TY - GEN
T1 - Adapting Bro into SCADA
T2 - 8th Annual Cyber Security and Information Intelligence Research Workshop: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013
AU - Lin, Hui
AU - Slagell, Adam J
AU - Di Martino, Catello
AU - Kalbarczyk, Zbigniew T
AU - Iyer, Ravishankar K
PY - 2013
Y1 - 2013
N2 - When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols. To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.
KW - Bro
KW - DNP3
KW - SCADA
KW - Specification-based intrusion detection system
UR - http://www.scopus.com/inward/record.url?scp=84875967976&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84875967976&partnerID=8YFLogxK
U2 - 10.1145/2459976.2459982
DO - 10.1145/2459976.2459982
M3 - Conference contribution
AN - SCOPUS:84875967976
SN - 9781450316873
T3 - ACM International Conference Proceeding Series
BT - 8th Annual Cyber Security and Information Intelligence Research Workshop
Y2 - 8 January 2013 through 10 January 2013
ER -