
Intrusion Detection on SCADA

   

Added on  2023-03-24

39 Pages | 12934 Words | 83 Views

Abstract
This report uses a new SCADA system to monitor and control industrial control
systems in many industries and economic sectors. This newfound connectivity has
raised security concerns. This thesis makes one primary contribution to
researchers and industry: two datasets are introduced for SCADA systems to
support intrusion detection system (IDS) research. The datasets include network
traffic captured on a gas pipeline. IDS researchers lack a common framework for
training and testing proposed algorithms.

Table of Contents
Abstract
CHAPTER 1: INTRODUCTION
1.1 Background
1.2 Research Contributions
1.3 Organisation
CHAPTER 2: LITERATURE REVIEW
2.1 SCADA System Threats
2.2 Intrusion Detection
2.3 SCADA Datasets and test beds
CHAPTER 3: GAS PIPELINE DATASET
3.1 Introduction
3.2 Previous work
3.3 Gas pipeline system
3.4 Dataset Collection Methodology
3.5 Dataset Description
3.5.1 Raw Dataset
3.5.2 ARFF dataset
CONCLUSION
REFERENCES

CHAPTER 1: INTRODUCTION
1.1 Background
Supervisory Control and Data Acquisition (SCADA) systems manage and control
critical utilities. The controlled systems include railroads, pipelines, power
plants etc. Previously, these systems were isolated from other networks, but
they have now been integrated with corporate networks and the Internet. This
integration has increased organisations' control and has also produced savings.
The new connections also raise security concerns that need to be analysed. A
vulnerability in any part of the system may permit attackers to exploit the
data completely and thereby take full control of the SCADA system. Such control
can cause hardware to break down and so endanger people's lives.
SCADA systems provide visualisation and control of critical infrastructure
systems. They are composed of four components. The first comprises the sensors
and actuators, the second the programmable logic controllers (PLCs), and the
third the supervisory control. Sensors are devices that collect information
about a system. Actuators, such as motors and pumps, control the state of the
system. PLCs are responsible for managing the collected data that represents
the state of the system. These controllers can also be considered remote
terminal units (RTUs). The master terminal unit (MTU) interacts with these
controllers, managing and handling them. Communication is carried over various
protocols, such as Fieldbus, Profibus, Distributed Network Protocol Version 3
(DNP3) and Modbus. The human machine interface (HMI) is the final level. An
operator uses it to view the information collected by the MTU. The HMI presents
the system along with its subsystems, and it also exchanges parameters within
the SCADA system to maintain interaction with the MTU. A simple SCADA system is
represented below:

Figure 1: Simple SCADA system
As per the requirements of the Corporate Network Interconnection and Security
Aspects of SCADA, these systems were developed to be robust, open, and easy to
use and modify when necessary. It was unclear at that time whether they were
secure enough. Three weaknesses affect the structure of these systems,
including the lack of authentication in the protocols used by SCADA systems and
security through obscurity. The lack of authentication may also allow the
information and data received by the RTU and the MTU to be spoofed (Dell
Security Annual Threat Report, 2015). Security through obscurity means that the
people who operate the specialised protocols and equipment assume that no
outsider or external body will be able to operate them as they do. The final
factor is the notion that no trespasser can harm any of their systems because
they are wholly secure physically. These weaknesses have left infrastructure
systems exposed and in need of various cyber security protections.
Various researchers are examining the security features of SCADA systems so
that they can remove some of these weaknesses with specific solutions. Stuxnet,
an attack carried out in Iran in 2010, targeted uranium enrichment plants by
aiming at the Siemens Step 7 software. This software is used to program PLCs,
the digital devices that handle industrial systems. Stuxnet was introduced into
the Windows environment and began searching for the Siemens software. After
identifying the software, Stuxnet was free to obtain the required data and put
the system into a critical state (How Stuxnet is rewriting the cyber terrorism
play book). Rewriting the firmware and the ladder logic on the PLC made this
possible. This further permits the attacker to forcibly produce false responses
towards the PLC.
SCADA systems have also been attacked by Flame, which was able to collect
surveillance information. Flame is similar to Stuxnet in that it infects all
Windows-based systems. The only distinguishing difference between the two is
that Flame does not focus on doing harm; rather, it focuses on collecting data
and streaming it to the control server (Boyer and Stuart, 2014). The data is
then filtered and the results are presented to the operator. This attack was
used in Iran to acquire information on other states.
Aurora, another event, was presented by Idaho National Laboratory to the
government to convey the seriousness of these ongoing attacks. It was run on a
temporary basis and duplicated the controls of the power system. The attack
first targeted the control system and tried to switch the circuit breakers in
and out. Through a minor change in the operation cycle, its final goal was a
fully damaged generator, which would have caused a fatal phase condition. The
attack has not been replicated in the real world, but the demonstration
succeeded in getting the government's attention. It also increased development
in industrial control systems (ICS).
An intrusion detection system (IDS) can detect attacks and alert operators so
that they can protect the system from further damage. An IDS is an essential
part of securing any communication-based system, and it is well suited to
monitoring and analysing subsequent conditions. In SCADA systems, IDSs are
trained with data logs that represent actual traffic. Any dataset that can
modify and improve the IDS is therefore needed.
1.2 Research Contributions
A primary contribution has been made to industry and researchers. This
contribution consists of two data sets that can be used to replace a previous
one. The Gao data set was not suitable for IDS research. The data sets contain
network transactions between the MTU and the RTU in Mississippi State
University's in-house SCADA gas pipeline. To replicate real attacks and
operator activity on the gas pipeline, the new data sets were collected with
the help of a novel framework. Compared with the previous data set, all the
issues that affected it were found to be resolved.
The features are grouped into three categories: payload information, network
data and labels. The network data provides the intrusion detection structure
with a specific technique to compete against. SCADA systems have predetermined
network topologies, and their nodes are repetitive as well. These systems do
not behave like information technology (IT) networks. This behaviour is
conducive to an IDS, which can be sensitive enough to detect any abnormal
activity. The second category consists of the payload information. It provides
data about the state of the gas pipeline, parameters etc. These factors are
enough to understand the system's level of performance and to determine whether
it is in a critical state.
The data sets are intended to aid researchers in assessing the performance of
the SCADA system, using original patterns of SCADA attacks and HMI operations.
Because these systems have a long lifetime, their interaction patterns are
fixed as well. The data sets can therefore be used with SCADA IDS structures,
since they provide some general characteristics.
1.3 Organisation
The next chapter covers the threats to SCADA systems and IDSs for critical
infrastructure systems, along with an evaluation of SCADA test beds and data
sets. It explains why these data sets are important and how they can be useful.
The third chapter describes the gas pipeline system used to create the data
sets, together with the methodologies and framework that were implemented. Two
further sections of the third chapter describe the two data sets that were
created: the raw network transaction data and the information derived from it.
Another section in that chapter covers the data set that has been improved
from the earlier one. The last chapter presents the conclusions drawn from this
research.