University of Illinois Urbana-Champaign

Adapting Bro into SCADA: Building Specification-based Intrusion Detection System for DNP3 Protocol

Lin, Hui; Kalbarczyk, Zbigniew; Iyer, Ravishankar K.

Permalink

https://hdl.handle.net/2142/90433

Description

Title
Adapting Bro into SCADA: Building Specification-based Intrusion Detection System for DNP3 Protocol
Author(s)
  • Lin, Hui
  • Kalbarczyk, Zbigniew
  • Iyer, Ravishankar K.
Issue Date
2012-07
Keyword(s)
  • Intrusion detection
  • Security specification
  • Critical infrastructure
  • Bro
  • SCADA
Abstract
Modern SCADA systems are increasingly adopting Internet technology to control industry processes. With their security vulnerabilities exposed to public networks, an attacker is able to penetrate into these control systems to put remote facilities in danger. To detect such attacks, SCADA systems require an intrusion detection technique that can monitor network traffic based on proprietary network protocols. To achieve this goal, we adapt Bro, a network traffic analyzer widely used for intrusion detection, for use with SCADA systems. A built-in parser in Bro supports DNP3, a network protocol that is widely used in SCADA systems for electrical power grids. By exploiting Bro’s intrusion detection features, we apply a specification-based technique to analyze the parsed traffic. This built-in parser provides high visibility of network events in SCADA systems. Instead of exploiting an attack signature or a statistical normal pattern, SCADA-specific semantics related to each event are analyzed. Such analyses are made in terms of defined security policies which can be included at runtime. Our experiments are carried out in a laboratory-scale SCADA system environment with well-formatted but malicious network traffic. The detection capability and performance of the Bro-adapted intrusion detection system revealed in experiments show its potential applicability in the real SCADA system environment.
Publisher
Coordinated Science Laboratory, University of Illinois at Urbana-Champaign
Series/Report Name or Number
Coordinated Science Laboratory Report no. UILU-ENG-12-2206
Type of Resource
text
Language
en
Permalink
http://hdl.handle.net/2142/90433
Sponsor(s)/Grant Number(s)
Department of Energy & Department of Homeland Security/DE-OE0000097

Owning Collections

Report - Coordinated Science Laboratory PRIMARY