Intrusion Detection in SCADA Networks
Supervisory Control and Data Acquisition (SCADA) systems are a critical part of large industrial facilities, such as water distribution infrastructures. With the goal of reducing costs and increasing efficiency, these systems are becoming increasingly interconnected. However, this has also exposed them to a wide range of network security problems. Our research focuses on the development of a novel flow-based intrusion detection system. Based on the assumption that SCADA networks are well-behaved, we believe that it is possible to model the normal traffic by establishing relations between network flows. To improve accuracy and provide more information on the anomalous traffic, we will also research methods to derive a flow-based model for anomalous flows.
Using Bloom Filters to Ensure Access Control and Authentication Requirements for SCADA Field Devices
Part 2: CONTROL SYSTEMS SECURITY
Critical infrastructure cannot operate without SCADA systems; this has made the task of securing SCADA systems a national security priority. While progress has been made in securing control networks, security at the field device level is still lacking. Field devices present unique security challenges, and these challenges are compounded by the presence of legacy devices. This paper describes a technique that uses Bloom filters to implement challenge-response authentication and role-based access control in field devices. The approach, which is implemented in an in-line security pre-processor, provides rapid, constant-time access checks. Experiments involving a prototype device demonstrate that the false positive rate can be kept arbitrarily low and that the real-time performance is acceptable for many SCADA applications.
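The access-control half of the technique can be illustrated with a small Bloom filter: every permitted (role, unit id, Modbus function code) triple is hashed into a fixed bit array, and an access check costs exactly k bit tests regardless of how many rules the policy holds. The filter never denies a permitted request (no false negatives); its only error is a false positive, i.e. granting a request that was never whitelisted, and that rate is driven down by enlarging the bit array. The code below is an added example written for this page, not the paper's pre-processor implementation; the rule encoding, the sample policy, the filter parameters (8192 bits, 7 hashes) and the use of SHA-256 double hashing are all assumptions.

```python
"""Bloom-filter role-based access check for a SCADA field device (added example)."""
from __future__ import annotations

import hashlib
import math


class BloomFilter:
    """Fixed-size bit array with k hash positions per item; no false negatives."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.n = 0  # items inserted, used only for the false-positive estimate

    def _positions(self, item: str) -> list:
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride is never 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, item: str) -> bool:
        # Constant time in the number of rules: always exactly k bit tests.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def expected_fpr(self) -> float:
        """Classic estimate (1 - e^{-kn/m})^k; raise m to push it down."""
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


def rule_key(role: str, unit_id: int, function_code: int) -> str:
    """Canonical encoding of one (role, device, Modbus function) permission (assumed format)."""
    return f"{role}|{unit_id}|{function_code:#04x}"


def build_acl(rules, m_bits: int = 8192, k_hashes: int = 7) -> BloomFilter:
    acl = BloomFilter(m_bits, k_hashes)
    for role, unit_id, fc in rules:
        acl.add(rule_key(role, unit_id, fc))
    return acl


def is_allowed(acl: BloomFilter, role: str, unit_id: int, function_code: int) -> bool:
    """True means 'possibly permitted'; False is a certain denial."""
    return rule_key(role, unit_id, function_code) in acl


# Constructed sample policy (hypothetical roles): operators may read holding
# registers (0x03) and write single registers (0x06) on units 1 and 2; the
# historian may only read holding/input registers (0x03/0x04) on unit 1.
SAMPLE_RULES = [
    ("operator", 1, 0x03), ("operator", 1, 0x06),
    ("operator", 2, 0x03), ("operator", 2, 0x06),
    ("historian", 1, 0x03), ("historian", 1, 0x04),
]


def measure_fpr(acl: BloomFilter, rules, roles, unit_ids, function_codes) -> float:
    """Fraction of (role, unit, fc) triples NOT in rules that the filter still accepts."""
    allowed = set(rules)
    probes = [(r, u, f) for r in roles for u in unit_ids for f in function_codes
              if (r, u, f) not in allowed]
    hits = sum(is_allowed(acl, r, u, f) for r, u, f in probes)
    return hits / len(probes) if probes else 0.0


if __name__ == "__main__":
    acl = build_acl(SAMPLE_RULES)
    print("operator write unit 1:", is_allowed(acl, "operator", 1, 0x06))
    print("historian write unit 1:", is_allowed(acl, "historian", 1, 0x06))
    print("expected FPR:", acl.expected_fpr())
    print("measured FPR:", measure_fpr(acl, SAMPLE_RULES,
                                       ["operator", "historian", "guest"],
                                       range(1, 17), range(1, 24)))
```

A denial from the filter is authoritative, so the pre-processor can drop the request without consulting anything else; a positive answer carries the residual false-positive probability, which is why `expected_fpr()` is the figure to size `m_bits` against for a given rule count. Shrinking the array (try 64 bits) makes the measured rate visibly non-zero and shows the trade-off the abstract refers to.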
A Two-level Intrusion Detection System for Industrial Control System Networks using P4
The increasing number of attacks against Industrial Control Systems (ICS) has shown the vulnerability of these systems. Many ICS network protocols have no security mechanism, and the requirements on high availability and real-time communication make it challenging to apply intrusive security measures. In this paper, we propose a two-level intrusion detection system for ICS networks based on Software Defined Networking (SDN). The first level consists of flow and Modbus whitelists, leveraging P4 for efficient real-time monitoring. The second level is a deep packet inspector communicating with an SDN controller to update the whitelist of the first level. We show by experiments in an emulated environment that our design has only a small impact on communication latencies in the ICS and is efficient against Modbus/TCP oriented attacks.
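The first-level check described above is a pair of exact-match tables: is the (source, destination, port) flow known, and is the (unit id, function code, register window) inside what that flow is allowed to do? The following is an added example, written for this page rather than taken from the paper's P4 program, that reproduces that logic in Python over constructed Modbus/TCP frames so the drop reasons can be seen; `add_rule()` stands in for the whitelist update the second-level inspector would push through the SDN controller. The sample addresses, policy and the set of supported function codes are assumptions.

```python
"""Flow + Modbus/TCP whitelist check, mirroring a first-level filter (added example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

MODBUS_PORT = 502
READ_FCS = {0x01, 0x02, 0x03, 0x04}       # read coils / discrete inputs / holding / input regs
WRITE_SINGLE_FCS = {0x05, 0x06}           # write single coil / register
WRITE_MULTI_FCS = {0x0F, 0x10}            # write multiple coils / registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_addr: int
    count: int  # 1 for single writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest | None:
    """Parse MBAP header + PDU; None for anything malformed or not handled here."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol id must be 0 and the MBAP length must cover unit id + PDU exactly.
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    if fc in READ_FCS and len(payload) == 12:
        start, count = struct.unpack("!HH", payload[8:12])
        return ModbusRequest(tid, unit, fc, start, count)
    if fc in WRITE_SINGLE_FCS and len(payload) == 12:
        addr, _value = struct.unpack("!HH", payload[8:12])
        return ModbusRequest(tid, unit, fc, addr, 1)
    if fc in WRITE_MULTI_FCS and len(payload) >= 13:
        start, count, byte_count = struct.unpack("!HHB", payload[8:13])
        if len(payload) != 13 + byte_count:
            return None
        return ModbusRequest(tid, unit, fc, start, count)
    return None  # diagnostics and other function codes are simply not whitelisted


class Whitelist:
    """Level 1 tables; level 2 (the DPI box via the controller) calls add_rule()."""

    def __init__(self) -> None:
        # (src_ip, dst_ip, dst_port) -> {(unit_id, function_code): (first_addr, last_addr)}
        self.rules = {}

    def add_rule(self, src, dst, unit, fc, first_addr, last_addr, dport=MODBUS_PORT):
        self.rules.setdefault((src, dst, dport), {})[(unit, fc)] = (first_addr, last_addr)

    def verdict(self, src: str, dst: str, dport: int, payload: bytes) -> str:
        flow_rules = self.rules.get((src, dst, dport))
        if flow_rules is None:
            return "DROP:unknown-flow"
        req = parse_modbus_tcp(payload)
        if req is None:
            return "DROP:malformed-or-unsupported"
        window = flow_rules.get((req.unit_id, req.function_code))
        if window is None:
            return "DROP:function-not-whitelisted"
        lo, hi = window
        if req.count < 1 or req.start_addr < lo or req.start_addr + req.count - 1 > hi:
            return "DROP:address-out-of-range"
        return "FORWARD"


def build_request(tid: int, unit: int, fc: int, a: int, b: int) -> bytes:
    """Constructed read or single-write frame: MBAP (length 6) + fc + two 16-bit fields."""
    return struct.pack("!HHHBBHH", tid, 0, 6, unit, fc, a, b)


def sample_whitelist() -> Whitelist:
    # Constructed policy: HMI 10.0.0.10 may read holding registers 0..99 of unit 1 on
    # PLC 10.0.0.20 and write single registers 40..49; nothing else is known.
    wl = Whitelist()
    wl.add_rule("10.0.0.10", "10.0.0.20", 1, 0x03, 0, 99)
    wl.add_rule("10.0.0.10", "10.0.0.20", 1, 0x06, 40, 49)
    return wl


def run_samples() -> dict:
    """Verdicts for one legitimate exchange and four constructed Modbus/TCP abuses."""
    wl = sample_whitelist()
    hmi, plc = "10.0.0.10", "10.0.0.20"
    # Write Multiple Registers (0x10): start 40, 2 registers, 4 data bytes, MBAP length 11.
    write_multi = struct.pack("!HHHBBHHB", 4, 0, 11, 1, 0x10, 40, 2, 4) + bytes(4)
    return {
        "legit-read": wl.verdict(hmi, plc, 502, build_request(1, 1, 0x03, 0, 10)),
        "legit-write": wl.verdict(hmi, plc, 502, build_request(2, 1, 0x06, 42, 1234)),
        "rogue-host": wl.verdict("10.0.0.99", plc, 502, build_request(3, 1, 0x03, 0, 10)),
        "write-multi": wl.verdict(hmi, plc, 502, write_multi),
        "read-out-of-range": wl.verdict(hmi, plc, 502, build_request(5, 1, 0x03, 90, 20)),
        "bad-length": wl.verdict(hmi, plc, 502, build_request(6, 1, 0x03, 0, 10)[:-1]),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18s} {result}")
```

Every branch is a fixed-width field comparison, which is what makes the check cheap enough to sit in the data plane: the data-plane equivalent in P4 would carry the same tables as match-action entries and needs no per-packet state beyond the parsed header fields. Frames the parser rejects (bad protocol id, inconsistent MBAP length, unsupported function codes) are dropped before any table lookup, so the second-level inspector only has to explain traffic that is well-formed but not yet whitelisted.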