Intrusion Detection and Resilient Control for SCADA Systems

Most existing Supervisory Control And Data Acquisition (SCADA) systems were designed without cyber security in mind. This makes it a significant challenge both to adapt conventional Information Technology (IT) intrusion detection techniques to counter the threat of cyber attacks, a threat that has grown with the standardization of these systems and their connectivity to the Internet, and to achieve resilient control without fully retrofitting them. The author presents a taxonomy and a set of metrics for SCADA-specific intrusion detection techniques, highlighting their possible uses, explaining the nuances of the task, and enumerating the Intrusion Detection Systems (IDS) that have been proposed to undertake it. She identifies the deficits and gaps in current research and offers recommendations on which strategies are most likely to succeed, in part by presenting a prototype of her own work toward this goal. Specifically, she introduces an early anomaly detection and resilient estimation scheme consisting of a robust online recursive algorithm based on the Kalman Filter in a state-space model setting. The proposed online, window-limited Robust Generalized Likelihood Ratio Test (RGLRT) identifies and detects outliers among real-time multidimensional measurements of dynamical systems without any a priori knowledge of the occurrence time or distribution of the outliers. It attains a low detection delay and an optimal stopping time that yields low false-alarm and missed-detection rates while maintaining optimal online estimation performance under normal conditions. The author proposes a set of qualitative and quantitative metrics to measure its optimality in the context of cyber-physical systems. DOI: 10.4018/978-1-4666-2659-1.ch015
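To make the mechanism described in the abstract concrete, the following is an added illustration, not code from the chapter or its author. It runs a Kalman filter over a constructed two-channel sensor stream, whitens each innovation with the filter's own innovation covariance, and evaluates a window-limited GLR statistic for a mean shift over every candidate change point in the last W samples, which is the generic window-limited GLRT shape rather than the chapter's RGLRT. The constant-velocity model, the identity measurement matrix, the Huber-style clipping of the innovation used in the update (a simplified stand-in for a robust recursion), the noise levels and the injected sensor offset are all assumptions chosen for the demo.

```python
"""Window-limited GLRT on Kalman-filter innovations (constructed example)."""
import math
import random

# --- minimal 2x2 linear algebra on lists, enough for this demo ---
def mmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def madd(a, b):
    return [[a[i][j] + b[i][j] for j in range(2)] for i in range(2)]

def msub(a, b):
    return [[a[i][j] - b[i][j] for j in range(2)] for i in range(2)]

def mt(a):
    return [[a[j][i] for j in range(2)] for i in range(2)]

def minv(a):
    d = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    return [[a[1][1] / d, -a[0][1] / d], [-a[1][0] / d, a[0][0] / d]]

def mvec(a, v):
    return [a[0][0] * v[0] + a[0][1] * v[1], a[1][0] * v[0] + a[1][1] * v[1]]

def whiten(s, g):
    """Return e = L^{-1} g with L L^T = s (Cholesky); e ~ N(0, I) when the model holds."""
    l00 = math.sqrt(s[0][0])
    l10 = s[1][0] / l00
    l11 = math.sqrt(s[1][1] - l10 * l10)
    e0 = g[0] / l00
    return [e0, (g[1] - l10 * e0) / l11]

# Assumed plant: constant-velocity state x = [position, velocity], both measured (H = I).
F = [[1.0, 1.0], [0.0, 1.0]]
I2 = [[1.0, 0.0], [0.0, 1.0]]
Q = [[0.01, 0.0], [0.0, 0.01]]   # process noise covariance (assumed)
R = [[0.25, 0.0], [0.0, 0.25]]   # measurement noise covariance (assumed)

def glrt_monitor(measurements, window=8, threshold=12.0, huber_c=3.0):
    """Kalman filter plus window-limited GLR statistic on whitened innovations:
        Lambda_k = max_{k-W < theta <= k} ||sum_{i=theta..k} e_i||^2 / (2 (k - theta + 1))
    Under the model Lambda_k is roughly Exp(1)-distributed, so a threshold of 12
    gives a false-alarm probability near e^-12 per evaluation.
    Returns (index of first alarm or None, per-step statistics, state estimates)."""
    x = [measurements[0][0], 0.0]          # initial state guess
    P = [[1.0, 0.0], [0.0, 1.0]]
    recent = []                            # whitened innovations inside the window
    stats, estimates, alarm = [], [], None
    for k, z in enumerate(measurements):
        x = mvec(F, x)                                   # predict state
        P = madd(mmul(mmul(F, P), mt(F)), Q)             # predict covariance
        gamma = [z[0] - x[0], z[1] - x[1]]               # innovation (H = I)
        S = madd(P, R)                                   # innovation covariance
        e = whiten(S, gamma)
        recent.append(e)
        if len(recent) > window:
            recent.pop(0)
        # scan every candidate change point theta inside the window
        best, s0, s1 = 0.0, 0.0, 0.0
        for n, ei in enumerate(reversed(recent), start=1):
            s0 += ei[0]
            s1 += ei[1]
            best = max(best, (s0 * s0 + s1 * s1) / (2.0 * n))
        stats.append(best)
        if alarm is None and best > threshold:
            alarm = k
        # Huber-clipped update (assumed stand-in for a robust recursion): one
        # huge innovation moves the estimate no further than a |e| = huber_c one.
        norm = math.hypot(e[0], e[1])
        scale = 1.0 if norm <= huber_c else huber_c / norm
        K = mmul(P, minv(S))
        dx = mvec(K, [gamma[0] * scale, gamma[1] * scale])
        x = [x[0] + dx[0], x[1] + dx[1]]
        P = mmul(msub(I2, K), P)
        estimates.append(list(x))
    return alarm, stats, estimates

def make_stream(n=60, bias_at=40, bias=(6.0, 0.0), seed=1):
    """Constructed sensor stream: a true constant-velocity track plus Gaussian
    noise, with a persistent offset added to the channels from index bias_at on
    (constructed stand-in for a corrupted or spoofed sensor reading)."""
    rng = random.Random(seed)
    out, pos, vel = [], 0.0, 0.5
    for k in range(n):
        pos += vel
        zp = pos + rng.gauss(0.0, 0.5) + (bias[0] if k >= bias_at else 0.0)
        zv = vel + rng.gauss(0.0, 0.5) + (bias[1] if k >= bias_at else 0.0)
        out.append((zp, zv))
    return out

if __name__ == "__main__":
    alarm, stats, _ = glrt_monitor(make_stream())
    print("alarm at index", alarm, "max statistic %.2f" % max(stats))
```

Two properties of the abstract's scheme are visible here: the window makes the scan cost per sample constant rather than growing with the run, and the statistic is computed from innovations, so no knowledge of when the offset starts or how it is distributed is needed. On the constructed stream the alarm fires within a sample or two of the injected change, while the clean stream never crosses the threshold.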
