Intrusion detection in SCADA systems by traffic periodicity and telemetry analysis

Supervisory control and data acquisition (SCADA) systems are a vital component of critical infrastructures (CIs). However, most SCADA protocols lack authentication or integrity checking, which leaves them highly exposed to cyber attacks as more and more SCADA systems are connected to external networks. Intrusion detection systems (IDSs) have been proposed to strengthen system security, but few of them can resist response injection and denial of service attacks at the same time. In this paper we present an IDS named PT-IDS that fills this gap by exploiting the periodicity and telemetry patterns of network traffic in typical SCADA systems. First, we analyze the periodicity characteristics of SCADA network traffic and classify them into four categories with an analyzer algorithm we design. Second, to detect response injection attacks effectively, we design an auxiliary module that analyzes the network telemetry pattern. The results of both modules are considered jointly to improve detection accuracy, especially for denial of service attacks. In addition, the proposed system produces alarm reports that include both warnings and matching severity information. The time complexity of both analyzer algorithms is polynomial, and simulations demonstrate the effectiveness and efficiency of our IDS mechanism.
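The following Python sketch is an added illustration written for this page, not the paper's PT-IDS algorithm (the abstract does not spell out its four periodicity categories or its telemetry features). It shows the two checks the abstract describes over constructed Modbus-like packet summaries: a periodicity module that learns the poll period of each master/outstation flow and flags missing or bursty polls, a telemetry module that flags replies whose count, latency or size depart from the learned profile (the signature of an injected response answering faster than the real PLC), and a correlation step that raises the severity when both modules fire on the same flow, which is the DoS-looking picture of lost polls plus lost replies. The addresses, packet sizes, the 25% tolerance and the alarm format are assumptions made for the example.

```python
"""Added illustration of periodicity + telemetry anomaly checks on polled SCADA
traffic.  Not the paper's PT-IDS; addresses, sizes and thresholds are made up."""
from collections import defaultdict
from statistics import median

# Constructed packet summaries: (time_s, src, dst, kind, length_bytes).
# kind is "req" for a master poll and "resp" for an outstation reply.
MASTER, PLC = "10.0.0.1", "10.0.0.2"          # assumed addresses


def _flows(records):
    """Group packets per (master, outstation) pair, keyed on the poll direction
    so that a poll and its replies land in the same flow."""
    flows = defaultdict(list)
    for t, src, dst, kind, length in records:
        key = (src, dst) if kind == "req" else (dst, src)
        flows[key].append((t, kind, length))
    return flows


def _pair(events):
    """Return poll times, the (latency, length) of every reply that followed each
    poll before the next one, and replies that had no preceding poll at all."""
    polls, replies, orphans = [], [], []
    for t, kind, length in sorted(events):
        if kind == "req":
            polls.append(t)
            replies.append([])
        elif polls:
            replies[-1].append((t - polls[-1], length))
        else:
            orphans.append((t, length))
    return polls, replies, orphans


def learn_baseline(records, tol=0.25):
    """Profile each flow from attack-free traffic: poll period, reply latency
    band and the set of reply sizes seen.  tol widens every band by +/-25%."""
    baseline = {}
    for key, events in _flows(records).items():
        polls, replies, _ = _pair(events)
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        lats = [lat for rs in replies for lat, _ in rs]
        baseline[key] = {"period": median(gaps), "tol": tol,
                         "lat_lo": min(lats) * (1 - tol), "lat_hi": max(lats) * (1 + tol),
                         "lengths": {ln for rs in replies for _, ln in rs}}
    return baseline


def detect(records, baseline):
    """Run both modules over a traffic window.  Returns alarms as
    (time, flow, module, severity, message), sorted by time."""
    alarms = []
    for key, events in _flows(records).items():
        prof = baseline.get(key)
        if prof is None:
            alarms.append((events[0][0], key, "telemetry", "high", "flow not in baseline"))
            continue
        polls, replies, orphans = _pair(events)
        period, tol = prof["period"], prof["tol"]
        found = []
        # Periodicity module: poll spacing outside the learned period.
        for prev, cur in zip(polls, polls[1:]):
            gap = cur - prev
            if gap > period * (1 + tol):
                found.append((cur, key, "periodicity", "medium",
                              f"{round(gap / period) - 1} poll(s) missing before t={cur:g}"))
            elif gap < period * (1 - tol):
                found.append((cur, key, "periodicity", "medium",
                              f"poll burst: gap {gap:.3f}s < period {period:g}s"))
        # Telemetry module: reply count, latency and size per poll.
        for t, rs in zip(polls, replies):
            if not rs:
                found.append((t, key, "telemetry", "medium", f"poll at t={t:g} unanswered"))
            elif len(rs) > 1:
                found.append((t, key, "telemetry", "high",
                              f"{len(rs)} replies to one poll at t={t:g} (possible injected response)"))
            for lat, ln in rs:
                reasons = []
                if not prof["lat_lo"] <= lat <= prof["lat_hi"]:
                    reasons.append(f"latency {lat:.3f}s outside [{prof['lat_lo']:.3f}, {prof['lat_hi']:.3f}]")
                if ln not in prof["lengths"]:
                    reasons.append(f"reply length {ln} never seen in baseline")
                if reasons:
                    found.append((t + lat, key, "telemetry", "high", "; ".join(reasons)))
        for t, ln in orphans:
            found.append((t, key, "telemetry", "high", f"unsolicited reply at t={t:g}"))
        # Correlation: lost polls and lost replies together look like a DoS,
        # so medium alarms are escalated when both modules fired on this flow.
        if {"periodicity", "telemetry"} <= {a[2] for a in found}:
            found = [(t, k, m, "high", msg + " [corroborated by other module]") if s == "medium"
                     else (t, k, m, s, msg) for t, k, m, s, msg in found]
        alarms.extend(found)
    return sorted(alarms)


def build_baseline():
    """Constructed clean traffic: a 1 s poll (12 B) answered after 50 ms (11 B)."""
    recs = []
    for i in range(10):
        recs += [(float(i), MASTER, PLC, "req", 12), (i + 0.05, PLC, MASTER, "resp", 11)]
    return recs


def build_window():
    """Constructed attack window: an injected reply at t=13 (too fast, wrong
    size), two unanswered polls at t=16-17, then a 3 s polling gap."""
    w = []
    for i in range(10, 16):
        w += [(float(i), MASTER, PLC, "req", 12), (i + 0.05, PLC, MASTER, "resp", 11)]
    w.append((13.01, PLC, MASTER, "resp", 13))   # spoofed reply beats the real PLC
    w += [(16.0, MASTER, PLC, "req", 12), (17.0, MASTER, PLC, "req", 12)]
    w += [(20.0, MASTER, PLC, "req", 12), (20.05, PLC, MASTER, "resp", 11)]
    return w


if __name__ == "__main__":
    for alarm in detect(build_window(), learn_baseline(build_baseline())):
        print(alarm)
```

On the constructed window the clean baseline raises nothing, while the attack window yields five alarms: two from the telemetry module at t=13 (a second reply to one poll, and that reply's 10 ms latency and 13-byte size both outside the profile), two unanswered polls at t=16 and t=17, and the periodicity module's missing-poll alarm at t=20; the last three start as medium and are escalated because both modules fired on the same flow.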
