Flow whitelisting in SCADA networks

Abstract: Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four prop… Show more

“…Alg. 1 l. [1][2][3][4][5][6][7][8][9][10][11][12][13][14], processing its events. S2 extracts the attributes of an event and stores them in variable 'State DT M C ' (c.f.…”

“…6 For validation we use the same traffic capture mentioned in Section 3.3. This data was split into two parts of 5 days each.…”

“…The other half is used for detecting anomalies by comparing the model obtained from the remaining (testing) trace with the training traffic model. Due to the regularity of SCADA traffic the amount of data should be enough to 6 The code used to modify the traces is available on github https://github.com/penc4ke/manipulateTraces.git. (1) 11 (1) 19 (1) 11 (1) 11 (1) 14 (1) 11 (1) capture all relevant events.…”

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

“…Alg. 1 l. [1][2][3][4][5][6][7][8][9][10][11][12][13][14], processing its events. S2 extracts the attributes of an event and stores them in variable 'State DT M C ' (c.f.…”

“…6 For validation we use the same traffic capture mentioned in Section 3.3. This data was split into two parts of 5 days each.…”

“…The other half is used for detecting anomalies by comparing the model obtained from the remaining (testing) trace with the training traffic model. Due to the regularity of SCADA traffic the amount of data should be enough to 6 The code used to modify the traces is available on github https://github.com/penc4ke/manipulateTraces.git. (1) 11 (1) 19 (1) 11 (1) 11 (1) 14 (1) 11 (1) capture all relevant events.…”

Intrusion Detection for Sequence-Based Attacks with Reduced Traffic Models

“…Cheung et al [7], Goldenberg et al [11] and Morris et al [14] have developed intrusion detection systems for industrial control networks that use the Modbus protocol. Barbosa et al [2] have used flow whitelists to describe legitimate traffic based on the properties of network packets. However, the research described in this chapter differs from these and other efforts in that it focuses on system-level characteristics.…”

Industrial Control System Fingerprinting and Anomaly Detection

“…Most SCADA systems generally tend to have static topologies, a limited number of application protocols and regular communication patterns [6] [7].…”

Cyber threats and defence approaches in SCADA systems