Adapting bro into SCADA: Building a specification-based intrusion detection system for the DNP3 protocol

Hui Lin, Adam J Slagell, Catello Di Martino, Zbigniew T Kalbarczyk, Ravishankar K Iyer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols. To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.

Original language: English (US)
Title of host publication: 8th Annual Cyber Security and Information Intelligence Research Workshop
Subtitle of host publication: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013
State: Published - Apr 15 2013
Event: 8th Annual Cyber Security and Information Intelligence Research Workshop: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013 - Oak Ridge, TN, United States
Duration: Jan 8 2013 to Jan 10 2013

Publication series

Name: ACM International Conference Proceeding Series

Other

Other: 8th Annual Cyber Security and Information Intelligence Research Workshop: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013
Country: United States
City: Oak Ridge, TN
Period: 1/8/13 to 1/10/13

Keywords

  • Bro
  • DNP3
  • SCADA
  • Specification-based intrusion detection system

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Lin, H., Slagell, A. J., Di Martino, C., Kalbarczyk, Z. T., & Iyer, R. K. (2013). Adapting bro into SCADA: Building a specification-based intrusion detection system for the DNP3 protocol. In 8th Annual Cyber Security and Information Intelligence Research Workshop: Federal Cyber Security R and D Program Thrusts, CSIIRW 2013 [5] (ACM International Conference Proceeding Series). https://doi.org/10.1145/2459976.2459982