A Practical flow white list approach for SCADA systems

Lemay, Antoine; Rochon, Jonathan; Fernandez, José M.

doi:10.14236/ewic/ics2016.4

Cited by 4 publications

(4 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This list can be preconfigured based on the knowledge of legitimate nodes and communication in the network, and/or configured dynamically based on the result of monitoring traffic by switches in the network. The papers [38]- [41] elaborate the network flow-aware anomaly detection approach.…”

Section: G Attack Analysismentioning

confidence: 99%

Keeping Host Sanity for Security of the SCADA Systems

Lee

Hong

2020

IEEE Access

View full text Add to dashboard Cite

Cyber attacks targeting the Supervisory Control and Data Acquisition (SCADA) systems are becoming more complex and more intelligent. Currently proposed security measures for the SCADA systems come under three categories: physical/logical network separation, communication message security, and security monitoring. However, the recent malwares which were used successfully to disrupt the critical systems show that these security strategies are necessary, but not sufficient to defend these malwares. The malware attacks on the SCADA system exploit weaknesses of host system software environment and take over the control of host processes in the SCADA system. In this paper, we explain how the malware interferes in the important process logics, and invades the SCADA host process by using Dynamic Link Library (DLL) Injection. As a security measure, we propose an algorithm to block DLL Injection efficiently, and show its effectiveness of defending real world malwares using DLL Injection technique by implementing as a library and testing against several DLL Injection scenarios. It is expected that this approach can prevent all the hosts in the SCADA system from being taken over by this kind of malicious attacks, consequently keeping its sanity all the time. INDEX TERMS SCADA security, malware, DLL injection, code injection, host system security. I. INTRODUCTION The Supervisory Control and Data Acquisition (SCADA), more broadly the Industrial Control System (ICS), is a system to monitor and control geographically distributed large-scale process field devices. The cyber attacks on the SCADA/ICS systems are considered severe threats for the critical industrial facilities like power grid due to their catastrophic impact on industry development and social safety. For this reason, to maintain the health and sanity of the SCADA/ICS system against cyber attacks poses daunting challenges. All security measures which have been considered and published for the SCADA/ICS systems can be classified into three categories: physical/logical network separation, communication message security, and security monitoring [1]. Network separation is based on the concept of Defense in Depth [2], [3]. The logical separation is to separate a SCADA/ICS network into several segmented zones or domains depending on criticality or functionality. The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.

show abstract

Section: G Attack Analysismentioning

confidence: 99%

Keeping Host Sanity for Security of the SCADA Systems

Lee

Hong

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…SCADA networks have very predictable patterns compared to the IT network. [18] In the IT network, it is not possible to completely predict a list of allowable communication paths. A large portion of the traffic occurring in the IT network is involved in human actions, leading to dynamic traffic patterns.…”

Section: Intrusion Detection System(ids) For Scada Systemsmentioning

confidence: 99%

Direction of Security Monitoring for Substation Automation Systems

Hong¹,

Lee²

2019

World Congress on Electrical Engineering and Computer Systems and Science

View full text Add to dashboard Cite

All security measures which have been proposed ultimately come under three security strategies: network separation, communication message security, and security monitoring. However, considering the recent sophisticated attacks against SCADA/ICS systems, these security strategies cannot provide sufficient security measures. These attacks try to hijack or take control of host systems, control servers and eventually control devices, once they penetrate the networks in one way or another. Their attack vectors are the vulnerabilities of the software underlying the host systems. The attack was realized by injecting malicious codes into legitimate process memory and executing the malicious codes in the context of a legitimate process, and eventually cause malfunction of field devices. In this respect, we need a security measure running on host systems which can provide the process and file protection related to legitimate usage of memory ranges and file paths. The measure can provide a holistic security strategy for SCADA systems including substation automation systems.

show abstract

“…When evaluated on real SCADA datasets, legitimate flows absent from the learning generate most of the false alarms, but little is said on how to resolve this problem. Lemay et al (2016) show that ICS whitelists can be transformed into rulesets for Snort.…”

Section: Sdn For Intrusion Detection and Ics Securitymentioning

confidence: 99%

“…For these reasons, network-based intrusion detection has attracted the interest of researchers and different approaches have been described in the literature. One of them is the usage of whitelisting (Cheung et al 2007;Barbosa et al 2013;Lemay et al 2016). Whitelists describe permitted operations and exploit the fact that almost everything is automated in ICS such that traffic characteristics and topologies are stable (R. R. R. Barbosa and R. Sadre and A. Pras 2012).…”

Section: Introductionmentioning

confidence: 99%

A Two-level Intrusion Detection System for Industrial Control System Networks using P4

Ndonda

Sadre

2018

Electronic Workshops in Computing

View full text Add to dashboard Cite

The increasing number of attacks against Industrial Control Systems (ICS) have shown the vulnerability of these systems. Many ICS network protocols have no security mechanism and the requirements on high availability and real-time communication make it challenging to apply intrusive security measures. In this paper, we propose a two-level intrusion detection system for ICS networks based on Software Defined Networking (SDN). The first level consists of flow and Modbus whitelists, leveraging P4 for efficient real-time monitoring. The second level is a deep packet inspector communicating with an SDN controller to update the whitelists of the first level. We show by experiments in an emulated environment that our design has only a small impact on communication latencies in the ICS and is efficient against Modbus/TCP oriented attacks.

show abstract

A Practical flow white list approach for SCADA systems

Cited by 4 publications

References 2 publications

Keeping Host Sanity for Security of the SCADA Systems

Keeping Host Sanity for Security of the SCADA Systems

Direction of Security Monitoring for Substation Automation Systems

A Two-level Intrusion Detection System for Industrial Control System Networks using P4

Contact Info

Product

Resources

About