Specification-based IDS for the DNP3 Protocol

Industry Collaborators:

Ameren Technology Applications Center

Research Summary:

Modern SCADA systems are increasingly adopting Internet technology to control industrial processes. Because of security vulnerabilities and potential exposure to public networks, attackers can penetrate control systems to issue malicious control commands that drive remote facilities into an unsafe state, without exhibiting any obvious protocol-level red flags. While a few Intrusion Detection Systems (IDSes) are becoming available to investigate network traffic based on unique proprietary protocols, it is challenging to detect such attacks based solely on monitoring network activities. To overcome that challenge, we introduced a semantic analysis framework based on collaborating network IDSes. The framework exploits a power flow analysis algorithm adapted to accurately estimate the execution consequences of control commands with short latency, thus revealing a potential attacker’s malicious intentions.

We augmented the Bro IDS with power flow assessment tools to perform run-time power flow analysis to predict the consequences of executing a control command (potentially maliciously crafted) that is transmitted over the underlying communication network. Our approach is based on 1) having a master IDS at the control center to distinguish critical commands from noncritical ones, collect measurements from multiple substations, and use the adapted power flow analysis algorithm to estimate the consequences of executing a given command; and 2) having slave IDSes at remote sites, with the local IDS being used to obtain trusted measurements directly from sensors. (We assume that physical tampering with a large number of distributed sensors is not practical for the attacker.) The deployed Bro IDS is able to detect malicious commands transmitted as network packets that are syntactically correct from the point of view of the communication protocol (DNP3 in our study).

Experiments estimated the physical consequences of malicious control commands for power systems and demonstrated the good performance of the adapted power flow analysis algorithm in terms of short detection latency and low rate of false detections.
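The consequence-estimation step of the master IDS, shown here as an added illustration in Python rather than as code from the TCIPG project or its Bro-based implementation: a DNP3 CROB (group 12) TRIP command, assumed already parsed by the protocol analyzer and mapped through an assumed point-index-to-breaker table, is simulated on a constructed 3-bus grid with a DC power flow, and the command is flagged as critical if any remaining line exceeds its thermal limit or a bus is islanded.

```python
# Constructed 3-bus test grid in per-unit; bus 0 is the slack/generator bus.
# Line id -> (from_bus, to_bus, reactance x, thermal limit in pu).
LINES = {"L01": (0, 1, 0.1, 1.5), "L02": (0, 2, 0.1, 1.5), "L12": (1, 2, 0.1, 1.5)}
INJECTION = {1: -1.0, 2: -1.0}   # net injection at every non-slack bus (load negative)
# Assumed mapping from a DNP3 CROB (group 12) point index to the line breaker it controls.
BREAKER_POINTS = {0: "L01", 1: "L02", 2: "L12"}


def solve(a, b):
    """Gaussian elimination with partial pivoting; raises ValueError if singular (islanded bus)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("singular B' matrix: a bus is islanded")
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def dc_flows(lines):
    """DC power flow over `lines`; returns {line_id: flow_pu from->to} with slack angle 0."""
    buses = sorted(INJECTION)
    idx = {bus: i for i, bus in enumerate(buses)}
    bmat = [[0.0] * len(buses) for _ in buses]
    for f, t, x, _ in lines.values():
        for u, v in ((f, t), (t, f)):
            if u in idx:
                bmat[idx[u]][idx[u]] += 1.0 / x
                if v in idx:
                    bmat[idx[u]][idx[v]] -= 1.0 / x
    theta = dict(zip(buses, solve(bmat, [INJECTION[b] for b in buses])))
    theta[0] = 0.0   # slack bus is the angle reference
    return {lid: (theta[f] - theta[t]) / x for lid, (f, t, x, _) in lines.items()}


def assess_trip(point_index):
    """Master-IDS check: simulate the TRIP, return (is_critical, overloaded line ids)."""
    remaining = {lid: s for lid, s in LINES.items() if lid != BREAKER_POINTS[point_index]}
    try:
        flows = dc_flows(remaining)
    except ValueError:           # islanding leaves load unserved: always critical
        return True, ["islanded"]
    over = sorted(lid for lid, fl in flows.items() if abs(fl) > remaining[lid][3])
    return bool(over), over
```

In the constructed grid each load bus draws 1.0 pu, so tripping either line from the slack bus forces 2.0 pu through the remaining supply line and trips the 1.5 pu limit, while tripping the tie line between the two load buses is harmless.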

Presentation from 2014 Industry Workshop:

Specification-Based IDS for the DNP3 Protocol. Presented by Hui Lin, University of Illinois, at the 2014 TCIPG Industry Workshop held November 12-13, 2014 at the iHotel and Conference Center in Illinois. Slides for this presentation may be downloaded from the workshop archives.

Research Demo:

Detection of a Man-in-the-middle Attack in SCADA Network: Presented by Hui Lin during the TCIPG Industry Workshop in October 2012.

More Information: