Applying Policy-Based Intrusion Detection to SCADA Networks
Adrian P. Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai, Vanderbilt University Institute for Software Integrated Systems
Tanya Roosta, UC Berkeley
November 11, 2008

Project Description
• Security scenario: a SCADA process control system in a chemical plant consists of wireless sensors and actuators
• Sensors and actuators form discrete devices
• Devices are mesh-networked
• The unsecured setup provides no security beyond a firewall
• Objective: develop an intrusion detection system (IDS) capable of monitoring conditions on the mesh-routed network
• Use pre-defined policies to identify when network traffic and content are non-compliant
• Use distributed IDS instances across the network for improved identification
• Identify various classes of intrusions

The Tennessee Eastman Plant
• MATLAB/Simulink implementation of a well-documented chemical process control system
• Identification of the key sensor/actuator blocks involved in the control aspect
• Grouping of sensor/actuator blocks into discrete network-enabled nodes
• Nodes can perform data acquisition, control, and routing
• 802.15.4 protocol used for wireless data
• AODV routing for link-level stability and reduced radio traffic

SCADA network
• Individual nodes tasked with performing data acquisition and routing
• Select nodes outfitted with IDS
• Access point also outfitted with IDS
[Figure: SCADA network diagram; legend marks the IDS-enabled nodes]

IDS Architecture
• Implemented as a discrete event monitoring system with policy advising
• Core IDS event logging implemented in Java
• Events recorded to individual logging tables managed by an Event Manager
• Policies apply directly to single or multiple event tables
• Events are fed to the IDS via C-based monitoring applications, because the JVM has no access to kernel- and driver-level OS functionality
• Device-specific monitoring applications written in C return event notifications to the IDS
• Notifications are sent over a local UDP connection, which permits flexibility of device-specific implementations

IDS Operation
• Statistics gathered by monitors are aggregated in event tables
• Policies are analyzed against the data in the tables
• Exceptions are noted and reported
• Attack types:
  • Jamming (detect radio power utilization)
  • Packet data alteration
  • Packet replay attacks
  • Routing failures (redirection)
  • Command injection
  • Authentication failures

[Figure: Abstraction Levels]
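The IDS operation sketched above (C monitors sending notifications over local UDP, an Event Manager filing them into per-type event tables, policies evaluated against the tables, exceptions reported) as an added example. This is illustrative code written for this page, not the Vanderbilt project's Java IDS or its C monitors; the key=value datagram format, the event types (radio, rx, cmd, auth), the UDP port, the thresholds, the controller set and the per-node command allow-list are all assumptions, and the sample datagrams are constructed rather than captured traffic. It covers four of the poster's six attack classes (jamming, replay, command injection, authentication failures); alteration and routing redirection would need per-packet integrity data and the AODV route tables that this sketch does not model.

```python
import socket
from collections import defaultdict

# Assumed notification format: space-separated key=value pairs, one event
# per datagram, e.g. b"type=rx node=3 src=1 seq=41".
INT_FIELDS = ("node", "src", "seq", "noise")

class EventManager:
    """Files each monitor event into the logging table named by its type."""
    def __init__(self):
        self.tables = defaultdict(list)

    def ingest(self, datagram):
        ev = dict(kv.split("=", 1) for kv in datagram.decode().split())
        for k in INT_FIELDS:
            if k in ev:
                ev[k] = int(ev[k])
        self.tables[ev["type"]].append(ev)
        return ev

    def serve(self, port=5140, max_events=None):
        """Receive notifications from local C monitors over UDP (port is assumed)."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", port))
        received = 0
        while max_events is None or received < max_events:
            data, _ = sock.recvfrom(4096)
            self.ingest(data)
            received += 1
        sock.close()

# Policy parameters: assumptions standing in for the plant's configuration.
CONTROLLERS = {1}                                   # nodes permitted to issue commands
ALLOWED_CMDS = {3: {"SET_VALVE", "READ_TEMP"}, 7: {"READ_FLOW"}}
NOISE_DBM = -70                                     # noise floor above this is suspicious
JAM_SAMPLES = 3                                     # consecutive noisy samples -> jamming
AUTH_FAIL_LIMIT = 3

def policy_jamming(tables):
    """Jamming: sustained radio noise floor above the threshold at one node."""
    streak, out = defaultdict(int), []
    for ev in tables["radio"]:
        streak[ev["node"]] = streak[ev["node"]] + 1 if ev["noise"] > NOISE_DBM else 0
        if streak[ev["node"]] == JAM_SAMPLES:
            out.append(f"jamming: node {ev['node']} noise > {NOISE_DBM} dBm "
                       f"for {JAM_SAMPLES} samples")
    return out

def policy_replay(tables):
    """Replay: the same (source, sequence number) pair received twice."""
    seen, out = set(), []
    for ev in tables["rx"]:
        key = (ev["src"], ev["seq"])
        if key in seen:
            out.append(f"replay: src {ev['src']} seq {ev['seq']} repeated at node {ev['node']}")
        seen.add(key)
    return out

def policy_command_injection(tables):
    """Command injection: command from a non-controller, or not allowed on the target."""
    out = []
    for ev in tables["cmd"]:
        if ev["src"] not in CONTROLLERS:
            out.append(f"command injection: node {ev['src']} is not a controller "
                       f"({ev['cmd']} to node {ev['node']})")
        elif ev["cmd"] not in ALLOWED_CMDS.get(ev["node"], set()):
            out.append(f"command injection: {ev['cmd']} not permitted on node {ev['node']}")
    return out

def policy_auth_failures(tables):
    """Authentication failures: repeated failures from one source node."""
    fails, out = defaultdict(int), []
    for ev in tables["auth"]:
        if ev["result"] == "fail":
            fails[ev["src"]] += 1
            if fails[ev["src"]] == AUTH_FAIL_LIMIT:
                out.append(f"auth: {AUTH_FAIL_LIMIT} failures from node {ev['src']}")
    return out

POLICIES = [policy_jamming, policy_replay, policy_command_injection, policy_auth_failures]

def evaluate(manager):
    """Run every policy against the event tables; return the exceptions raised."""
    return [exc for policy in POLICIES for exc in policy(manager.tables)]

# Constructed sample notifications (not captured traffic).
SAMPLE_DATAGRAMS = [
    b"type=radio node=3 noise=-85",
    b"type=radio node=3 noise=-60",
    b"type=radio node=3 noise=-55",
    b"type=radio node=3 noise=-58",          # third noisy sample in a row
    b"type=rx node=3 src=1 seq=41",
    b"type=rx node=3 src=1 seq=42",
    b"type=rx node=3 src=1 seq=41",          # replayed frame
    b"type=cmd node=3 src=1 cmd=SET_VALVE",  # legitimate
    b"type=cmd node=7 src=1 cmd=SET_VALVE",  # not permitted on node 7
    b"type=cmd node=3 src=9 cmd=SET_VALVE",  # node 9 is not a controller
    b"type=auth node=3 src=9 result=fail",
    b"type=auth node=3 src=9 result=fail",
    b"type=auth node=3 src=9 result=fail",   # third failure
]

def run_sample():
    """Feed the constructed datagrams through the manager and evaluate policies."""
    mgr = EventManager()
    for d in SAMPLE_DATAGRAMS:
        mgr.ingest(d)
    return evaluate(mgr)

if __name__ == "__main__":
    for exc in run_sample():
        print(exc)
```

Run stand-alone it reports five exceptions: one jamming, one replay, two command injections and one authentication-failure streak. Keeping policies as plain functions over the tables, rather than inline checks in the receive path, is what lets the same policy be applied to one or several event tables and lets an IDS-enabled node and the access point run different policy sets over the same monitor feed.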