
    SCADA System Testbed for Cybersecurity Research Using Machine Learning Approach

    This paper presents the development of a Supervisory Control and Data Acquisition (SCADA) system testbed used for cybersecurity research. The testbed consists of a water storage tank's control system, which is one stage in the process of water treatment and distribution. Sophisticated cyber-attacks were conducted against the testbed. During the attacks, the network traffic was captured, and features were extracted from the traffic to build a dataset for training and testing different machine learning algorithms. Five traditional machine learning algorithms were trained to detect the attacks: Random Forest, Decision Tree, Logistic Regression, Naive Bayes and KNN. The trained machine learning models were then built and deployed in the network, where new tests were made using online network traffic. The performance obtained during the training and testing of the machine learning models was compared to the performance obtained during the online deployment of these models in the network. The results show the efficiency of the machine learning models in detecting the attacks in real time. The testbed provides a good understanding of the effects and consequences of attacks on real SCADA environments.
    Comment: E-Preprin

    Can Intrusion Detection Implementation be Adapted to End-User Capabilities?

    In an environment where technical solutions for securing networked systems are commonplace, there still exist problems in the implementation of such solutions for home and small business users. One component of this protection is the use of intrusion detection systems. Intrusion detection monitors network traffic for suspicious activity, performs access blocking and alerts the system administrator or user of potential attacks. This paper reviews the basic function of intrusion detection systems and maps them to an existing end-user capability framework. Using this framework, implementation guidance and systematic improvement in the implementation of this security measure are defined.

    Detection techniques in operational technology infrastructure

    In previous decades, cyber-attacks were not considered a threat to critical infrastructure. However, as the Information Technology (IT) and Operational Technology (OT) domains converge, the vulnerability of OT infrastructure is being exploited. Nation-states, cyber criminals and hacktivists are moving to benefit from economic and political gains. The OT network, i.e. the Industrial Control System (ICS), is referred to within OT infrastructure as Supervisory Control and Data Acquisition (SCADA). SCADA systems were introduced primarily to optimise the data transfer within OT network infrastructure. The introduction of SCADA can be traced back to the 1960s, a time when cyber-attacks were not considered. Hence, SCADA networks and associated systems are highly vulnerable to cyber-attacks, which can ultimately result in catastrophic events. Historically, intrusion detection systems in converged IT/OT networks have been deployed on, and monitor, the IT side of the network. While academic research into OT-specific intrusion detection is not a new direction, applications to real systems are few and lack the contextual information required to make intrusion detection systems actionable. This paper provides an overview of cyber security in OT SCADA networks. Through evaluating the historical development of OT systems and protocols, a range of current issues caused by the IT/OT convergence is presented. A number of publicly disclosed SCADA vulnerabilities are outlined, in addition to approaches for detecting attacks in OT networks. The paper concludes with a discussion of what the future of interconnected OT systems should entail, and the potential risks of continuing with an insecure design philosophy.

    Improving intrusion detection systems using data mining techniques

    Recent surveys and studies have shown that cyber-attacks have caused a lot of damage to organisations, governments, and individuals around the world. Although developments are constantly occurring in the computer security field, cyber-attacks still cause damage as they are developed and evolved by hackers. This research looked at some industrial challenges in the intrusion detection area. The research identified two main challenges. The first is that signature-based intrusion detection systems such as SNORT lack the capability of detecting attacks with new signatures without human intervention. The other challenge is related to multi-stage attack detection, where signature-based detection has been found not to be efficient. The novelty in this research is presented through developing methodologies tackling the mentioned challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on a decision tree, while the second layer is a hybrid module that uses two data mining techniques: neural networks and fuzzy logic. The second layer tries to detect new attacks in case the first one fails to detect them. This system detects attacks with new signatures, and then updates the SNORT signature holder automatically, without any human intervention. The obtained results have shown that a high detection rate can be obtained for attacks with new signatures. However, it has been found that the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of participants in the traffic, rather than the sequence and contents of the traffic. The results have shown that this approach can help in predicting attacks at very early stages in some scenarios. However, it has been found that combining this approach with a different approach that looks at the sequence and contents of the traffic, such as event-correlation, will achieve a better performance than each approach individually.

    A Cognitive Framework to Secure Smart Cities

    The advancement in technology has transformed Cyber Physical Systems and their interface with IoT into a more sophisticated and challenging paradigm. As a result, vulnerabilities and potential attacks manifest themselves considerably more than before, forcing researchers to rethink the conventional strategies that are currently in place to secure such physical systems. This manuscript studies the complex interweaving of sensor networks and physical systems and suggests a foundational innovation in the field. In sharp contrast with the existing IDS and IPS solutions, in this paper a preventive and proactive method is employed to stay ahead of attacks by constantly monitoring network data patterns and identifying threats that are imminent. Here, by capitalizing on the significant progress in processing power (e.g. petascale computing) and storage capacity of computer systems, we propose a deep learning approach to predict and identify various security breaches that are about to occur. The learning process takes place by collecting a large number of files of different types and running tests on them to classify them as benign or malicious. The prediction model obtained in this way can then be used to identify attacks. Our project articulates a new framework for interactions between physical systems and sensor networks, where malicious packets are repeatedly learned over time while the system continually operates with respect to imperfect security mechanisms.