Using Application Layer Metrics to Detect Advanced SCADA Attacks

Current state-of-the-art intrusion detection and network monitoring systems tend to focus on the 'five-tuple' features (protocol, source and destination IP address, source and destination port). As a result there is a gap in security visibility at the application layer, where the SCADA commands themselves are carried. We propose a collection of network application layer metrics that provide greater insight into SCADA communications. These metrics are derived from an analysis of the industrial control system (ICS) threat landscape and of current state-of-the-art detection systems. They detect a range of adversary capabilities beyond those covered in previous SCADA literature.
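
The following is an added example, not code or metrics from the paper, to make the five-tuple gap concrete. It assumes Modbus/TCP on port 502 (the paper does not name a protocol), constructs four request frames that all share one five-tuple (same HMI, same PLC, same ports), and derives per-flow metrics from the Modbus PDU: function-code histogram, read/write counts, and the set of register addresses written. A five-tuple monitor sees one unremarkable flow; the application-layer view shows two writes, including a multi-register write, from a host whose baseline allows only reads. The metric names, the baseline, and the sample frames are my own assumptions.

```python
"""
Added illustration (not from the paper): application-layer metrics over
Modbus/TCP requests that share a single five-tuple.

Assumptions (mine, not the paper's): Modbus/TCP on port 502, the metric names
below, the read-only baseline for the HMI flow, and the constructed frames.
"""
import struct
from collections import Counter
from dataclasses import dataclass

# Modbus public function codes, grouped by effect on the process.
READ_FCS = {0x01, 0x02, 0x03, 0x04}   # read coils/inputs/registers
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}  # write coil(s)/register(s)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class ModbusRequest:
    unit_id: int
    function_code: int
    start_addr: int
    quantity: int  # coils/registers the request touches


def five_tuple(p: Packet):
    """The header view a conventional monitor works from."""
    return ("tcp", p.src, p.dst, p.sport, p.dport)


def parse_modbus_request(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first fields of a request PDU."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP (protocol id %d)" % proto)
    if length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    fc = payload[7]
    data = payload[8:]
    if fc in (0x05, 0x06):            # single write: address, value
        addr, _value = struct.unpack(">HH", data[:4])
        qty = 1
    elif fc in READ_FCS or fc in (0x0F, 0x10):  # address, quantity
        addr, qty = struct.unpack(">HH", data[:4])
    else:                              # other codes: record the code only
        addr, qty = 0, 0
    return ModbusRequest(unit_id, fc, addr, qty)


def app_layer_metrics(packets):
    """Per-five-tuple metrics computed from the PDU rather than the headers."""
    metrics = {}
    for p in packets:
        req = parse_modbus_request(p.payload)
        m = metrics.setdefault(five_tuple(p), {
            "function_codes": Counter(), "reads": 0, "writes": 0,
            "written_addrs": set()})
        m["function_codes"][req.function_code] += 1
        if req.function_code in WRITE_FCS:
            m["writes"] += 1
            m["written_addrs"].update(
                range(req.start_addr, req.start_addr + req.quantity))
        elif req.function_code in READ_FCS:
            m["reads"] += 1
    return metrics


def deviations(metrics, allowed_fcs):
    """Flows that used a function code outside their learned/allowed set."""
    alerts = {}
    for flow, m in metrics.items():
        unexpected = set(m["function_codes"]) - allowed_fcs.get(flow, set())
        if unexpected:
            alerts[flow] = unexpected
    return alerts


# Constructed frames: HMI 10.0.0.5 -> PLC 10.0.0.10:502, one TCP connection.
HMI_FLOW = ("tcp", "10.0.0.5", "10.0.0.10", 49152, 502)
SAMPLE_PACKETS = [
    # FC 0x03 read 10 holding registers from 0
    Packet("10.0.0.5", "10.0.0.10", 49152, 502,
           b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # FC 0x03 read 5 holding registers from 10
    Packet("10.0.0.5", "10.0.0.10", 49152, 502,
           b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x0a\x00\x05"),
    # FC 0x06 write single register 0x0010 := 1
    Packet("10.0.0.5", "10.0.0.10", 49152, 502,
           b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # FC 0x10 write 2 registers from 0x0020 (byte count 4, values 0,0)
    Packet("10.0.0.5", "10.0.0.10", 49152, 502,
           b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x20\x00\x02\x04"
           b"\x00\x00\x00\x00"),
]
# Assumed baseline: this HMI flow is only ever expected to read.
BASELINE = {HMI_FLOW: set(READ_FCS)}


def run_demo():
    metrics = app_layer_metrics(SAMPLE_PACKETS)
    return metrics, deviations(metrics, BASELINE)


if __name__ == "__main__":
    m, alerts = run_demo()
    for flow, stats in m.items():
        print(flow, dict(stats["function_codes"]), sorted(stats["written_addrs"]))
    print("alerts:", alerts)
```

Every packet maps to the same five-tuple, so a header-only monitor produces one flow record and nothing to alert on. The PDU-derived metrics separate the two reads from the two writes and name the registers 0x10, 0x20 and 0x21 that were modified, which is the information an operator needs to judge whether a write was legitimate.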
