ABSTRACT
Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low-cost solution and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail to detect attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading the legacy devices that are commonplace in ICSs. In this paper we aim to overcome these challenges through the combination of a passive network monitoring approach and selective active monitoring based on attack vectors specific to an ICS context. We present the implementation of our IDS, SENAMI, for use with Siemens S7 devices. We evaluate the effectiveness of SENAMI in a comprehensive testbed environment, demonstrating the validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reach recall values greater than 0.96, indicating few attack scenarios generating false negatives.
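The abstract's central point is that passive traffic observation and a small amount of active polling catch different things. The following toy model is an added illustration, not SENAMI's code or its actual algorithm: it assumes constructed S7-like event tuples, a simulated poll function standing in for a real read from the PLC, and a hand-picked "sentinel" variable set to keep the active side cheap.

```python
"""Illustrative model of passive monitoring plus selective active polling.
Constructed example; it does not reproduce SENAMI's own implementation."""
from dataclasses import dataclass, field


@dataclass
class PassiveMonitor:
    """Learns which hosts legitimately write each PLC variable and records the
    value the HMI last received, both taken purely from captured traffic."""
    allowed_writers: dict = field(default_factory=dict)  # var -> set of hosts
    last_seen: dict = field(default_factory=dict)        # var -> value in traffic
    alerts: list = field(default_factory=list)

    def learn(self, src, var):
        self.allowed_writers.setdefault(var, set()).add(src)

    def observe(self, pkt):
        src, op, var, value = pkt
        if op == "write" and src not in self.allowed_writers.get(var, set()):
            self.alerts.append(("unexpected-writer", src, var))
        if op == "read_resp":
            self.last_seen[var] = value


def active_check(monitor, poll, sentinel_vars):
    """Selective active monitoring: read only a few sentinel variables directly
    from the device and compare them with what the HMI was shown on the wire.
    A mismatch is the case passive monitoring alone cannot see."""
    for var in sentinel_vars:
        device_value = poll(var)
        if var in monitor.last_seen and device_value != monitor.last_seen[var]:
            monitor.alerts.append(("value-mismatch", var, monitor.last_seen[var], device_value))
    return monitor.alerts


def demo():
    # Constructed baseline and traffic: (source host, operation, variable, value)
    baseline = [("hmi", "write", "DB1.DBW0", 500), ("eng", "write", "DB1.DBW2", 1)]
    m = PassiveMonitor()
    for src, _, var, _ in baseline:
        m.learn(src, var)
    traffic = [
        ("hmi", "write", "DB1.DBW0", 500),
        ("plc", "read_resp", "DB1.DBW0", 500),  # HMI still sees 500
        ("rogue", "write", "DB1.DBW2", 0),      # visible to the passive side
    ]
    for pkt in traffic:
        m.observe(pkt)
    # Simulated device state: DB1.DBW0 differs from what the traffic reported
    device = {"DB1.DBW0": 900, "DB1.DBW2": 0}
    return active_check(m, device.get, sentinel_vars=["DB1.DBW0"])
```

Running `demo()` yields one alert from each side: the passive monitor flags the unexpected writer, and the single active poll exposes the value mismatch that never appeared in the captured traffic.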
TITLE
SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection