Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol

When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols. To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework built on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies that analyze the SCADA-specific semantics of those network events can be accurately defined. As a proof of concept, we specify a protocol validation policy that verifies that the semantics of the data extracted from network packets conform to the protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.
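To make the protocol validation policy concrete, the following is an added example (not the paper's Bro/binpac parser, nor any code from the authors) of the kind of specification check such a policy encodes, written in Python so it runs stand-alone. It parses the fixed 10-byte DNP3 link-layer header, recomputes the CRC-16/DNP over the first eight bytes, and flags a frame whose link function code is not defined for its direction (PRM bit), which is exactly the "data conforms to the protocol definition" test the abstract describes. The sample frames and addresses are constructed here for illustration; the layout, CRC parameters and function-code tables follow the public DNP3 link-layer specification.

```python
"""Specification-based check of a DNP3 link-layer header (added illustration).

This is not the paper's Bro parser; it shows, in plain Python, the same idea:
parse the fields the protocol defines, then reject values the specification
does not allow. Sample frames below are constructed for the example.
"""
import struct

DNP3_START = b"\x05\x64"  # every DNP3 link frame begins with 0x05 0x64

# Link-layer function codes defined by the DNP3 specification, keyed by the
# PRM bit of the control octet: PRM=1 is a primary (initiating) frame,
# PRM=0 is a secondary (responding) frame.
PRIMARY_FUNCTIONS = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES",
                     3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA",
                     9: "REQUEST_LINK_STATUS"}
SECONDARY_FUNCTIONS = {0: "ACK", 1: "NACK", 11: "LINK_STATUS",
                       14: "NOT_SUPPORTED"}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_header(control: int, dest: int, src: int, user_len: int = 0) -> bytes:
    """Build a 10-byte link header. LEN counts control+dest+src (5) plus user data."""
    body = DNP3_START + struct.pack("<BBHH", 5 + user_len, control, dest, src)
    return body + struct.pack("<H", crc16_dnp(body))


def validate_header(frame: bytes) -> list:
    """Return the list of specification violations in a link header ([] if it conforms)."""
    if len(frame) < 10:
        return ["header shorter than 10 bytes"]
    violations = []
    if frame[:2] != DNP3_START:
        violations.append("bad start bytes")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        violations.append("LEN below 5 (cannot cover control/dest/src)")
    (crc,) = struct.unpack("<H", frame[8:10])
    if crc != crc16_dnp(frame[:8]):
        violations.append("header CRC mismatch")
    prm = bool(control & 0x40)          # bit 6: primary/secondary direction
    fc = control & 0x0F                 # bits 0-3: link function code
    table = PRIMARY_FUNCTIONS if prm else SECONDARY_FUNCTIONS
    if fc not in table:
        violations.append(f"function code {fc} undefined for PRM={int(prm)}")
    return violations


if __name__ == "__main__":
    # Constructed sample: master (DIR=1, PRM=1, FC=4) sending unconfirmed user data.
    good = build_header(0xC4, dest=1, src=1024)
    print("well-formed frame:", validate_header(good))
    tampered = bytearray(good)
    tampered[4] ^= 0x01                 # flip a bit in the destination address
    print("tampered frame:", validate_header(bytes(tampered)))
    print("undefined primary FC 5:", validate_header(build_header(0xC5, 1, 1024)))
```

The `validate_header` function returns violations rather than raising, so a caller can treat them as policy events (log, alert, or drop) in the same way a Bro policy script would consume events raised by the parser; a DNP3 frame that parses cleanly can still be flagged when a field holds a value the specification never defines.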

[1] Robert J. Turk. Cyber Incidents Involving Control Systems, 2005.

[2] Alfonso Valdes et al. Intrusion Monitoring in Process Control Systems, 2009. 42nd Hawaii International Conference on System Sciences.

[3] Alfonso Valdes et al. Communication pattern anomaly detection in process control systems, 2009. IEEE Conference on Technologies for Homeland Security.

[4] Timothy M. Yardley et al. Exploring convergence for SCADA Networks, 2011. ISGT 2011.

[5] Milos Manic et al. Neural Network based Intrusion Detection System for critical infrastructures, 2009. International Joint Conference on Neural Networks.

[6] Klara Nahrstedt et al. Detecting False Data Injection Attacks on DC State Estimation, 2010.

[7] Francesco Parisi-Presicce et al. DNPSec: Distributed Network Protocol Version 3 (DNP3) Security Framework, 2007.

[8] A. G. Expósito et al. Power system state estimation: theory and implementation, 2004.

[9] Ulf Lindqvist et al. Detection, correlation, and visualization of attacks against critical infrastructure systems, 2010. Eighth International Conference on Privacy, Security and Trust.

[10] S. Mauw et al. Specification-based intrusion detection for advanced metering infrastructures, 2022.

[11] Andrea Carcano et al. Modbus/DNP3 state-based filtering system, 2010. IEEE International Symposium on Industrial Electronics.

[12] Vern Paxson et al. Bro Intrusion Detection System, 2006.

[13] Pieter H. Hartel et al. MELISSA: Towards Automated Detection of Undesirable User Actions in Critical Infrastructures, 2011. Seventh European Conference on Computer Network Defense.

[14] Ulf Lindqvist et al. Using Model-based Intrusion Detection for SCADA Networks, 2006.

[15] Timothy Grance et al. Guide to Supervisory Control and Data Acquisition (SCADA) and Other Industrial Control System Security, 2006.

[16] R. Sekar et al. Specification-based anomaly detection: a new approach for detecting network intrusions, 2002. CCS '02.

[17] L. Tong et al. Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures, 2010. First IEEE International Conference on Smart Grid Communications.

[18] Larry L. Peterson et al. binpac: a yacc for writing application protocol parsers, 2006. IMC '06.

[19] Mark Fabro et al. Control Systems Cyber Security: Defense-in-Depth Strategies, 2006.

[20] Vern Paxson et al. Bro: a system for detecting network intruders in real-time, 1998. Computer Networks.

[21] Ning Lu et al. Safeguarding SCADA Systems with Anomaly Detection, 2003. MMM-ACNS.

[22] Anja Feldmann et al. Operational experiences with high-volume network intrusion detection, 2004. CCS '04.

[23] Igor Nai Fovino et al. State-Based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept, 2009. CRITIS.

[24] Peng Ning et al. False data injection attacks against state estimation in electric power grids, 2009. CCS.

[25] William H. Sanders et al. Specification-Based Intrusion Detection for Advanced Metering Infrastructures, 2011. IEEE 17th Pacific Rim International Symposium on Dependable Computing.