18,553 research outputs found

    On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems

    Industrial control system communication networks are vulnerable to reconnaissance, response injection, command injection, and denial of service attacks. Such attacks can lead to an inability to monitor and control industrial control systems and can ultimately lead to system failure. This can result in financial loss for control system operators and economic and safety issues for the citizens who use these services. This paper describes a set of 28 cyber attacks against industrial control systems which use the MODBUS application layer network protocol. The paper also describes a set of standalone and state based intrusion detection system rules which can be used to detect cyber attacks and to store evidence of attacks for post incident analysis. All attacks described in this paper were validated in a laboratory environment. The detection rate of the intrusion detection system rules presented by attack class is also presented.

    Improving SIEM for critical SCADA water infrastructures using machine learning

    Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.). Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks; therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work helps in accelerating the mitigation process by notifying the operator with additional information when an anomaly occurs. This additional information includes the probability and confidence level of event(s) occurring. The model is trained and tested using a real-world dataset.

    Detection of cyber-attacks in systems with distributed control based on support vector regression

    Concept of Industry 4.0 and implementation of Cyber Physical Systems (CPS) and Internet of Things (IoT) in industrial plants are changing the way we manufacture. Introduction of industrial IoT leads to ubiquitous communication (usually wireless) between devices in industrial control systems, thus introducing numerous security concerns and opening up wide space for potential malicious threats and attacks. As a consequence of various cyber-attacks, fatal failures can occur on system parts or the system as a whole. Therefore, security mechanisms must be developed to provide sufficient resilience to cyber-attacks and keep the system safe and protected. In this paper we present a method for detection of attacks on sensor signals, based on ε-insensitive support vector regression (ε-SVR). The method is implemented on publicly available data obtained from Secure Water Treatment (SWaT) testbed as well as on a real-world continuous time controlled electro-pneumatic positioning system. In both cases, the method successfully detected all considered attacks (without false positives).

    The security robustness of Modbus/TCP protocol in industrial control systems

    Since most Industrial Control Systems (ICS) have been isolated from public networks, there has not been a colossal need to secure them. However, in most of today's applications, systems such as Experimental Physics and Industrial Control Systems (EPICS), Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) are getting connected to the internet without paying attention to the security robustness of these devices. Industrial Control Systems (ICS) such as SCADA, DCS, PLCs are communicating with industrial equipment such as actuators, sensors, motors, and pumps using a special communication protocol called Modbus. For remote applications, multiple PLCs can be connected to each other to form a controlling network that uses the Modbus/TCP communication protocol utilizing private/public networks. This research focuses on examining the security vulnerability of the Modbus/TCP protocol. To achieve this goal the researcher utilizes a Modbus PLC simulator to simulate different cyber attacks through the local network. The cyber attacks have been formed using the MBTGET Perl script and Metasploit module, in the Kali Linux penetration testing operating system. Our research shows some of the major security vulnerabilities in the Modbus/TCP protocol, which is one of the main communication protocols of ICS systems.