Through the eye of the PLC

Hadžiosmanović, Dina; Sommer, Robin; Zambon, Emmanuele; Hartel, Pieter H.

doi:10.1145/2664243.2664277

Cited by 148 publications

(34 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The data-driven methods proposed in the literature are based on various techniques including state-space model identification [20], auto-regression [8], singular spectrum analysis [2], machine learning [7,12], and data mining [13]. These methods have been evaluated through (i) simulation of, e.g., a chemical process (Tennessee-Eastman) [5], electric power flow (MATPOWER) [21], and water distribution piping systems (EPANET) [18]; (ii) physical testbeds, including water boilers [8] and the SWaT testbed [9]; and (iii) offline experiments on data extracted from real ICS, such as water purification plants [8], water distribution plants [2], and gas pipeline systems [7].…”

Section: Related Workmentioning

confidence: 99%

“…Simulation platforms (e.g., the Tennessee-Eastman process [5]) and physical testbeds (e.g., the SWaT testbed [9]) allow for crafting attacks and evaluating the detection capabilities of the proposed methods under various attack scenarios. Using datasets extracted from real systems (e.g., pipeline SCADA systems [12] and water treatment plants [8]) adds some degree of realism to the evaluation. However, in absence of documented live experiments in real environments, a complete and global understanding of the applicability and efficiency of process-level monitoring is still lacking.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

Almgren

Aoudi

Gustafsson

et al. 2018

Proceedings of the 4th Annual Industrial Control System Security Workshop

View full text Add to dashboard Cite

Much research effort has recently been devoted to securing Industrial Control Systems (ICS) in response to the increasing number of adverse incidents targeting nationwide critical infrastructures. Leveraging the static and regular nature of the behavior of control systems, various data-driven methods that monitor the processlevel network have been proposed as a defensive measure. Although these methods have been evaluated through offline analysis of ICSrelated datasets, in absence of documented live experiments in real environments, a complete and global understanding of the applicability and efficiency of process-level monitoring is still lacking. In this work, we describe our experience of running a fully fledged intrusion detection system in an operational paper factory for 75 days. We discuss the nuts and bolts of running such systems in real environments and underline several practical challenges in meeting ICS-specific requirements. This work essentially aims at bridging the gap between ICS intrusion detection research and practice, and empirically validating the increasingly adopted data-driven approach to process-level monitoring.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

Almgren

Aoudi

Gustafsson

et al. 2018

Proceedings of the 4th Annual Industrial Control System Security Workshop

View full text Add to dashboard Cite

show abstract

“…Hoyos et al [8] describe a message authentication attack on a network operating with the IEC-61850 standard and running the GOOSE protocol. Several examples of attacks feasible on Programmable Logic Controllers (PLCs) that run a Modbus protocol are described in the literature [7]. Moving on to smart grid infrastructures we see descriptions of potential attacks on smart grids and how the dynamics of such networks differ in terms of timing characteristics compared to traditional ones [15].…”

Section: Related Workmentioning

confidence: 99%

Exploiting Bro for Intrusion Detection in a SCADA System

Udd

Asplund

Nadjm‐Tehrani

et al. 2016

Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security

View full text Add to dashboard Cite

Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects makes adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats and benign malconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response was adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done to an existing protocol parser to extend its reach.

show abstract

“…In a SCADA environment the attacks are infrequent and likely to be unique to the specific environment under attack, therefore rule sets built from the analysis of one attack are unlikely to detect future attacks (Hadžiosmanović et al 2014). …”

Section: Vulnerabilitiesmentioning

confidence: 99%

“…There have been previous works on incorporating SCADA traffic monitoring into firewalls and IDS (Intrusion Detection Systems), such as the VIKING project by Giani et al (2009), which suggests using an application-level module in the IDS to detect data anomalies and suspicious traffic. Hadžiosmanović et al (2014) used a network tap to capture and inspect raw network packets at the PLC interface. Their approach inspects the content of messages and categorised them as (1) control, (2) reporting, (3) measurement and (4) program state.…”

Section: Firewall and Intrusion Detection Systemsmentioning

confidence: 99%

Towards a Distributed Runtime Monitor for ICS/SCADA Systems

Wain

Reiff-Marganiec

Jones

et al. 2016

Electronic Workshops in Computing

View full text Add to dashboard Cite

Industrial Control Systems (ICS) and SCADA (Supervisory Control and Data Acquisition) systems are typically used in industries such as electricity generation and supply, gas supply, logistics, manufacturing and hospitals and are considered critical national infrastructure. The evolution of these systems from isolated environments into internet connected ones, in combination with their long service life and real-time nature have raised severe security concerns in the event of a cyber-attack. In this paper, we review the current literature surrounding the threats, vulnerabilities, exploits and existing approaches to securing vulnerable SCADA systems. We then focus specifically on the development of a distributed online runtime monitor to detect violations of safety properties. We conclude with suggestions for further research needed to progress the state of the art in the area of distributed online runtime verification of SCADA systems.

show abstract

Through the eye of the PLC

Cited by 148 publications

References 28 publications

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

The Nuts and Bolts of Deploying Process-Level IDS in Industrial Control Systems

Exploiting Bro for Intrusion Detection in a SCADA System

Towards a Distributed Runtime Monitor for ICS/SCADA Systems

Contact Info

Product

Resources

About