Anomaly Detection in SCADA Systems A Network Based Approach

Supervisory Control and Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities, such as water treatment and distribution facilities, and electricity and gas providers. Historically, SCADA networks were composed by special-purpose embedded devices communicating through proprietary protocols. However, three main trends can be observed in modern deployments: (i) SCADA networks are becoming increasingly interconnected, allowing communication with corporate networks, remote access from engineers and system administrators, and even communication with the Internet; (ii) the use of commercial off-the-shelf devices, such as Windows desktops; and (iii) the adoption of the TCP/IP protocol stack. As a result, these networks become vulnerable to cyber attacks, being exposed to the same threats that plague traditional IT systems. In our view, measurements play an essential role in validating results in network research, and can sometimes lead to surprising insights. Therefore, the first objective of this thesis is to understand how SCADA networks are utilized in practice. To this end, we provide the first comprehensive analysis of real-world SCADA traffic. We analyze five network packet traces collected at four different critical infrastructures: two water treatment facilities, one gas utility, and one (mixed) electricity and gas utility. We show exiting network traffic models developed for traditional IT networks cannot be directly applied to SCADA network traffic. In particular, SCADA networks do not present daily patterns of activity and self-similarity. We also validate two commonly held assumptions regarding SCADA traffic. First, we show that the SCADA connectivity matrix is stable, that is, the list of “who is communicating with whom” typically presents few and small changes. Second, we provide evidence that a large number of SCADA hosts, in particular all Programmable Logic Controllers (PLCs) in our datasets, generate traffic periodically. Based on our analysis of real-world SCADA network traffic, the second objective of this thesis is to exploit the stable connection matrix and the traffic periodicity to perform anomaly detection. In order to exploit the stable connec-