
      Bro in SCADA: dynamic intrusion detection policies based on a system model

      proceedings-article
      5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)
      ICS & SCADA Cyber Security Research
      29 - 30 August 2018
      Intrusion Detection System, process-aware, SCADA, IDS, power distribution

            Abstract

            We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious or erroneous commands and sensor readings are detected. It can hence be seen as a local Intrusion Detection System as well as a safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was fed directly into the system model. Adaptive policies are implemented in Bro; they formulate physical constraints and safety requirements and allow checking in real time whether SCADA traffic complies with these rules. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.
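            The abstract describes the core mechanism: a local system model updated from parsed IEC-104 sensor readings and commands, with policies that encode physical constraints and safety requirements and raise alerts on traffic that violates them. The following is an added illustration of that mechanism, not the paper's Bro code. Messages are constructed Python dicts standing in for already-parsed ASDUs; the three type identifiers are real IEC 60870-5-104 values, while every information object address, the breaker-to-feeder wiring, the voltage band and the step threshold are assumptions made up for this example.

```python
"""Added illustration of a process-aware policy check in the spirit of the
abstract above; this is not the paper's Bro code.  Messages are constructed
dicts standing in for already-parsed IEC-104 ASDUs.  The type ids are real
IEC 60870-5-104 identifiers; every address, wiring assignment and threshold
below is made up for the example."""
from dataclasses import dataclass, field

M_SP_NA_1 = 1    # single-point information (e.g. breaker open/closed)
M_ME_NC_1 = 13   # measured value, short floating point (e.g. a voltage)
C_SC_NA_1 = 45   # single command (e.g. open/close a breaker)


@dataclass
class SystemModel:
    """Local model of the field station, updated from incoming traffic."""
    nominal_v: float = 230.0          # assumed nominal line voltage
    tolerance: float = 0.10           # assumed +/-10 % acceptable band
    max_step_v: float = 20.0          # assumed plausible change between readings
    feeder_of_breaker: dict = field(default_factory=dict)  # breaker IOA -> feeder IOA
    voltage: dict = field(default_factory=dict)            # feeder IOA -> last reading
    breaker_closed: dict = field(default_factory=dict)     # breaker IOA -> bool


def in_band(model, v):
    low = model.nominal_v * (1 - model.tolerance)
    high = model.nominal_v * (1 + model.tolerance)
    return low <= v <= high


def check(model, msg):
    """Apply the policies to one message, update the model, return alerts."""
    alerts = []
    t, ioa, val = msg["type"], msg["ioa"], msg["value"]
    if t == M_ME_NC_1:
        # physical constraint: a reading outside the band is erroneous or alarming
        if not in_band(model, val):
            alerts.append(f"reading {val} V at IOA {ioa} outside nominal band")
        # plausibility: the physical process cannot change arbitrarily fast
        prev = model.voltage.get(ioa)
        if prev is not None and abs(val - prev) > model.max_step_v:
            alerts.append(f"reading at IOA {ioa} jumped {prev} -> {val} V")
        model.voltage[ioa] = val
    elif t == M_SP_NA_1:
        model.breaker_closed[ioa] = bool(val)
    elif t == C_SC_NA_1:
        feeder = model.feeder_of_breaker.get(ioa)
        if feeder is None:
            alerts.append(f"command for unknown breaker IOA {ioa}")
        elif val == 1:  # close command: safety requirement checked against the model
            v = model.voltage.get(feeder)
            if v is None:
                alerts.append(f"close of breaker {ioa} with no reading for feeder {feeder}")
            elif not in_band(model, v):
                alerts.append(f"close of breaker {ioa} while feeder {feeder} reads {v} V")
    else:
        alerts.append(f"unsupported ASDU type {t} at IOA {ioa}")
    return alerts


def run(trace, model=None):
    """Replay a trace through a fresh model; return (message index, alert) pairs."""
    if model is None:
        model = SystemModel(feeder_of_breaker={100: 200})  # constructed wiring
    return [(i, a) for i, msg in enumerate(trace) for a in check(model, msg)]


# Constructed trace: breaker 100 feeds measurement point 200.
SAMPLE_TRACE = [
    {"type": M_SP_NA_1, "ioa": 100, "value": 1},      # breaker reported closed
    {"type": M_ME_NC_1, "ioa": 200, "value": 231.5},  # normal reading
    {"type": M_ME_NC_1, "ioa": 200, "value": 229.0},
    {"type": M_ME_NC_1, "ioa": 200, "value": 180.0},  # sudden drop: two alerts
    {"type": C_SC_NA_1, "ioa": 100, "value": 0},      # open command: allowed
    {"type": M_SP_NA_1, "ioa": 100, "value": 0},      # breaker reported open
    {"type": C_SC_NA_1, "ioa": 100, "value": 1},      # close onto faulted feeder: alert
    {"type": C_SC_NA_1, "ioa": 999, "value": 1},      # breaker not in the model: alert
]

if __name__ == "__main__":
    for i, alert in run(SAMPLE_TRACE):
        print(f"msg {i}: {alert}")
```

            The point of the structure is that the same command can be legitimate or unsafe depending on the model state: the open command at message 4 passes, while the close command at message 6 is flagged only because the model remembers the out-of-band reading from message 3. In a Bro deployment the parsed ASDU fields would arrive through the protocol analyser's events and the model would live in script-level state; the thresholds would come from the station's engineering data rather than the constants used here.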


            Author and article information

            Contributors
            Conference: August 2018
            Pages: 112-121
            Affiliations
            [1] University of Twente, the Netherlands
            [2] University of Twente, the Netherlands, University of Münster, Germany
            Article
            DOI: 10.14236/ewic/ICS2018.13
            © Chromik et al. Published by BCS Learning and Development Ltd. Proceedings of ICS & SCADA 2018

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            5th International Symposium for ICS & SCADA Cyber Security Research 2018
            ICS-CSR 2018
            5
            University of Hamburg, Germany
            29 - 30 August 2018
            Electronic Workshops in Computing (eWiC)
            ICS & SCADA Cyber Security Research

            1477-9358 BCS Learning & Development

            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2018.13
            Self URI (journal page): https://ewic.bcs.org/
            Categories
            Electronic Workshops in Computing

            Applied computer science,Computer science,Security & Cryptology,Graphics & Multimedia design,General computer science,Human-computer-interaction
            Intrusion Detection System,IDS,process-aware,power distribution,SCADA

