EE Seminar: Network Intrusion Detection for SCADA Systems

Speaker: Amit Kleinmann

Ph.D. student under the supervision of Prof. Avishai Wool

Wednesday, April 5th, 2017 at 15:00
Room 011, Kitot Bldg., Faculty of Engineering

Network Intrusion Detection for SCADA Systems

Abstract

SCADA systems are command and control systems integrated in industrial facilities that have strategic significance because of the severe damage any fault or malfunction can cause. SCADA systems were originally designed for deployment in non-networked environments, and thus they lack adequate security against Internet-based threats and cyber-related forensics.

Protecting SCADA systems is a unique challenge. The objective of this research was to improve the current state of intrusion detection for SCADA networks. In certain scenarios of SCADA communication, the network traffic is the result of several multiplexed cyclic patterns. We propose to model this type of traffic as a Statechart of multiple DFAs. The Statechart approach is very sensitive and is able to flag anomalies such as a message appearing out of position in the normal sequence or a message referring to a single unexpected bit.

We also suggest unsupervised learning algorithms to automatically build the Statechart DFA. These algorithms identify the number of cycles and learn each of the multiplexed cyclic patterns even in cases where there are symbols that appear more than once in a cycle, or symbol overlaps between different patterns.

Finally, we developed several attack scenarios against real SCADA equipment. Our stealthy network-based attacks operate by hijacking the SCADA communication channels, manipulating the traffic so as to present the human operator with a fabricated view of the industrial process, and tricking her into taking inappropriate and damaging manual actions. All our multi-stage semantic attacks successfully fooled the operator, and brought the system to states of blackout and possible equipment damage.

An important aspect of this research is that the proposed intrusion detection approach was evaluated using real traffic from production SCADA networks. Our experiments demonstrate that the Statechart DFA anomaly detection model handles SCADA traffic patterns very well. With systems that implement this model in place, attackers are restricted to mounting only super-stealthy deception attacks like ours, and cannot mount simpler and more direct attacks without risk of detection. Thus we provide a solid basis for practical anomaly detection systems.
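
A minimal sketch of the detection idea in the abstract, added here as an illustration and not taken from the speaker's research: each cyclic pattern is one DFA, and every symbol of the multiplexed stream is routed to a DFA that expects it next. The patterns, symbol names and traffic are constructed, the patterns are written by hand rather than learned, and the first-match routing and the resynchronisation rule are assumptions of this sketch.

```python
# Added illustration; patterns and traffic are constructed, not from the research.
class CyclicDFA:
    """One cyclic pattern: state i expects pattern[i], then wraps around."""
    def __init__(self, pattern):
        self.pattern, self.pos = tuple(pattern), 0

    def expected(self):
        return self.pattern[self.pos]

    def advance(self):
        self.pos = (self.pos + 1) % len(self.pattern)

    def resync(self, symbol):
        """Move to just after the next occurrence of symbol in the cycle."""
        while self.expected() != symbol:
            self.advance()
        self.advance()

class Statechart:
    """Routes each symbol of the multiplexed stream to one of several DFAs."""
    def __init__(self, patterns):
        self.dfas = [CyclicDFA(p) for p in patterns]

    def classify(self, symbol):
        for dfa in self.dfas:          # some DFA is waiting for exactly this symbol
            if dfa.expected() == symbol:
                dfa.advance()
                return "normal"
        for dfa in self.dfas:          # known symbol, wrong place in its cycle
            if symbol in dfa.pattern:
                dfa.resync(symbol)
                return "out_of_position"
        return "unknown"               # never part of any modelled pattern

    def scan(self, stream):
        alerts = []
        for i, symbol in enumerate(stream):
            verdict = self.classify(symbol)
            if verdict != "normal":
                alerts.append((i, symbol, verdict))
        return alerts

# Constructed symbols: operation + address, e.g. "RC16" = read coil 16.
PATTERNS = [["RC16", "RR100", "RC16", "RR200"],   # RC16 occurs twice per cycle
            ["RR300", "RR301"]]
TRAFFIC = ["RC16", "RR300", "RR100", "RC16", "RR301", "RR200",   # clean, interleaved
           "RC16", "RR200",    # RR100 skipped: RR200 arrives out of position
           "RC17",             # address differs by one bit from RC16
           "RR300"]

if __name__ == "__main__":
    for alert in Statechart(PATTERNS).scan(TRAFFIC):
        print(alert)
```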

 
