log4j and 40 percent for IEC 104. We identified improvements to our honeypot's interactivity based on its responses to these attacks. Our technique can aid defenders in hardening perimeter protection against new attack variants.

show abstract