Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

Lin, Chih‐Yuan; Nadjm‐Tehrani, Simin

doi:10.1145/3198458.3198460

Cited by 29 publications

(14 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, the procedure to deploy an IDS on the SCADA network is not so different from the deployment on general TCP/IP networks. Nevertheless, before building and deploying an IDS on SCADA network, we have to know normal patterns of TCP data packets that contain SCADA protocol packets before understanding the data packet that contains an attack packet as proposed by Lin et al [8] in understanding IEC 104 traffic patterns and Hodo et al [9] for anomalies in the SCADA system on the IEC 104 protocol. Subsection 3.1 discusses details of security holes in the five crucial points in Figure 2 that are used as a backdoor to exploit the SCADA system, subsection 3.2 discusses how the IDS alarm sensors are set up on those five points, so the IDS can work efficiently and accurately for detecting anomalies in the system SCADA networks and subsection 3.3 proposes a model for a future study to generate reliable IDS in the SCADA system.…”

Section: Security Analysismentioning

confidence: 99%

See 1 more Smart Citation

The trends of supervisory control and data acquisition security challenges in heterogeneous networks

Arifin

Susanto²,

Stiawan

et al. 2021

IJEECS

View full text Add to dashboard Cite

<p>Supervisory control and data acquisition (SCADA) has an important role in communication between devices in strategic industries such as power plant grid/network. Besides, the SCADA system is now open to any external heterogeneous networks to facilitate monitoring of industrial equipment, but this causes a new vulnerability in the SCADA network system. Any disruption on the SCADA system will give rise to a dangerous impact on industrial devices. Therefore, deep research and development of reliable intrusion detection system (IDS) for SCADA system/network is required. Via a thorough literature review, this paper firstly discusses current security issues of SCADA system and look closely benchmark dataset and SCADA security holes, followed by SCADA traffic anomaly recognition using artificial intelligence techniques and visual traffic monitoring system. Then, touches on the encryption technique suitable for the SCADA network. In the end, this paper gives the trend of SCADA IDS in the future and provides a proposed model to generate a reliable IDS, this model is proposed based on the investigation of previous researches. This paper focuses on SCADA systems that use IEC 60870-5-104 (IEC 104) protocol and distributed network protocol version 3 (DNP3) protocol as many SCADA systems use these two protocols.</p>

show abstract

Section: Security Analysismentioning

confidence: 99%

“…Research work that aims to study the traffic data in the SCADA system have been carried out by [8]. The researchers investigate the normal traffic of the international electrotechnical commission (IEC) 104 protocol in the SCADA system.…”

Section: Introductionmentioning

confidence: 99%

The trends of supervisory control and data acquisition security challenges in heterogeneous networks

Arifin

Susanto²,

Stiawan

et al. 2021

IJEECS

View full text Add to dashboard Cite

show abstract

“…As such, we further analyzed this particular type of Per/Cyl COT from O30, and found that O30 transmitted these same 37 IOAs every 10 seconds. Periodic transmission of data as seen by this event can be essential in modeling intrusion detecting system, which have been proposed previously by several papers [1], [2], [6].…”

Section: Analysis Of I-format Packetsmentioning

confidence: 99%

“…To our best knowledge, this paper presents the first measurement study of a real-world IEC 104 network used for coordinating AGC in a live system. All previous studies of IEC 104 have been done either with emulated networks or testbeds [6], [7].…”

Section: Introductionmentioning

confidence: 99%

IEC 60870-5-104 Network Characterization of a Large-Scale Operational Power Grid

Mai

Qin

Silva

et al. 2019

2019 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

Modern SCADA systems are interconnected with one or more industrial network protocols such as DNP3, Modbus/TCP, Ethernet/IP, and IEC 60870-5-104 (IEC 104). IEC 104 is a particularly important protocol because it is one of the network protocols used for Automatic Generation Control (AGC), which is the algorithm that maintains electric power balance across large geographical areas. In this work, we focus on an empirical study and observation of a real-world, large scale IEC 104 power network.

show abstract

“…By using entropy in Equation 1, which measures the amount of disorder in the observed data, and taking into account the peculiarities of traffic pattern in SCADA systems, it is possible to detect even small deviations from the reference state, and to differentiate regular behavior from that when under attack. Furthermore, the particular characteristics of the SCADA-generated traffic, specifically its periodic shape [12], allow us to retain the observation data from one normal day for a long time, without the need for frequent updates and recalculation of the reference probability distribution Q(x).…”

Section: B Distributed Statistical Sdn-agents For Attack Detectionmentioning

confidence: 99%

Softwarization of SCADA: Lightweight Statistical SDN-Agents for Anomaly Detection

Rinaldi

Adamsky

Soua

et al. 2019

2019 10th International Conference on Networks of the Future (NoF)

View full text Add to dashboard Cite

The increasing connectivity of restricted areas such as Critical Infrastructures (CIs) raises major security concerns for Supervisory Control And Data Acquisition (SCADA) systems, which are deployed to monitor their operation. Given the importance of an early anomaly detection, Intrusion Detection Systems (IDSs) are introduced in SCADA systems to detect malicious activities as early as possible. Agents or probes form the cornerstone of any IDS by capturing network packets and extracting relevant information. However, IDSs are facing unprecedented challenges due to the escalation in the number, scale and diversity of attacks. Software-Defined Network (SDN) then comes into play and can provide the required flexibility and scalability. Building on that, we introduce Traffic Agent Controllers (TACs) that monitor SDNenabled switches via OpenFlow. By using lightweight statistical metrics such as Kullback-Leibler Divergence (KLD), we are able to detect the slightest anomalies, such as stealth port scans, even in the presence of background traffic. The obtained metrics can also be used to locate the anomalies with precision over 90% inside a hierarchical network topology.

show abstract

Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

Cited by 29 publications

References 12 publications

The trends of supervisory control and data acquisition security challenges in heterogeneous networks

The trends of supervisory control and data acquisition security challenges in heterogeneous networks

IEC 60870-5-104 Network Characterization of a Large-Scale Operational Power Grid

Softwarization of SCADA: Lightweight Statistical SDN-Agents for Anomaly Detection

Contact Info

Product

Resources

About