Professional Documents
Culture Documents
SCAD@COPS
AHybridNetworkIntrusionDetectionSystem
LisaMALIPHOL
April2015
Introduction
Supervisory control and data acquisition systems (SCADA) are one type ofindustrialcontrol
system (ICS) put in place for monitoringandcontrollingindustrialprocesses.Originally,these
systems were isolatedandusedproprietaryprotocols, whosesecurity reliedpredominantlyon
obscurity. As SCADA systems move towards open standards and become more
interconnected to traditionalITsystems,thesecriticalsystemshavealsobecomeincreasingly
exposedandtargetedtocyberattacks.[1][2]
To secure SCADA systems, intrusion detection systems (IDS) are put into place with the
purpose of observing, analyzing and detecting any malicious activity, which are typically
alerted to, and reviewed by, security analysts. Most IDSs found in the marketplace are
commonly network, signaturebased IDSs. Anomalybased detection systems are relatively
immature, however, they provide a greater possibility of detecting unknown attacks. As
signaturebasedsystemscan only detect known and identifiedsignatures of attacks,andare
they themselves exposed to the same security issues,Diateamhasproposedanarchitecture
andimplementedaprototypeofahybridIDSundertheprojectSCAD@COPS.
Based on contributions of [4] and [5], the prototype integrates the architectural and
signaturebasedaspects outlined,andwherethefollowingwerealsoconsideredinthedesign
ofSCAD@COPS:
networkbased
passiveonlytheIDSshouldnotinterferewith,normodifytheSCADAsystem
onlyTCP/IPandEthernetdataanalyzed.
SCADA Systems
A Supervisory Control and Data Acquisition (SCADA) system is an industrial control system
(ICS)used formonitoringequipmentandcontrolling processesin industriessuchaselectrical,
water, and oil. The various components of a SCADA system is shown (Figure1).Historically,
SCADA systems resided on their own internal networks and were not connected to other
networks and used proprietary protocols, and therefore less vulnerable to network attacks.
However, over time as the systems adopted open standards and leveraged traditional
enterprise systems to lower costs, and increase functionality and productivity, SCADA
systemsarealsonowincreasinglyexposedtointernalandexternalattacks.
Figure1SCADAcomponents[1]
TherearetwotypesofIDSs,whicharedescribedasfollows:
Host IDS
Hostbased IDSs are placed directly on each individual host to be monitoredand has direct
accesstothetheresourcesonthehost.
Network IDS
Networkbased IDSs are placed at various strategic points on the network andthetrafficthat
occurbetweenhostsisinspectedbylisteningtoandanalyzingnetworkevents.
Threatsmaybeidentifiedbythefollowingmeans:
Signature-based
The data captured by the NIDS is examined andcompared toanexistingsignaturedatabase
that have attributesofknownattacks.Althoughthismethodprovidesforhigheraccuracy(less
number of false positives) in detecting known threats, the signature database needs to be
continuallymaintainedandupdatedfrequently.
Anomaly-based
In an anomalybased NIDS (ANIDS), any deviation from normal activity is flagged as an
alarm. An initial (normal) profile of the system is first created where normal activity is
observed. Once established, the ANIDS collects data from network events and based on
different measures,looksforactivitythatdifferssignificantlyfromthenormalprofile andraises
an alarm. The advantage of an ANIDS is that no apriori knowledge is required ofprevious
known attacks and can be used to define signatures for malicious behaviour, however it
cannot determine a specific attack and has a greater number offalsealarms(falsepositives)
thansignaturebasedIDS.
Figure2FunctionalarchitectureofanANIDS[3]
Statistical
Statistical approaches are based on either setting thresholds and applying them to specific
variables, or are based on changes in distributions overaperiodoftimeobserved.Inthefirst
case, an upper and lower bound are established todefine an appropriate rangeofvaluesfor
the individual variables measured. Earlier methods began by using the univariate model
where single variables are analyzed, and later, multivariate models were applied, in which
highly correlated metrics were used, as they were considered to be more effective at
distinguishing anomalies.Inthesecondcase,consideredasatimeseriesmodel,awindowof
dataisusedtocomputethemeanofitsdistributioninordertodeterminethethresholds.[5]
Data Mining
Data mining, also known as knowledge discovery in databases (KDD),is the the processof
extracting information and detecting interesting patterns from data. A good deal of work is
involved prior to the mining process in understanding and preparing the data for the mining
process and analysis. Some data mining techniques are association rules based, language
processing,anddecisiontrees.
Machine Learning
In the machine learning approach an algorithm is trained to learn against a set of data that
has been previously identified, or labeled, and as more data becomes available, the greater
the accuracy of the model. Prominent methods of machine learning are Bayesianandneural
networks,SVM,kNN,clusteringandoutlierdetection.
Prototype
The SCAD@COPS prototype incorporatesthemethodsasoutlinedin[6],[7],whichdefinethe
architectural and signaturebased detection system, and the last component being the
anomalybaseddetectionsystem.
Architecture
To address the security concerns of the IDS itself, the architecture in [6] recommends to
partition the various components and isolate each IDS instance from one another. All
resources are set to readonly mode, with limited authorized access. For maintenance,
updates aredepositedinadedicatedareaandthencopiedovertoanotherreservedareathat
are either executed by a scheduled job or by via trigger. AMiraboxisusedastheembedded
system running the latest stable version of Debian and virtual private networks to
communicatebetweentheinternalIDSandthesupervisorysystem.
Figure2ArchitectureofsecureIDS[6]
Signature-based IDS
In [6] and [7], the signaturebased IDS is described and the use oftheSuricataIDSsoftware
with Modbus protocol are proposed. Rules are configured that conform to, and verify the
correctandnormalbehaviourofaSCADAsystem.
[7] also recommends the strategic placement of the monitoring devices throughout the
SCADA system on a dedicated network for supervision, and presents the two different
approachesofacentralizedoradistributedsystem.
Anomaly-based IDS
InthescopeoftheSCAD@COPSproject,theanomalybasedcomponentwillbecarriedout
withastatisticalbasedstudy.Possiblefurtherstudiesmaybedoneusingdataminingand
machinelearningbasedtechniques.
Summary
SCADA systems have typically been isolated and less prone to cyber threats, but as they
continue to increasingly use traditional IT infrastructure in order to minimize costs and
increase efficiencyandfunctionality,theybecomemore and morevulnerabletocyberattacks.
IDSs offer a solution to provide supervision and protection to SCADA systems, which are
implemented as either host or networkbased IDSs. Most commercial IDSs offered are
typically signaturebased, which are only able to detect previously identified threats and
defined rules of behaviour. As the nature of ICSs is also such that their topology tends to
remain static, their protocols simple,andthe traffic fairly regular, and with the needfor more
robust and flexible detection of new threats and attacks grow, there is more research and
advancements in anomaly detection applying methods such as statistical, data mining and
machinelearningtechniquestofindintelligentwaysofanomalydetection.
DiateamhasproposedaprototypeSCAD@COPS,whichwillbeahybridIDSthatistohavea
signaturebased, as well as incorporate an anomalybased IDS. This paper broaches the
different techniques in order to achieve this and further studies will be conductedtoexamine
the data and ascertain a viable and effective method for anomaly detection. It will also be
important to focus the analysis onnetwork dataattheTCP/IPandEthernetlayers,aswellas
maintainingapassivemodesoasnottoperturbtheSCADAsystem.
References
[1] B. Zhu andS.Sastry.Scadaspecificintrusiondetection/preventionsystems:Asurveyand
taxonomy. In Proceedings of the First Workshop on Secure Control Systems (SCS10),
Stockholm,Sweden,2010.
[2] BonnieZhu,AnthonyJoseph,andShankarSastry. 2011.ATaxonomyofCyberAttackson
SCADA Systems. In Proceedings of the2011 International Conference on Internet of Things
and 4th International Conference on Cyber, Physical and Social Computing
(ITHINGSCPSCOM'11).IEEEComputerSociety,Washington,DC,USA,380388.
[3] P. GarcaTeodoro, J. DazVerdejo, G. MaciFernndez, and E. Vzquez. 2009.
Anomalybased network intrusion detection: Techniques, systems and challenges. Comput.
Secur.28,12(February2009),1828.
[4]Yasakethu,Jiang.IntrusionDetectionviaMachine LearningforSCADASystemProtection.
Proceedings of the 1st International Symposium for ICS &SCADACyberSecurityResearch
2013
[5] Chengwei Wang Viswanathan, K. Choudur, L. Talwar, V. Satterfield, W. Schwan, K.,
"Statistical techniques for online anomaly detection in data centers,"Integrated Network
Management(IM), 2011 IFIP/IEEEInternational Symposium on , vol.,no.,pp.385,392,2327
May2011
[6] P. Chifflier and A. Fontaine. Architecture systme scurise de sonde IDS rseau.
C&ESAR2014
[7] David Diallo andM. Feuillet. Dtection dintrusion dans lessystmes industriels:Suricata
etlecasModbus.
C&ESAR2014