Files in this item

UILU-ENG-12-2207.pdf (2MB), application/pdf

Description

Title:Using a Specification-based Intrusion Detection System to Extend the DNP3 Protocol with Security Functionalities
Author(s):Lin, Hui; Slagell, Adam; Kalbarczyk, Zbigniew; Iyer, Ravishankar K.
Subject(s):SCADA; DNP3; Bro; Specification-based intrusion detection system; Authentication
Abstract:Modern SCADA systems are increasingly adopting Internet technologies to control distributed industrial assets. As proprietary communication protocols are carried over public networks without effective protection mechanisms, it becomes easier for attackers to penetrate the communication networks of companies that operate electrical power grids, water plants, and other critical infrastructure. To protect against such attacks without changing legacy configurations, SCADA systems require an intrusion detection technique that can understand the information carried by network traffic in proprietary SCADA protocols. To that end, in our previous work we adapted Bro, a specification-based intrusion detection system, to SCADA protocols by building into it a new parser for DNP3, a complex proprietary network protocol widely used in SCADA systems for electrical power grids. The parser provides clear visibility of SCADA-related network events, and the semantics attached to those events give a fine-grained operational context of the SCADA system, including the types of operations and their parameters. Building on that information, in this work we propose two security policies that perform authentication and integrity checking on observed SCADA network traffic. To evaluate the policies, we simulated SCADA-specific attack scenarios in a test-bed that includes real proprietary devices used in an electrical power grid. Experiments showed that the proposed intrusion detection system with these security policies can operate efficiently in a large industrial control environment of approximately 4000 devices.
Issue Date:2012-11
Publisher:Coordinated Science Laboratory. University of Illinois at Urbana-Champaign.
Series/Report:Coordinated Science Laboratory Report no. UILU-ENG-12-2207
Genre:Technical Report
Type:Text
Language:English
URI:http://hdl.handle.net/2142/90434
Sponsor:DE-OE0000097 (DOE); OCI-1032889 (NSF); Infosys Limited; The Boeing Company
Date Available in IDEALS:2016-07-07
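The abstract describes Bro policies that use the parsed DNP3 operational context (link addresses, function codes) to authenticate and integrity-check observed traffic, but this record does not give their details. The following is an added example, not code from the report, from Bro or from the authors: a minimal Python DNP3 link-frame parser that verifies the CRC-DNP checksums on the header and every 16-byte data block, extracts the link addresses and the application-layer function code, and then enforces a constructed whitelist of which master may issue which function codes to which outstation. The frame layout and CRC (reflected polynomial 0x3D65, result complemented, sent LSB first) follow the DNP3 specification; the device addresses, the policy table and the sample frames are constructed assumptions for illustration.

```python
# Added example (not from the report): DNP3 link-frame parsing with CRC
# verification, followed by a specification-style authorization policy.
from dataclasses import dataclass
from typing import Optional

# x^16+x^13+x^12+x^11+x^10+x^8+x^6+x^5+x^2+1 (0x3D65), bit-reversed for the reflected algorithm
DNP_POLY_REFLECTED = 0xA6BC


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected 0x3D65, init 0, result complemented; transmitted LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Encode a link frame: 0x05 0x64, length, control, dst, src, CRC, then data blocks of up to 16 bytes, each followed by its CRC."""
    header = (bytes([0x05, 0x64, 5 + len(user_data), ctrl])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


@dataclass
class Frame:
    from_master: bool   # DIR bit of the link control byte
    dst: int
    src: int
    app_func: int       # application-layer function code


def parse_frame(raw: bytes) -> Frame:
    """Verify every CRC and extract the fields a policy needs; raise ValueError on any integrity failure."""
    if len(raw) < 10 or raw[:2] != b"\x05\x64":
        raise ValueError("short frame or bad start bytes")
    length = raw[2]
    if length < 5:
        raise ValueError("length field too small")
    header = raw[:8]
    if int.from_bytes(raw[8:10], "little") != crc_dnp(header):
        raise ValueError("header CRC mismatch")
    ctrl = raw[3]
    dst = int.from_bytes(raw[4:6], "little")
    src = int.from_bytes(raw[6:8], "little")
    user = bytearray()
    pos, remaining = 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        if len(raw) < pos + n + 2:
            raise ValueError("truncated frame")
        block = raw[pos:pos + n]
        if int.from_bytes(raw[pos + n:pos + n + 2], "little") != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        user += block
        pos += n + 2
        remaining -= n
    # user data: 1 transport byte, then application control byte, then function code
    if len(user) < 3:
        raise ValueError("no application header")
    return Frame(bool(ctrl & 0x80), dst, src, user[2])


READ, SELECT, OPERATE, DIRECT_OPERATE, COLD_RESTART = 0x01, 0x03, 0x04, 0x05, 0x0D

# Constructed policy (assumption): (master address, outstation address) -> permitted function codes.
POLICY = {
    (1, 10): {READ, SELECT, OPERATE},
    (1, 11): {READ},
}


def audit(raw: bytes) -> Optional[str]:
    """Return None if the frame passes integrity and authorization checks, else a description of the violation."""
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return f"integrity: {exc}"
    if not frame.from_master:
        return None  # outstation responses are not policed in this example
    allowed = POLICY.get((frame.src, frame.dst))
    if allowed is None:
        return f"authentication: master {frame.src} is not authorized to command outstation {frame.dst}"
    if frame.app_func not in allowed:
        return f"authorization: function 0x{frame.app_func:02X} not permitted from master {frame.src} to outstation {frame.dst}"
    return None


# Constructed traffic. Link control 0xC4 = DIR|PRM|unconfirmed user data (master to outstation), 0x44 the reverse.
# User data: transport 0xC0 (FIR|FIN, seq 0), application control 0xC0, function code, then object headers.
SAMPLE_OK = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, READ, 0x3C, 0x01, 0x06]))   # read class 0
SAMPLE_ROGUE_MASTER = build_frame(0xC4, 10, 2, bytes([0xC0, 0xC0, READ, 0x3C, 0x01, 0x06]))
SAMPLE_RESTART = build_frame(0xC4, 10, 1, bytes([0xC0, 0xC0, COLD_RESTART]))
SAMPLE_RESPONSE = build_frame(0x44, 1, 10, bytes([0xC0, 0xC0, 0x81, 0x00, 0x00]))    # response, IIN 0x0000
_tampered = bytearray(SAMPLE_RESTART)
_tampered[12] ^= COLD_RESTART ^ READ   # rewrite the function code without fixing the block CRC
SAMPLE_TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_ROGUE_MASTER", "SAMPLE_RESTART", "SAMPLE_RESPONSE", "SAMPLE_TAMPERED"):
        print(f"{name}: {audit(globals()[name]) or 'ok'}")
```

The two checks are deliberately separate. The CRC layer only detects corruption or an in-path edit that did not recompute the checksum; an attacker who crafts whole frames will produce valid CRCs, so the address and function-code whitelist, derived from the parsed operational context, is what actually decides whether a command is acceptable. In a Bro deployment the same decision would be expressed as a policy script over the parser's DNP3 events rather than as the inline table used here.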