
    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining cost of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote access, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such a mindset helps to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    SCADA Intrusion Detection System Test Framework

    Master's thesis, Information and Communication Technology IKT590, University of Agder, 2017
    Supervisory control and data acquisition (SCADA) systems play an important role in our critical infrastructure (CI). Several of the protocols used in SCADA communication are old and lack security mechanisms. This master's thesis presents a SCADA Intrusion Detection System Test Framework that can be used to simulate SCADA traffic and detect malicious network activity. The framework uses a signature-based approach and utilizes two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ship detected events to a distributed cluster and visualize them using a web interface. The experiments carried out in this project show that there is generally little difference between Suricata's and Snort's ability to detect malicious traffic. Suricata is compatible with signatures written in Snort's lightweight rule description language. I did, however, discover some compatibility issues. The proposed framework applies additional latency to the analysis of IDS events. The perceived latency was generally higher for Snort events than for Suricata events. The reason for this is probably the additional processing time applied by the implemented log conversion tool. Keywords: SCADA, IDS, SIE

    A Survey on Industrial Control System Testbeds and Datasets for Security Research

    The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damage. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, academia, industry, and government are increasingly proposing testbeds (i.e., scaled-down versions of ICSs or simulations) to test the performance of IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in the state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs

    Intrusion Detection System of industrial control networks using network telemetry

    Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs used air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell, and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, they did not include any of the security measures needed for proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry-based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of traffic telemetry features to classify incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address spoofing or encryption, as it does not utilize the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software is, in fact, a combination that is benign, as well as whether or not it resides on a network that is benign. The results of the experiments conducted for this dissertation establish that such a system is possible to create and use in an environment of ICS networks. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system that can be paired with machine learning algorithms to allow for high-accuracy detection of intrusions into the ICS network. The results showed that a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too
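    The telemetry-only approach described above, as an added illustration that is not the dissertation's own code: a sender is judged from the timing and packet-size statistics of its session, never from payload bytes, so an attacker who spoofs a trusted address (or encrypts traffic) is still classified by the timing fingerprint the genuine device has. The feature set, the z-score decision rule, the 20% sigma floor and all of the synthetic traffic are assumptions made for this example.

```python
"""Telemetry-only intrusion detection for an ICS/SCADA network.

Added example, not the dissertation's code. Feature set, z-score rule,
sigma floor and the synthetic traffic below are constructed assumptions.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Sequence


@dataclass(frozen=True)
class Packet:
    src: str     # claimed source address; may be spoofed, so it is never trusted
    t: float     # capture timestamp, seconds
    size: int    # bytes on the wire


def session_features(pkts: Sequence[Packet]) -> Dict[str, float]:
    """Timing and size statistics of one session (assumed feature set)."""
    ts = sorted(p.t for p in pkts)
    iats = [b - a for a, b in zip(ts, ts[1:])]
    if not iats:
        raise ValueError("a session needs at least two packets")
    sizes = [p.size for p in pkts]
    return {
        "iat_mean": mean(iats),     # polling period of the sender
        "iat_std": pstdev(iats),    # scheduler / NIC jitter of the sender
        "size_mean": mean(sizes),   # typical request length
        "size_std": pstdev(sizes),
    }


class TelemetryProfile:
    """Baseline built from benign sessions; new sessions are scored by z-distance."""

    def __init__(self, benign_sessions: Iterable[Sequence[Packet]]) -> None:
        rows = [session_features(s) for s in benign_sessions]
        if not rows:
            raise ValueError("no training sessions")
        self.mu = {k: mean(r[k] for r in rows) for k in rows[0]}
        # Floor sigma at 20% of the mean: a handful of training sessions
        # underestimates spread, and a tiny sigma would flag benign jitter.
        self.sigma = {
            k: max(pstdev(r[k] for r in rows), 0.2 * abs(self.mu[k]), 1e-9)
            for k in rows[0]
        }

    def score(self, pkts: Sequence[Packet]) -> float:
        """Largest per-feature z-score; grows with the distance from the baseline."""
        f = session_features(pkts)
        return max(abs(f[k] - self.mu[k]) / self.sigma[k] for k in f)

    def classify(self, pkts: Sequence[Packet], threshold: float = 3.0) -> str:
        return "benign" if self.score(pkts) <= threshold else "malicious"


def synth_session(seed: int, period: float, jitter: float, size: int,
                  n: int = 60, src: str = "10.0.0.7") -> List[Packet]:
    """Constructed traffic generator (not captured data); deterministic per seed."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += max(0.0, rng.gauss(period, jitter))
        out.append(Packet(src, t, size + rng.choice((-1, 0, 1))))
    return out


# Benign PLC poller: 1 s cycle, 10 ms jitter, ~12-byte Modbus/TCP reads.
BENIGN_TRAINING = [synth_session(s, 1.0, 0.01, 12) for s in range(5)]
PROFILE = TelemetryProfile(BENIGN_TRAINING)

# Three sessions that all claim the PLC's address 10.0.0.7.
GENUINE = synth_session(100, 1.0, 0.01, 12)
FLOOD = synth_session(101, 0.1, 0.01, 12)        # same payload shape, 10x the rate
OTHER_HOST = synth_session(102, 1.0, 0.10, 12)   # right period, different jitter


def verdicts() -> Dict[str, str]:
    """Classification of the three constructed sessions against the baseline."""
    return {
        "genuine": PROFILE.classify(GENUINE),
        "flood": PROFILE.classify(FLOOD),
        "other_host": PROFILE.classify(OTHER_HOST),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:10s} -> {verdict}  (score {PROFILE.score(globals()[name.upper()]):.1f})")
```

    The spoofed sessions are caught without reading a single payload byte: the flood deviates in mean inter-arrival time, the other host in jitter. A real deployment would learn the baseline per (device, protocol) pair and would replace the hand-set z-score threshold with the trained classifier the dissertation describes.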

    Distributed intrusion detection/prevention system design and implementation for secure SCADA communication in smart grid

    Cybersecurity, an expanding research area, has tremendous importance for critical infrastructures. Organizations in the power, oil, and gas sectors use SCADA communication to manage and control their outstations across a wide area. Some of the standard SCADA protocols used to control, share, and exchange real-time information are DNP3, Modbus and IEC 61850. The communication involves both cyber and physical system processes and requires high availability and integrity of the data. DNP3, a TCP-based protocol, is widely used in these infrastructures. With the cyber component involved, the systems are susceptible to network-based intrusions and cyber attacks. Since the communication is between the control center and its vast network of outstations, it becomes a challenge to monitor and control the network activity of the whole system. This creates a demand for visualization of different network areas and a need to monitor their network activity from a single console. This work presents a framework to bring a distributed setup of the intrusion detection system and provide an optimal solution to detect network intrusions and abnormal behavior. The main focus of the work is to provide a single dashboard view to monitor the network activities of different outstations. Further, the design and implementation of the distributed setup are explained for various architectures. Different types of IDS rules based on packet payload, packet flow, and time threshold are generated to show how the attack surface of the system can be reduced and different types of cyber attacks detected. Then IDS testing and evaluation are performed with a set of rules in different sequences. The detection time is measured for different IDS rules, and the results are plotted. All the experiments are conducted in the Power Cyber Lab, ISU, using two-area and 39-Bus power models and presented in CPS and GridEx-based training. After successful testing and evaluation, the knowledge and implementation are transferred to field deployment. In the last section, the conclusion of the work is summarized and possible extensions as future work are discussed
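    The three rule classes named in the abstract above (packet payload, packet flow, time threshold), and the signature-based protocol rule-sets of the Suricata/Snort test framework listed earlier, as one added example that is not the code or rule-set of either work. It inspects Modbus/TCP rather than DNP3 because the MBAP header can be checked by hand without link-layer CRCs; the allow-lists, the 5-requests-per-second threshold, the host addresses and the frames are constructed for the example.

```python
"""Payload, flow and time-threshold rules for Modbus/TCP.

Added example, not the thesis's rules or code. Hosts, allow-lists, the
rate threshold and the frames in TRACE are constructed for illustration.
Timestamps are assumed to arrive in non-decreasing order.
"""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Modbus function codes that change controller state (write coils/registers).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Event:
    t: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload: MBAP header + PDU


@dataclass(frozen=True)
class Modbus:
    tid: int
    unit: int
    function: int
    data: bytes


def parse_modbus_tcp(buf: bytes) -> Optional[Modbus]:
    """Decode MBAP header + PDU; None if the frame is not well-formed."""
    if len(buf) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", buf[:7])
    # Protocol id must be 0; length counts unit id + PDU, i.e. everything after byte 6.
    if pid != 0 or length != len(buf) - 6 or length < 2:
        return None
    return Modbus(tid, unit, buf[7], buf[8:])


class ModbusIDS:
    def __init__(self, allowed_flows: Set[Tuple[str, str, int]], writers: Set[str],
                 rate_count: int, rate_seconds: float) -> None:
        self.allowed_flows = allowed_flows   # (src, dst, dport) triples permitted to talk Modbus
        self.writers = writers               # hosts permitted to issue write functions
        self.rate_count, self.rate_seconds = rate_count, rate_seconds
        self.history: Dict[str, Deque[float]] = defaultdict(deque)

    def inspect(self, ev: Event) -> List[str]:
        alerts: List[str] = []
        # Flow rule: anything outside the engineered flow list is an alert.
        if (ev.src, ev.dst, ev.dport) not in self.allowed_flows:
            alerts.append("flow: unauthorised Modbus/TCP flow")
        # Payload rules: well-formed MBAP, and writes only from engineering hosts.
        frame = parse_modbus_tcp(ev.payload)
        if frame is None:
            alerts.append("payload: malformed Modbus/TCP frame")
        elif frame.function in WRITE_FUNCTIONS and ev.src not in self.writers:
            alerts.append(f"payload: write function {frame.function} from non-engineering host")
        # Time-threshold rule (like Snort's detection_filter track by_src):
        # more than rate_count requests from one source inside rate_seconds.
        window = self.history[ev.src]
        window.append(ev.t)
        while ev.t - window[0] > self.rate_seconds:
            window.popleft()
        if len(window) > self.rate_count:
            alerts.append(f"rate: {len(window)} requests in {self.rate_seconds}s from {ev.src}")
        return alerts


HMI, EWS, PLC, ATTACKER = "10.0.1.10", "10.0.1.11", "10.0.2.5", "10.0.9.9"
# Constructed frames: tid, pid=0, length, unit, function, data.
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")       # FC3 read 10 holding registers
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0013 ff00")    # FC5 force coil 19 ON
WRITE_REG = bytes.fromhex("0003 0000 0006 01 06 0001 1234")     # FC6 preset register 1
BAD_PID = bytes.fromhex("0004 0001 0006 01 03 0000 000a")       # protocol id != 0

TRACE = [
    Event(0.0, HMI, PLC, 502, READ_HR),        # normal poll
    Event(1.0, EWS, PLC, 502, WRITE_COIL),     # engineering workstation write: allowed
    Event(2.0, HMI, PLC, 502, WRITE_COIL),     # HMI must not write
    Event(2.5, ATTACKER, PLC, 502, WRITE_REG), # unknown host, write
    Event(3.0, HMI, PLC, 502, BAD_PID),        # malformed frame
] + [Event(10.0 + k / 10, HMI, PLC, 502, READ_HR) for k in range(6)]  # 6 polls in 0.5 s


def run_demo() -> List[List[str]]:
    ids = ModbusIDS(allowed_flows={(HMI, PLC, 502), (EWS, PLC, 502)},
                    writers={EWS}, rate_count=5, rate_seconds=1.0)
    return [ids.inspect(ev) for ev in TRACE]


if __name__ == "__main__":
    for ev, alerts in zip(TRACE, run_demo()):
        print(f"t={ev.t:5.1f} {ev.src:>10} -> {alerts or 'ok'}")
```

    The flow rule is the cheapest and should run first in a real engine, because it needs no parsing; the payload rule is where protocol knowledge (which function codes are writes, which hosts may issue them) lives; the time-threshold rule is what catches a scan or a replay flood that individually looks like legitimate polling.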

    Modelling the IEC 61850 and DNP3 Protocol Using OPNET in an Electrical Substation Communication Network

    Communication protocols are a component of supervisory control and data acquisition (SCADA) and are used by the devices connected on the SCADA network. In this paper the distributed network protocol (DNP3) and the International Electrotechnical Commission IEC 61850 communication protocol were modelled in OPNET. The simulation of the DNP3 and IEC 61850 communication protocols is done in different scenarios and the traffic behaviour is analysed. The DNP3 protocol is modelled as the medium of communication during the maintenance of a 400 kV transformer at an electrical substation. Its network traffic behaviour is then analysed for this operation. The IEC 61850 protocol is then used as the medium of communication in the same electrical substation communication network (SCN) when a faulty backbone switch is present. In this scenario the network traffic behaviour is again analysed. The DNP3 simulation during the maintenance of the 400 kV transformer shows that the model is working, since the throughput is consistent without dropped packets at the substation RTU end and the 400 kV transformer IED end. The IEC 61850 simulation when a faulty backbone switch is present shows that the model is working in this scenario, since the throughput is again consistent. When the IEC 61850 protocol is modelled on the SCN, the time delay is 80 μs during normal operation and 100 μs with a faulty switch. This shows that for the IEC 61850 model the time delay increases when there is a faulty backbone switch, but not excessively, since there is a backup switch in the structure. In the DNP3 model during the maintenance of the 400 kV transformer the time delay is approximately 160 μs. The IEC 61850 protocol performs approximately twice as fast as the DNP3 protocol during normal operation in an SCN.
    University of South Africa, Electrical and Mining Engineering

    Enhancing Cyber-Resiliency of DER-based SmartGrid: A Survey

    The rapid development of information and communications technology has enabled the use of digitally controlled and software-driven distributed energy resources (DERs) to improve the flexibility and efficiency of power supply and support grid operations. However, this evolution also exposes geographically dispersed DERs to cyber threats, including hardware and software vulnerabilities, communication issues, and personnel errors. Therefore, enhancing the cyber-resiliency of the DER-based smart grid - the ability to survive successful cyber intrusions - is becoming increasingly vital and has garnered significant attention from both industry and academia. In this survey, we aim to provide a systematic and comprehensive review regarding cyber-resiliency enhancement (CRE) of the DER-based smart grid. Firstly, an integrated threat modeling method is tailored for the hierarchical DER-based smart grid with special emphasis on vulnerability identification and impact analysis. Then, the defense-in-depth strategies encompassing prevention, detection, mitigation, and recovery are comprehensively surveyed, systematically classified, and rigorously compared. A CRE framework is subsequently proposed to incorporate the five key resiliency enablers. Finally, challenges and future directions are discussed in detail. The overall aim of this survey is to demonstrate the development trend of CRE methods and motivate further efforts to improve the cyber-resiliency of the DER-based smart grid.
    Comment: Submitted to IEEE Transactions on Smart Grid for Publication Consideration

    Power Utility Automation Cybersecurity: IEC 61850 Specification of an Intrusion Detection Function

    The IEC 61850 standard defines a global framework for designing power utility automation systems. The main goal of IEC 61850 being interoperability, it brings information and tools for both system modelling and communication architecture. But cybersecurity measures and propositions are scarce. They should be a priority. To help fill this gap in cybersecurity, we specify a fully IEC 61850-compatible intrusion detection function. This paper explains the procedure of defining functions and the necessary model objects consistent with the standard's requirements. We then detail our intrusion detection function