A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems

MODBUS RTU/ASCII Snort is software that retrofits serial-based industrial control systems with Snort intrusion detection and intrusion prevention capabilities. This article discusses the need for such a system by describing 4 classes of intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. The article provides details on how Snort rules can detect and prevent such intrusions. Finally, the article describes the MODBUS RTU/ASCII Snort implementation, provides details on placement of a MODBUS RTU/ASCII Snort host within a control system to maximize intrusion detection and prevention capabilities, and discusses the system's validation.
