Using a Specification-based Intrusion Detection System to Extend the DNP3 Protocol with Security Functionalities

Modern SCADA systems are increasingly adopting Internet technologies to control distributed industrial assets. As proprietary communication protocols are increasingly being used over public networks without efficient protection mechanisms, it is becoming easier for attackers to penetrate the communication networks of companies that operate electrical power grids, water plants, and other critical infrastructure systems. To provide protection against such attacks without changing legacy configurations, SCADA systems require an intrusion detection technique that can understand the information carried by network traffic based on proprietary SCADA protocols. To achieve that goal, we adapted Bro, a specification-based intrusion detection system, for SCADA protocols in our previous work [13]. In that work, we built into Bro a new parser to support DNP3, a complex proprietary network protocol that is widely used in SCADA systems for electrical power grids [4]. The built-in parser provides clear visibility of network events related to SCADA systems. The semantics associated with the events provide us with a fine-grained operational context of the SCADA system, including types of operations and their parameters. Based on such information, we propose in this work two security policies to perform authentication and integrity checking on observed SCADA network traffic. To evaluate the proposed security policies, we simulated SCADA-specific attack scenarios in a test-bed, including real proprietary devices used in an electrical power grid. Experiments showed that the proposed intrusion detection system with the security policies can work efficiently in a large industrial control environment that can include approximately 4000 devices.
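As an added illustration of the two policy types the abstract describes (integrity checking of observed DNP3 traffic and a simplified authentication check), and not code from the paper or from Bro: a small Python DNP3 link-layer parser that verifies CRC-16/DNP on the header and on every data block, then flags control function codes sent from a source address outside a master whitelist. The whitelist, the device addresses and the sample frame are assumptions constructed for this example.

```python
# Added illustration, not the paper's Bro parser: CRC-16/DNP integrity checks on DNP3
# link-layer frames plus a simplified "authentication" policy (whitelist is constructed).
from typing import Dict, List, Set

START = b"\x05\x64"
CONTROL_FCS = {3: "SELECT", 4: "OPERATE", 5: "DIRECT_OPERATE",
               6: "DIRECT_OPERATE_NR", 13: "COLD_RESTART", 14: "WARM_RESTART"}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl: int, dst: int, src: int, user: bytes) -> bytes:
    """8-byte header + CRC, then user data in 16-byte blocks, each followed by its CRC."""
    hdr = START + bytes([5 + len(user), ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    out = hdr + crc16_dnp(hdr).to_bytes(2, "little")
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return out

def parse_frame(frame: bytes) -> Dict:
    """Integrity policy: verify header and every data-block CRC; ValueError on failure."""
    if frame[:2] != START or len(frame) < 10:
        raise ValueError("bad start bytes or truncated header")
    hdr = frame[:8]
    if crc16_dnp(hdr) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    dst, src = int.from_bytes(hdr[4:6], "little"), int.from_bytes(hdr[6:8], "little")
    user, pos, remaining = b"", 10, hdr[2] - 5
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or crc16_dnp(block) != int.from_bytes(crc, "little"):
            raise ValueError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    # user data: transport byte, then application control byte, then function code
    fc = user[2] if len(user) >= 3 else None
    return {"ctrl": hdr[3], "dst": dst, "src": src, "fc": fc, "fc_name": CONTROL_FCS.get(fc, "OTHER")}

def check_policy(msg: Dict, masters: Set[int]) -> List[str]:
    """Authentication policy (simplified): control function codes only from known masters."""
    if msg["fc"] in CONTROL_FCS and msg["src"] not in masters:
        return [f"{msg['fc_name']} to outstation {msg['dst']} from unknown source {msg['src']}"]
    return []
```

A cold-restart request built with `build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, 13]))` passes both checks when master address 1 is whitelisted; the same request from address 99, or any frame with a flipped byte, is flagged.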

[1] Pieter H. Hartel et al. MELISSA: Towards Automated Detection of Undesirable User Actions in Critical Infrastructures, 2011, 2011 Seventh European Conference on Computer Network Defense.

[2] Ulf Lindqvist et al. Using Model-based Intrusion Detection for SCADA Networks, 2006.

[3] Timothy Grance et al. Guide to Supervisory Control and Data Acquisition (SCADA) and Other Industrial Control System Security, 2006.

[4] Ravishankar K. Iyer et al. Adapting Bro into SCADA: building a specification-based intrusion detection system for the DNP3 protocol, 2013, CSIIRW '13.

[5] Vern Paxson et al. Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context, 2005, DIMVA.

[6] Milos Manic et al. Neural Network based Intrusion Detection System for critical infrastructures, 2009, 2009 International Joint Conference on Neural Networks.

[7] Timothy M. Yardley et al. Exploring convergence for SCADA Networks, 2011, ISGT 2011.

[8] Alfonso Valdes et al. Communication pattern anomaly detection in process control systems, 2009, 2009 IEEE Conference on Technologies for Homeland Security.

[9] Larry L. Peterson et al. binpac: a yacc for writing application protocol parsers, 2006, IMC '06.

[10] L. Tong et al. Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures, 2010, 2010 First IEEE International Conference on Smart Grid Communications.

[11] Francesco Parisi-Presicce et al. DNPSec: Distributed Network Protocol Version 3 (DNP3) Security Framework, 2007.

[12] Vern Paxson et al. Bro: a system for detecting network intruders in real-time, 1998, Comput. Networks.

[13] Robert J. Turk. Cyber Incidents Involving Control Systems, 2005.

[14] Peng Ning et al. False data injection attacks against state estimation in electric power grids, 2009, CCS.

[15] Klara Nahrstedt et al. Detecting False Data Injection Attacks on DC State Estimation, 2010.

[16] Vern Paxson et al. A high-level programming environment for packet trace anonymization and transformation, 2003, SIGCOMM '03.

[17] William H. Sanders et al. Specification-Based Intrusion Detection for Advanced Metering Infrastructures, 2011, 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing.