Adapting Bro into SCADA: Building Specification-based Intrusion Detection System for DNP3 Protocol
Authors
Abstract
Modern SCADA systems are increasingly adopting Internet technology to control industry processes. With their security vulnerabilities exposed to public networks, an attacker is able to penetrate these control systems and put remote facilities in danger. To detect such attacks, SCADA systems require an intrusion detection technique that can monitor network traffic based on proprietary network protocols. To achieve this goal, we adapt Bro, a network traffic analyzer widely used for intrusion detection, for use with SCADA systems. A built-in parser in Bro supports DNP3, a network protocol that is widely used in SCADA systems for electrical power grids. By exploiting Bro’s intrusion detection features, we apply a specification-based technique to analyze the parsed traffic. This built-in parser provides high visibility of network events in SCADA systems. Instead of exploiting an attack signature or a statistical normal pattern, SCADA-specific semantics related to each event are analyzed. Such analyses are made in terms of defined security policies which can be included at runtime. Our experiments are carried out in a laboratory-scale SCADA system environment with well-formatted but malicious network traffic. The detection capability and performance of the Bro-adapted intrusion detection system revealed in the experiments show its potential applicability in a real SCADA system environment.
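The specification-based analysis the abstract describes, as an added Python example that is not the paper's Bro code: a minimal DNP3 link/transport/application header parser plus policy checks, where frames that are well-formed but violate a constructed site policy (master address 1, outstations 10 and 11, no restart commands from the master) raise alerts. CRC verification and object parsing are omitted; in the paper that work is done by Bro's DNP3 parser.

```python
import struct

# DNP3 application-layer function codes (IEEE 1815)
FC_READ, FC_WRITE, FC_SELECT, FC_OPERATE, FC_DIRECT_OPERATE = 1, 2, 3, 4, 5
FC_COLD_RESTART, FC_WARM_RESTART = 13, 14
FC_RESPONSE, FC_UNSOLICITED = 0x81, 0x82

# Constructed site policy: the one master, the known outstations, and the
# application function codes the master is allowed to issue (no restarts).
POLICY = {"master": 1, "outstations": {10, 11},
          "master_allowed_fc": {FC_READ, FC_WRITE, FC_SELECT, FC_OPERATE}}

def parse_frame(raw: bytes) -> dict:
    """Parse DNP3 link, transport and application headers (CRCs skipped, not verified)."""
    if raw[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes 0x05 0x64")
    length, ctrl, dst, src = struct.unpack_from("<BBHH", raw, 2)
    user, pos, remaining = b"", 10, length - 5      # length covers ctrl+dst+src+user data
    while remaining > 0:                            # user data comes in 16-byte blocks, each + 2-byte CRC
        n = min(16, remaining)
        user += raw[pos:pos + n]
        pos, remaining = pos + n + 2, remaining - n
    if len(user) != length - 5 or len(user) < 3:
        raise ValueError("truncated frame")
    return {"src": src, "dst": dst, "dir": ctrl >> 7 & 1, "prm": ctrl >> 6 & 1,
            "link_fc": ctrl & 0x0F, "transport": user[0],
            "app_ctrl": user[1], "app_fc": user[2]}

def check_policy(frame: dict, policy: dict = POLICY) -> list:
    """Return alerts for frames that are well-formed but violate the site policy."""
    alerts, src, fc = [], frame["src"], frame["app_fc"]
    if src != policy["master"] and src not in policy["outstations"]:
        alerts.append(f"unknown source address {src}")
    if frame["dir"] and src != policy["master"]:
        alerts.append(f"DIR bit set by non-master address {src}")
    if src == policy["master"] and fc not in policy["master_allowed_fc"]:
        alerts.append(f"master sent disallowed function code {fc:#x}")
    if src in policy["outstations"] and fc not in (FC_RESPONSE, FC_UNSOLICITED):
        alerts.append(f"outstation {src} sent request function code {fc:#x}")
    return alerts

def build_frame(src: int, dst: int, from_master: bool, app_fc: int) -> bytes:
    """Constructed test frame with zero-filled CRC placeholders."""
    user = bytes([0xC0, 0xC0, app_fc])              # transport FIR|FIN, app FIR|FIN, function code
    ctrl = (0x80 if from_master else 0) | 0x40 | 0x04  # DIR, PRM, link FC 4 = unconfirmed user data
    link = b"\x05\x64" + struct.pack("<BBHH", 5 + len(user), ctrl, dst, src) + b"\x00\x00"
    return link + b"".join(user[i:i + 16] + b"\x00\x00" for i in range(0, len(user), 16))
```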
Similar sources
Using a Specification-based Intrusion Detection System to Extend the DNP3 Protocol with Security Functionalities
Modern SCADA systems are increasingly adopting Internet technologies to control distributed industrial assets. As proprietary communication protocols are increasingly being used over public networks without efficient protection mechanisms, it is increasingly easier for attackers to penetrate into the communication networks of companies that operate electrical power grids, water plants, and othe...
Building Small-Scale Testbed for DNP3 Protocol in SCADA system
SCADA is a type of industrial control system which monitors and controls industrial devices. To adjust to the smart grid, a new method is needed which improves the security of SCADA systems. But a difficulty for small laboratories arises in researching SCADA systems at a large scale, because of building their own testbed. In this paper, a testbed in a lab environment is suggested to attack and defend the DNP3 prot...
Formal Security Analysis of the DNP3-Secure Authentication Protocol
Supervisory Control and Data Acquisition (SCADA) systems are one of the key foundations of many utility industries and critical infrastructures. The Distributed Network Protocol Version 3 (DNP3) is one of the non-proprietary protocols used to facilitate substation communications within SCADA networks via serial lines or TCP/IP protocols. DNP3 is the de facto standard for power grid automation, ho...
Simulated Attack on DNP3 Protocol in SCADA System
Supervisory Control and Data Acquisition (SCADA) systems monitor and control industrial processes in physical critical infrastructures. It is thus of vital importance that any vulnerabilities of SCADA systems must be identified and mitigated. DNP3 is an open SCADA network protocol that is mainly used in electrical utilities. However, the security mechanisms of DNP3 were neglected at its design s...
A Hybrid Framework for Building an Efficient Incremental Intrusion Detection System
In this paper, a boosting-based incremental hybrid intrusion detection system is introduced. This system combines incremental misuse detection and incremental anomaly detection. We use a boosting ensemble of weak classifiers to implement the misuse intrusion detection system. It can identify new types of intrusions that do not exist in the training dataset for incremental misuse detection. As...