On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems

Industrial control system communication networks are vulnerable to reconnaissance, response injection, command injection, and denial of service attacks. Such attacks can lead to an inability to monitor and control industrial control systems and can ultimately lead to system failure. This can result in financial loss for control system operators and in economic and safety issues for the citizens who depend on these services. This paper describes a set of 28 cyber attacks against industrial control systems which use the MODBUS application layer network protocol. The paper also describes a set of standalone and state-based intrusion detection system rules which can be used to detect these attacks and to store evidence of them for post-incident analysis. All attacks described in this paper were validated in a laboratory environment. The detection rate of the presented intrusion detection system rules is also reported, broken down by attack class.
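To illustrate the distinction the abstract draws between standalone and state-based rules, here is an added Python example that is not the paper's code: it parses Modbus/TCP frames (MBAP header plus PDU, as defined by the Modbus specification) and applies one standalone rule (a single frame carrying a diagnostic function code is treated as a reconnaissance indicator) and one state-based rule (a response must answer a request previously seen from the client, with a matching function code, otherwise it is flagged as a possible injected response). The rule thresholds, alert strings, the `ResponseTracker` class and the `build` helper for constructing sample traffic are all assumptions of this example, not the paper's rule set.

```python
import struct
from collections import namedtuple
# Added example, not the paper's code: Modbus/TCP parser with one standalone and one state-based rule.
Frame = namedtuple("Frame", "tid unit fc data")
# Diagnostics, Report Server ID, Read Device Identification: rarely sent by a
# production client, so a single frame carrying one is a reconnaissance indicator.
RECON_FCS = {0x08, 0x11, 0x2B}

def build(tid, unit, fc, data=b""):  # well-formed frame, used to construct sample traffic
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse(raw):
    """Parse MBAP header + PDU; raise ValueError on a structurally bad frame."""
    if len(raw) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0 or length != len(raw) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP header inconsistent with frame size")
    return Frame(tid, unit, fc, raw[8:])

def standalone_rule(frame):  # signature needing no history: function code alone
    if frame.fc in RECON_FCS:
        return "reconnaissance: diagnostic function code 0x%02x" % frame.fc
    return None

class ResponseTracker:
    """State-based rule: every response must answer a request seen leaving the client."""
    def __init__(self):
        self.pending = {}   # (unit id, transaction id) -> request function code
        self.evidence = []  # (alert, hex frame) retained for post-incident analysis

    def observe(self, raw, from_client):  # returns an alert string, or None
        try:
            f = parse(raw)
        except ValueError as e:
            alert = "malformed frame: %s" % e
        else:
            alert = standalone_rule(f) if from_client else None
            if from_client:
                self.pending[(f.unit, f.tid)] = f.fc
            else:
                req_fc = self.pending.pop((f.unit, f.tid), None)
                if req_fc is None:
                    alert = "response injection: no request for transaction %d" % f.tid
                elif f.fc not in (req_fc, req_fc | 0x80):  # 0x80 bit marks an exception reply
                    alert = "response injection: function code does not match request"
        if alert:
            self.evidence.append((alert, raw.hex()))
        return alert
```

Feed each observed frame to `observe` with `from_client=True` for client-to-server traffic and `False` for the reverse; `evidence` keeps the raw frame of every alert so the post-incident record is not lost when the rule fires.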
