2003
DOI: 10.1007/978-3-540-45215-7_14

Safeguarding SCADA Systems with Anomaly Detection

Abstract: This paper will show how the accuracy and security of SCADA systems can be improved by using anomaly detection to identify bad values caused by attacks and faults. The performance of invariant induction and n-gram anomaly-detectors will be compared and this paper will also outline plans for taking this work further by integrating the output from several anomaly-detecting techniques using Bayesian networks. Although the methods outlined in this paper are illustrated using the data from an electricity network, thi…

citations
Cited by 68 publications
(47 citation statements)
references
References 13 publications
“…The system is validated using 2 weeks of data from a real water treatment facility. The data was captured in the context of the Hermes, Castor and Midas projects 4, which also supported the work described in this thesis.

Table 4.2: Overview of surveyed IDS approaches
[20] | network | anomaly | testbed | aware
Carcano et al [28,29,59] | network | anomaly | simulation | aware
Cárdenas et al [31] | network | anomaly | simulation | aware
Cheung et al [37] | network | anomaly | testbed | unaware
D'Antonio et al [45] | network | anomaly | none | unaware
Di Santo et al [49] | network | anomaly | simulation | aware
Düssel et al [51] | network | anomaly | measurement | unaware
Goldenberg and Wool [62] | network | anomaly | measurement | unaware
Gonzalez and Papa [64] | network | anomaly | testbed | unaware
Hadeli et al [69] | network | anomaly | testbed | unaware
Hadiosmanovic et al [70] | host | anomaly | measurement | unaware
Hoeve [76] | network | anomaly | testbed | unaware
Linda et al [99] | network | anomaly | testbed | unaware
McEvoy and Wolthusen [105] | network | anomaly | simulation | aware
Oman and Phillips [116] | network | anomaly | none | unaware
Premaratne et al [122] | network | signature | testbed | unaware
Rrushi et al [125,126] | network | anomaly | none | aware
Valdes and Cheung [145] | network | anomaly | testbed | unaware
Xiao et al [151] | network | anomaly | none | aware
Yang et al [152] | host | anomaly | testbed | unaware…”
Section: Host/anomaly Based (mentioning)
confidence: 99%
“…To the best of our knowledge, Bigham et al [20] was the first work to suggest the use of process level information in the context of intrusion detection. This work describes two methods to detect anomalies based on network measurements.…”
Section: Process-aware Approaches (mentioning)
confidence: 99%
“…For example, fingerprint the details of ICS field controllers [81,99], analyse field measurements to perform state estimation [23,69], monitor system functionality from network protocol [45].…”
Section: Change Management (mentioning)
confidence: 99%
“…Process-related attacks typically cannot be detected by observing network traffic or protocol specifications in the system. We argue that to detect such attacks one needs to analyse data passing through the system [18,23] and include a semantic understanding of user actions. Bigham et al [23] use periodical snapshots of power load readings in a power grid system to detect if a specific load snapshot significantly varies from expected proportions.…”
Section: Related Work (mentioning)
confidence: 99%