
    Cyberthreats, Attacks and Intrusion Detection in Supervisory Control and Data Acquisition Networks

    Supervisory Control and Data Acquisition (SCADA) systems are computer-based process control systems that interconnect and monitor remote physical processes. Many real-world incidents and cyber-attacks affecting SCADA systems have been documented, and they clearly illustrate the vulnerability of critical infrastructure. These reported incidents demonstrate that cyber-attacks against SCADA systems can cause financial damage and harm to humans and their environment. This dissertation documents four contributions towards increased security for SCADA systems. First, a set of cyber-attacks was developed. Second, each attack was executed against two fully functional SCADA systems in a laboratory environment: a gas pipeline and a water storage tank. Third, signature-based intrusion detection system (IDS) rules were developed and tested which generate alerts when the aforementioned attacks are executed against a SCADA system. Fourth, a set of features was developed for a decision-tree-based anomaly IDS; the features were tested using the datasets developed for this work. This dissertation documents cyber-attacks on both serial-based and Ethernet-based SCADA networks. Four categories of attacks against SCADA systems are discussed: reconnaissance, malicious response injection, malicious command injection and denial of service. In order to evaluate the performance of data mining and machine learning algorithms for intrusion detection in SCADA systems, a network dataset for benchmarking intrusion detection systems was generated. This dataset includes different classes of attacks that simulate different attack scenarios on process control systems. The dissertation describes four SCADA network intrusion detection datasets: a full and an abbreviated dataset for each of the gas pipeline and water storage tank systems. Each feature in the dataset is captured from network flow records. The dataset groups two different categories of features that can be used as input to an intrusion detection system. First, network traffic features describe the communication patterns in a SCADA system. This research developed both a signature-based IDS and an anomaly-based IDS for the gas pipeline and water storage tank serial-based SCADA systems. The performance of both types of IDS was evaluated by measuring detection rate and the prevalence of false positives.
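An added illustration, not the dissertation's own code, rules or data, of what one signature rule per attack category (reconnaissance, malicious command injection, malicious response injection, denial of service) and a flow-record feature vector for an anomaly-based IDS can look like. The field protocol is abstracted to generic register read/write/response records; the record layout, the host names hmi/plc/rogue, the register addresses, the sample traffic and every threshold are constructed assumptions, and a real deployment would take the limits from the process engineering data and the protocol in use.

```python
"""Signature-style checks over SCADA flow records, one per attack category.

Added example: this is not code from the dissertation. The record layout
(a generic register read/write/response abstraction rather than a specific
fieldbus protocol), the sample traffic and every threshold below are
constructed for illustration.
"""
from collections import defaultdict

# Constructed sample flow records: (time_s, src, dst, op, address, value).
# op is "read", "write", or "resp" (a response carrying a measurement).
RECORDS = [
    (0.0, "hmi", "plc", "read", 40001, None),
    (0.1, "plc", "hmi", "resp", 40001, 55.0),
    (1.0, "hmi", "plc", "write", 40010, 60.0),    # normal setpoint change
    (2.0, "hmi", "plc", "read", 40001, None),
    (2.1, "plc", "hmi", "resp", 40001, 56.0),
    # reconnaissance: one host sweeps many register addresses within a second
    *[(3.0 + i * 0.01, "rogue", "plc", "read", 40001 + i, None) for i in range(40)],
    # malicious command injection: setpoint far outside the engineering range
    (5.0, "rogue", "plc", "write", 40010, 900.0),
    # malicious response injection: measurement changes faster than physics allows
    (6.0, "hmi", "plc", "read", 40001, None),
    (6.1, "plc", "hmi", "resp", 40001, 5.0),
    # denial of service: request flood from a single source
    *[(8.0 + i * 0.001, "rogue", "plc", "read", 40001, None) for i in range(400)],
]

# Assumed (hypothetical) limits: engineering range per setpoint register, the
# maximum plausible rate of change per measurement register, and rate thresholds.
SETPOINT_RANGE = {40010: (0.0, 100.0)}
MAX_RATE = {40001: 5.0}              # units per second
SCAN_ADDRS, SCAN_WINDOW = 20, 1.0    # distinct addresses read within the window
FLOOD_MSGS, FLOOD_WINDOW = 200, 1.0  # messages from one source within the window


def detect(records):
    """Run the four signature checks; return alerts in time order.

    Rate-based alerts (reconnaissance, denial of service) fire once per source
    so a single sweep or flood does not produce hundreds of identical alerts.
    """
    alerts, seen = [], set()
    last_resp = {}                  # address -> (time, value) of last response
    reads = defaultdict(list)       # src -> [(time, address)]
    msgs = defaultdict(list)        # src -> [time]

    def alert(t, category, src, detail):
        alerts.append({"time": t, "category": category, "src": src, "detail": detail})

    for t, src, dst, op, addr, val in records:
        msgs[src].append(t)
        if op == "write" and addr in SETPOINT_RANGE:
            lo, hi = SETPOINT_RANGE[addr]
            if not lo <= val <= hi:
                alert(t, "command_injection", src,
                      f"write {val} to {addr} outside [{lo}, {hi}]")
        if op == "resp" and addr in MAX_RATE:
            if addr in last_resp:
                t0, v0 = last_resp[addr]
                rate = abs(val - v0) / (t - t0)
                if rate > MAX_RATE[addr]:
                    alert(t, "response_injection", src,
                          f"{addr} changed {v0}->{val} at {rate:.1f}/s")
            last_resp[addr] = (t, val)
        if op == "read":
            reads[src].append((t, addr))
            distinct = {a for ts, a in reads[src] if t - ts <= SCAN_WINDOW}
            if len(distinct) >= SCAN_ADDRS and ("reconnaissance", src) not in seen:
                seen.add(("reconnaissance", src))
                alert(t, "reconnaissance", src,
                      f"{len(distinct)} distinct addresses in {SCAN_WINDOW}s")
        recent = sum(1 for ts in msgs[src] if t - ts <= FLOOD_WINDOW)
        if recent >= FLOOD_MSGS and ("denial_of_service", src) not in seen:
            seen.add(("denial_of_service", src))
            alert(t, "denial_of_service", src, f"{recent} messages in {FLOOD_WINDOW}s")
    return alerts


def window_features(records, width=1.0):
    """Per-(source, time window) feature vector of the kind an anomaly-based
    (e.g. decision tree) IDS is trained on: message count, distinct addresses
    touched, and write count. Returns {(src, window_index): (msgs, addrs, writes)}."""
    feats = {}
    for t, src, dst, op, addr, val in records:
        f = feats.setdefault((src, int(t // width)), [0, set(), 0])
        f[0] += 1
        f[1].add(addr)
        f[2] += op == "write"
    return {k: (m, len(a), w) for k, (m, a, w) in feats.items()}


if __name__ == "__main__":
    for a in detect(RECORDS):
        print(f"{a['time']:7.3f} {a['category']:<20} {a['src']:<6} {a['detail']}")
    for key, vec in sorted(window_features(RECORDS).items()):
        print(key, vec)
```

The signature checks need the process limits spelled out up front, which is exactly the contextual information the abstract says was needed to make the rules fire on the testbed attacks; the `window_features` output is the kind of per-window vector that a decision tree can be trained on without any such rule being written by hand.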

    Detection techniques in operational technology infrastructure

    In previous decades, cyber-attacks were not considered a threat to critical infrastructure. However, as the Information Technology (IT) and Operational Technology (OT) domains converge, the vulnerability of OT infrastructure is being exploited. Nation-states, cyber criminals and hacktivists are moving to benefit from economic and political gains. Within OT infrastructure, the OT network, i.e. the Industrial Control System (ICS), is commonly referred to as Supervisory Control and Data Acquisition (SCADA). SCADA systems were introduced primarily to optimise data transfer within the OT network infrastructure. The introduction of SCADA can be traced back to the 1960s, a time when cyber-attacks were not considered. Hence SCADA networks and associated systems are highly vulnerable to cyber-attacks, which can ultimately result in catastrophic events. Historically, intrusion detection systems in converged IT/OT networks have been deployed on, and monitor, the IT side of the network. While academic research into OT-specific intrusion detection is not a new direction, applications to real systems are few and lack the contextual information required to make intrusion detection systems actionable. This paper provides an overview of cyber security in OT SCADA networks. Through evaluating the historical development of OT systems and protocols, a range of current issues caused by the IT/OT convergence is presented. A number of publicly disclosed SCADA vulnerabilities are outlined, in addition to approaches for detecting attacks in OT networks. The paper concludes with a discussion of what the future of interconnected OT systems should entail, and the potential risks of continuing with an insecure design philosophy.

    Tunkeutumisenesto ja havainnointi käytönvalvontajärjestelmissä (Intrusion prevention and detection in supervisory control systems)

    This engineering thesis studied the applicability of intrusion prevention and detection systems (IDPS) to modern SCADA (supervisory control) systems. The work was carried out for Helsingin Energia (Helsinki Energy), a significant energy service provider in Finland. The first part examines, on a theoretical level, the architecture, components and information security requirements of SCADA systems, as well as the most common SCADA protocols in use and their structures. The second part studies how intrusion prevention and detection techniques work and the principles of their design. The thesis also produced a requirements specification and an implementation plan for an IDPS designed for SCADA systems. The results show that the supply of IDPS protocol definitions (protocol filters) for the SCADA protocols used in the Nordic countries is scarce. Furthermore, the deployment of such definitions must be approached with caution because of the criticality of the systems. Nevertheless, IDPS systems were found to raise the information security level of SCADA systems through their other features. The thesis also emphasised the importance of integrating the IDPS into maintenance and management processes, and of caring for its lifecycle. The study succeeded in defining the requirements and creating an implementation plan for intrusion prevention and detection in SCADA networks.

    A survey of intrusion detection system technologies

    This paper provides an overview of IDS types and how they work, as well as configuration considerations and issues that affect them. Advanced methods of increasing the performance of an IDS are explored, such as specification-based IDS for protecting Supervisory Control And Data Acquisition (SCADA) and cloud networks. By reviewing varied studies, ranging from configuration issues and specific problems to custom techniques and cutting-edge research, the paper provides a reference for others interested in learning about and developing IDS solutions. Intrusion detection is an area of much-needed study, in order to provide solutions that keep pace with evolving services and the networks and systems that support them. This paper aims to be a reference on IDS technologies for other researchers and developers interested in the field of intrusion detection.

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks and manufacturing facilities. The pervasiveness, miniaturisation and declining cost of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote access, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's in order to determine weaknesses and loopholes in defences. Such a mindset helps to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability.

    Time is of the Essence: Machine Learning-based Intrusion Detection in Industrial Time Series Data

    The Industrial Internet of Things drastically increases the connectivity of devices in industrial applications. In addition to the benefits in efficiency, scalability and ease of use, this creates novel attack surfaces. Historically, industrial networks and protocols have lacked security mechanisms such as authentication and encryption, which this development now makes necessary. Thus, industrial IT security is needed. In this work, emulated industrial network data is transformed into a time series and analysed with three different algorithms. The data contains labelled attacks, so the performance can be evaluated. Matrix Profiles perform well with almost no parameterisation needed. Seasonal Autoregressive Integrated Moving Average (SARIMA) performs well in the presence of noise, but requires parameterisation effort. Long Short-Term Memory (LSTM) based neural networks perform mediocrely while requiring high training and parameterisation effort. Comment: Extended version of a publication in the 2018 IEEE International Conference on Data Mining Workshops (ICDMW).
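An added example, not code from the paper, of the Matrix Profile approach it favours: for every length-m subsequence of a sensor time series, the distance to its nearest non-trivial neighbour is computed, and the subsequence whose nearest neighbour is farthest away (the discord) is reported as the anomaly. This uses the brute-force definition (z-normalised Euclidean distance between every pair of subsequences, with an exclusion zone around trivial self-matches) rather than the fast STOMP/SCRIMP algorithms used in practice, and the periodic "pump cycle" signal with an injected stuck-sensor segment is constructed here for illustration.

```python
"""Matrix-profile discord detection on a constructed industrial time series.

Added example: this is not code from the paper. It implements the matrix
profile by its brute-force O(n^2 m) definition, not the fast STOMP/SCRIMP
algorithms. The signal and the injected anomaly are constructed here.
"""
import math


def znorm(window):
    """Z-normalise a window; a constant window (e.g. a stuck sensor) maps to zeros."""
    mu = sum(window) / len(window)
    sd = math.sqrt(sum((v - mu) ** 2 for v in window) / len(window))
    if sd == 0.0:
        return [0.0] * len(window)
    return [(v - mu) / sd for v in window]


def matrix_profile(series, m):
    """Return (profile, index).

    profile[i] is the z-normalised Euclidean distance from the subsequence
    starting at i to its nearest neighbour outside the exclusion zone
    |i - j| <= m // 2; index[i] is that neighbour's start position.
    A subsequence that recurs elsewhere gets a profile value near 0; one that
    matches nothing (a discord) gets a large value.
    """
    n = len(series) - m + 1
    excl = m // 2
    z = [znorm(series[i:i + m]) for i in range(n)]
    profile, index = [math.inf] * n, [-1] * n
    for i in range(n):
        for j in range(n):
            if abs(i - j) <= excl:
                continue
            d = math.sqrt(sum((a - b) ** 2 for a, b in zip(z[i], z[j])))
            if d < profile[i]:
                profile[i], index[i] = d, j
    return profile, index


def top_discord(series, m):
    """Start position and score of the most anomalous length-m subsequence."""
    profile, _ = matrix_profile(series, m)
    start = max(range(len(profile)), key=profile.__getitem__)
    return start, profile[start]


def make_series():
    """Constructed signal: a 10-sample periodic pump cycle repeated 20 times,
    with a flat-lined (stuck sensor) segment injected at samples 120-129."""
    cycle = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 4.0, 3.0, 2.0, 1.0]
    series = [v for _ in range(20) for v in cycle]
    for k in range(120, 130):
        series[k] = 3.0
    return series


if __name__ == "__main__":
    s = make_series()
    start, score = top_discord(s, m=10)
    print(f"discord starts at sample {start} (score {score:.3f}): {s[start:start + 10]}")
```

The only parameter is the subsequence length m, which matches the paper's remark that Matrix Profiles need almost no parameterisation; here m equals one cycle of the process. Every window that repeats elsewhere in the series gets a profile value of exactly 0, while the flat window starting at sample 120 sits at distance sqrt(m) from everything, so the discord always lands inside the injected segment.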

    Intrusion Detection in SCADA Networks
