Using a Specification-based Intrusion Detection System to Extend the DNP3 Protocol with Security Functionalities
Lin, Hui; Slagell, Adam; Kalbarczyk, Zbigniew; Iyer, Ravishankar K.
Permalink
https://hdl.handle.net/2142/90434
Description
- Title
- Using a Specification-based Intrusion Detection System to Extend the DNP3 Protocol with Security Functionalities
- Author(s)
- Lin, Hui
- Slagell, Adam
- Kalbarczyk, Zbigniew
- Iyer, Ravishankar K.
- Issue Date
- 2012-11
- Keyword(s)
- SCADA
- DNP3
- Bro
- Specification-based intrusion detection system
- Authentication
- Abstract
- Modern SCADA systems increasingly adopt Internet technologies to control distributed industrial assets. Because proprietary communication protocols are now carried over public networks without effective protection mechanisms, it is becoming easier for attackers to penetrate the communication networks of companies that operate electrical power grids, water plants, and other critical infrastructure. To protect against such attacks without changing legacy configurations, SCADA systems need an intrusion detection technique that understands the information carried by network traffic in proprietary SCADA protocols. To that end, in previous work we adapted Bro, a specification-based intrusion detection system, to SCADA protocols by building into it a parser for DNP3, a complex proprietary protocol that is widely used in SCADA systems for electrical power grids. The parser gives clear visibility into SCADA-related network events, and the semantics attached to those events provide a fine-grained operational context for the SCADA system, including the types of operations and their parameters. Based on this information, in this work we propose two security policies that perform authentication and integrity checking on observed SCADA network traffic. To evaluate the policies, we simulated SCADA-specific attack scenarios in a test-bed that includes real proprietary devices used in an electrical power grid. Experiments showed that the intrusion detection system with these policies can operate efficiently in a large industrial control environment of approximately 4000 devices.
- Publisher
- Coordinated Science Laboratory, University of Illinois at Urbana-Champaign
- Series/Report Name or Number
- Coordinated Science Laboratory Report no. UILU-ENG-12-2207
- Type of Resource
- text
- Language
- en
- Sponsor(s)/Grant Number(s)
- U.S. Department of Energy / DE-OE0000097
- National Science Foundation / OCI-1032889
- Infosys Limited
- The Boeing Company
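The abstract describes a parser that exposes DNP3 events (function code, addresses, parameters) and two policies layered on top: authentication and integrity checking of observed traffic. The following is an added, self-contained illustration written for this page, not code from the authors' Bro parser or their policies. It implements a minimal DNP3 link/application-layer parser over constructed frames and two simplified policies: integrity checking via the standard CRC-16/DNP on the link header and data blocks, and authentication by allowing state-changing function codes only from an assumed authorized master (the IP address 192.0.2.10 and link address 1 are assumptions, as is the choice of which function codes count as "control"). The frames themselves are constructed by the `build_frame` helper rather than captured from real devices.

```python
"""Toy DNP3 (IEEE 1815) link/application-layer parser with two example
policies: CRC integrity checking and master authentication by source
address.  Added illustration for this page; not the authors' Bro policies."""

from dataclasses import dataclass


# CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF.
def crc16_dnp(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


# Application-layer function codes (subset; values per IEEE 1815).
FUNCTION_CODES = {
    0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
    0x04: "OPERATE", 0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE",
}
# Codes that change outstation state; the policy restricts who may send them
# (assumed set chosen for this example).
CONTROL_CODES = {0x02, 0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}

# Assumed authorized master: (source IP, DNP3 link-layer source address).
AUTHORIZED_MASTERS = {("192.0.2.10", 1)}


@dataclass
class Dnp3Frame:
    control: int
    dst: int
    src: int
    function_code: int


def build_frame(src: int, dst: int, function_code: int, control: int = 0xC4,
                transport: int = 0xC0, app_control: int = 0xC0) -> bytes:
    """Encode a minimal request (no object headers) with valid CRCs.
    Layout: 05 64 LEN CTRL DST(2) SRC(2) CRC(2), then 16-byte blocks + CRC."""
    user = bytes([transport, app_control, function_code])
    header = (bytes([0x05, 0x64, 5 + len(user), control])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return out


def parse_frame(raw: bytes) -> Dnp3Frame:
    """Parse one frame, verifying every CRC; raise ValueError on failure."""
    if len(raw) < 10 or raw[:2] != b"\x05\x64":
        raise ValueError("bad start bytes or truncated header")
    header, hcrc = raw[:8], int.from_bytes(raw[8:10], "little")
    if crc16_dnp(header) != hcrc:
        raise ValueError("header CRC mismatch")
    length, control = raw[2], raw[3]
    dst = int.from_bytes(raw[4:6], "little")
    src = int.from_bytes(raw[6:8], "little")
    remaining, pos, user = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        bcrc = int.from_bytes(raw[pos + n:pos + n + 2], "little")
        if len(block) != n or crc16_dnp(block) != bcrc:
            raise ValueError("data block CRC mismatch or truncated")
        user += block
        pos += n + 2
        remaining -= n
    if len(user) < 3:  # transport header + app control + function code
        raise ValueError("no application header")
    return Dnp3Frame(control, dst, src, user[2])


def inspect(src_ip: str, raw: bytes) -> list[str]:
    """Apply the two policies to one observed frame; return alert strings."""
    try:
        frame = parse_frame(raw)
    except ValueError as err:
        return [f"INTEGRITY: {err}"]
    alerts = []
    if (frame.function_code in CONTROL_CODES
            and (src_ip, frame.src) not in AUTHORIZED_MASTERS):
        name = FUNCTION_CODES.get(frame.function_code, hex(frame.function_code))
        alerts.append(f"AUTH: {name} from unauthorized master {src_ip}/{frame.src}")
    return alerts


if __name__ == "__main__":
    good = build_frame(src=1, dst=10, function_code=0x05)   # constructed
    rogue = build_frame(src=200, dst=10, function_code=0x05)  # constructed
    tampered = bytearray(good); tampered[4] ^= 0xFF            # flip DST byte
    for ip, frame in [("192.0.2.10", good), ("192.0.2.99", rogue),
                      ("192.0.2.10", bytes(tampered))]:
        print(ip, inspect(ip, frame))
```

The CRC check catches corrupted or hand-crafted frames before any semantics are interpreted; the authentication policy then keys on both the transport-level source and the DNP3 link address, since either alone is trivially spoofed on an unprotected network. A real deployment would extend the allow-list to per-outstation masters and inspect the object headers (the operation parameters the abstract mentions) rather than only the function code.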