Adapting Bro into SCADA: Building Specification-based Intrusion Detection System for DNP3 Protocol

Lin, H., Kalbarczyk, Z., Iyer, R.K.
Citation:

Coordinated Science Laboratory Technical Report UILU-ENG-12-2206, July 2012.

Visit Publisher Online Entry:
Abstract:

Modern SCADA systems are increasingly adopting Internet technology to control industry processes. With their security vulnerabilities exposed to public networks, an attacker is able to penetrate into these control systems to put remote facilities
in danger. To detect such attacks, SCADA systems require an intrusion detection technique that can monitor network traffic based on proprietary network protocols.

To achieve this goal, we adapt Bro, a network traffic analyzer widely used for intrusion detection, for use with SCADA systems. A built-in parser in Bro supports DNP3, a network protocol that is widely used in SCADA systems for electrical power grids. By exploiting Bro’s intrusion detection features, we apply a specification-based technique to analyze the parsed traffic. This built-in parser provides high visibility of network events in SCADA systems. Instead of exploiting an attack signature or a statistical normal pattern, SCADA-specific semantics related to each event are analyzed. Such analyses are made in terms of defined security policies which can be included at runtime. Our experiments are carried out in a laboratory-scale SCADA system environment with well-formatted but malicious network traffic. The detection capability and performance of the Bro-adapted intrusion detection system revealed in experiments show its potential applicability in the real SCADA system environment.

Publication Status:
Published
Publication Type:
Technical Report
Publication Date:
07/01/2012
Copyright Notice:

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

  1. The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."

  2. The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."

  3. The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."