Intrusion Detection for SCADA Systems



Similar documents
SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Securing Distribution Automation

Update On Smart Grid Cyber Security

Security Issues with Integrated Smart Buildings

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

NETWORK SECURITY (W/LAB) Course Syllabus

Introduction to Cyber Security / Information Security

DNP Serial SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices

Missing the Obvious: Network Security Monitoring for ICS

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

!! "# $%!& $!$ +) * ', -./01.//1233/ "4, -./01.//12223 *, 565

Network Cyber Security. Presented by: Motty Anavi RFL Electronics

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Cybersecurity Risk Assessment in Smart Grids

Cyber Security and Privacy - Program 183

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Deterrent and detection of smart grid meter tampering and theft of electricity, water, or gas

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Protecting Your Organisation from Targeted Cyber Intrusion

What is Really Needed to Secure the Internet of Things?

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Current and Future Research into Network Security Prof. Madjid Merabti

NERC CIP Version 5 and the PI System

IT Security and OT Security. Understanding the Challenges

Security Issues in SCADA Networks

The Importance of Cybersecurity Monitoring for Utilities

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Lessons Learned from AMI Pioneers Follow the Path to Success

SCADA Security: Challenges and Solutions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

ISACA rudens konference

Defending Against Data Beaches: Internal Controls for Cybersecurity

Smart grid security analysis

Data Security Concerns for the Electric Grid

Smart Grid and Cyber Challenges

A Model-based Methodology for Developing Secure VoIP Systems

Are Second Generation Firewalls Good for Industrial Control Systems?

NIST Cyber Security Activities

Holistic View of Industrial Control Cyber Security

The Hillstone and Trend Micro Joint Solution

On-Premises DDoS Mitigation for the Enterprise

Ovation Security Center Data Sheet

Securing Smart City Platforms IoT, M2M, Cloud and Big Data

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

CYBER SECURITY. Novel Approaches for Security in Building Automation Systems. J. Kaur, C. Herdin, J. Tonejc, S. Wendzel, M. Meier, and S.

Compliance and Unified Communication

Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Cyber Security for SCADA/ICS Networks

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Defending Against Cyber Attacks with SessionLevel Network Security

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

First Line of Defense to Protect Critical Infrastructure

BlackRidge Technology Transport Access Control: Overview

SURVEY OF INTRUSION DETECTION SYSTEM

Chapter 9 Firewalls and Intrusion Prevention Systems

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Network Security 101 Multiple Tactics for Multi-layered Security

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Intro to Firewalls. Summary

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Security Coordination with IF-MAP

Enterprise Cybersecurity: Building an Effective Defense

Intrusion Detection System (IDS)

Keeping the Lights On

Cybersecurity considerations for electrical distribution systems

Cyber Security. Smart Grid

RAVEN, Network Security and Health for the Enterprise

Ovation Security Center Data Sheet

Jort Kollerie SonicWALL

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Cyber Security Health Test

Network/Internet Forensic and Intrusion Log Analysis

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Cybersecurity Health Check At A Glance

Airports and their SCADA Systems. Dr Leigh Armistead, CISSP. Peregrine Technical Solutions

Goals. Understanding security testing

Document ID. Cyber security for substation automation products and systems

Guidelines for Web applications protection with dedicated Web Application Firewall

1. OVERVIEW: IEC TC57 WG15 SECURITY FOR POWER SYSTEM COMMUNICATIONS DUAL INFRASTRUCTURES: THE POWER SYSTEM AND THE INFORMATION SYSTEM...

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

TRIPWIRE NERC SOLUTION SUITE

Effective Log Management

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

External Supplier Control Requirements

Cyber Security Seminar KTH

Chapter 9. IP Secure

Transcription:

Intrusion Detection for SCADA Systems Dr Kieran McLaughlin CSIT, Queen s University Belfast

Outline Background & Motivation Experience with IEC 60870-5-104 SCADA-IDS approach SPARKS mini-project targeting IEC 61850 Questions...

SCADA Communications Security SCADA protocols (particularly legacy protocols) designed without considering cyber security Cyber security based only on IT security principles ignores SCADA system characteristics Smart Grid systems are cyber-physical control systems Due to critical nature of SCADA control, cyber security must consider availability and integrity A brief history of SCADA protocols

SCADA Vulnerabilities Interconnected IT systems can provide beachhead for attacks Intruders with a foothold in the network can: Sniff, observe, learn, record, replay, tamper, launch man-in-themiddle attacks, exfiltrate Plaintext message transmission Authentication, encryption, etc. not commonly used Attacks on SCADA threaten: System availability Data and control integrity

Motivation for SCADA IDS Cyber security policies are derived from: Expert knowledge of physical system Communication requirements of SCADA network SCADA IDS technology Can be deployed to support policy enforcement Particularly policies beyond IT Support monitoring for breaches Provide enhanced security sensor data for event correlation

Experience with IEC 60870-5-104 Water, gas, electricity telecontrol operations Widely used in Europe Development of 104 Started life in 1990 s as a serial communication standard Released in 2000 as a TCP/IP standard Interconnection of IP networks raises risks Cyber security risk Control operation risk Business risk

Experience with IEC 60870-5-104 IP packet payload: 104 SCADA data... ASDU ASDU Field Start 68H Data Unit Identifier Data Unit Type Type Identification (TI) Variable Structure Qualifier Cause of Transmission (CoT) Common Adress Length APDU Length (max. 253) Control Field Octet 1 Control Field Octet 2 Control Field Octet 3 Control Field Octet 4 APCI APDU Information Object Information Object Address Information Object Time Tag ASDU defined in IEC 101 and IEC 104 ASDU ASDU structure APDU structure

Designing Custom-104 IDS Protocol-Based Models Cross-field data correlation ( ) { } ( ) P 104( I ) format TIField P 45, 46 lenfield P = 14 Stateful protocol analysis of all packets in a flow ( ) { } ( ) { } P 104Response TIField P = 45 48,100,101 CoTField P = 7,10 Benefits: Better situational awareness in SCADA network Increased visibility of attack steps being executed Use for traceability, forensic analysis Detects attacks standard IT cyber security tools cannot

SCADA IDS results (Left) Custom IDS rules developed for standard open source tools such as Snort (Right) Custom SCADA IDS tool incorporates custom Snort rules, plus stateful analysis which Snort cannot provide

SPARKS Mini-Project State of the art tools: Generally lack awareness of power systems properties Lack stateful analysis at SCADA application layer NIST recommends further research on above, as well as whitelist enforcement Our aims: Combine SCADA and power systems knowledge for protocol verification and correlation of temporal / physical data SCADA protocol verification, stateful analysis, and functional whitelisting Unified platform monitoring multiple security attributes

SPARKS Mini-Project Target is AIT SmartEST Lab demonstration Focus on IEC 61850 protocol Custom SCADA IDS Also develop attack use cases Development of a multi-attribute SCADA-IDS Identify permitted and non-permitted devices, connections, and protocols Enhanced payload inspection to detect permitted and nonpermitted operations and behaviours Whitelist, stateful and behavioural analysis based on 61850 features and SmartEST demo physical system attributes

Attack Demonstrations Build on previous experience attacking 104 (below) In SPARKS we will attack 61850 Data injection, Replay, Man-in-the-Middle

Questions Which SCADA protocols are currently in use within your networks? e.g. IEC 60870, IEC 61850, DNP3, etc. What information do you have regarding cyber-risks specific to such protocols? What are your sources? (e.g. from manufacturers, standards, risk analysis approaches) Do you believe cyber-attacks on SCADA communications to be: High probability low probability? High operational impact low operational impact? Security measures in place: Are these protocols implemented with any validation/authentication features? How do you defend/protect networks using these protocols? (e.g. firewalls, etc)? How do you monitor for attacks or anomalies in the SCADA communications? Have you carried out any penetration testing of related systems? How critical is the secure operation of SCADA communications to your overall systems? What are the consequences for system operations if there is corrupt / untrustworthy data, or deliberately manipulated sensor data?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information