1 / 25

Applying policy-based intrusion detection to scada networks

Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley). Applying policy-based intrusion detection to scada networks. Outline. Overview of Supervisory Control and Data Acquisition (SCADA) systems Implementation and threats

jamuna
Download Presentation

Applying policy-based intrusion detection to scada networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley) Applying policy-based intrusion detection to scada networks

  2. Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work

  3. Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work

  4. Motivation: SCADA • Supervisory Control and Data Acquisition • A process control system • Four main components • Sensors • Actuators • Local control loops • Plant-wide control loops • Applications: • Power plants • Oil and gas pipelines • Nuclear • Manufacturing • Next-generation SCADA • Wireless networking protocols for sensors and actuators provide new challenges • Security • Power • Link-level reliability

  5. State of Security • Prior to wireless networks • Serial links between sensors, actuators and local control loops • Wireless networks • Two methodologies • RTUs – Remote Terminal Units • Intelligent Device Nodes: Integrated control, sensors and actuation • 802.15.4 and similar • Low-power ad-hoc networks • By default, unsecured • Star configuration • Low-power direct-to-AP configuration • By default, unsecured

  6. Plant Management and Operation • Local control loops report to SCADA master • May be located offsite • Implies TCP-based connectivity • Allows off-site management of a plant or series of plants • Generally secured by enterprise-level firewall

  7. Security Risks • Transition from wired serial links to wireless • Early implementations used no encryption or security methods • Secondary modifications included a firewalled method • Primary risk is from firewall-based protection • Sensors/actuators not locally protected • If firewall is breached, or on-site access established, control loops are at risk

  8. Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work

  9. Intrusion Detection • Identification of known attack patterns • Jamming • Denial of Service • Radio interference • Injection attacks • Packet replay • Route disruption • Re-routing of traffic to alternate destination • Affects mesh-routed networks • Packet alteration • Difficult to identify • Related work • T. Roosta, S. Shieh, S. Sastry, Taxonomy of Security Attacks in Sensor Networks, 1st International IEEE Conference on System Integration and Reliability Improvements, 2006 • A. Lauf, R. A. Peters, W. H. Robinson, Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks in Elsevier Journal for Ad-Hoc Networks, submitted for review

  10. Intrusion Detection (cont’d) • Policy approach • Usage of pre-defined system-wide policies • Best for periodic systems • Optimized for deterministic data patterns • Attacks trip tolerance levels of monitored services • Hybrid approaches • Frequency detection • + • Cross-correlation approaches

  11. Proposed method • Usage of Policy-based IDS as proposed by T. Roosta[1] • Implementation of IDS in a JVM • Allows portability • Device cross-compatibility • Usage of the Tennessee Eastman plant model[2] • Simulated in MATLAB Simulink • Network simulation performed by TrueTime[3] • Direct Java interface between MATLAB and IDS • IDS to receive local UDP support [1] T. Roosta, An Intrusion Detection System for Wireless Process Control Systems [2] J. J. Downs, E. F. Vogel, A Plant-Wide Industrial Process Control Problem in Computers chem. Engng., Vol 17 No. 3 pp245-255 1993 [3] The TrueTime Project at Lund University, http://www.nt.ntnu.no/users/skoge/prost/proceedings/ifac2002/data/content/01667/1667.pdf

  12. Proposed Method (cont’d) • Policy-based IDS runs on multiple nodes • Several copies distributed to select Intelligent Device Nodes (“Field” nodes) • Copy on local Access Points (“Master” nodes) • Policies monitor several factors • “Health” packets at 15-minute intervals • Average packet size • Routing stability

  13. What is a policy? Why used? • Set of conditions and limits • Specifies normal operation • Ideal for periodic systems • Each policy covers a system aspect • Packet size • Radio power • Link stability • Policies provide specific capabilities • Determine if particular conditions met or exceeded • Can target an area more precisely than a general traffic-based IDS

  14. Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work

  15. Routing • Assuming 802.15.4 ZigBee networking between nodes • AODV mesh routing protocol • Ad Hoc On-Demand Distance Vector Routing • Reduces need for constant radio power • Creates routes as needed

  16. Application of IDS • Policy-based IDS added to several key nodes on the mesh-routed network • AP also runs instance of IDS • JVM allows device independence • Intelligent Device Nodes can run the same IDS code • Policies are dynamically allocated, revoked and updated

  17. Attack methods • No data available on proprietary plant technologies – let alone attacks • Simulation of attacks to follow logical choices • Jamming of one node • Jamming of several nodes • Packet alteration/checksum failures • Temporal disruption • Routing/link/PHY failures • Testing will consist of Simulink trial runs together with varying IDS policies

  18. IDS Structure • IDS is comprised of 4 core Java components • IDS engine/policy adherence verification • Policy management • Event management • System control • Policy management is dynamic • Instance runs on JVM, receives event data from embedded C-based monitoring applications

  19. Outline • Overview of Supervisory Control and Data Acquisition (SCADA) systems • Implementation and threats • Intrusion Detection System (IDS) for SCADA • Policy-based • Signature-based • Implementation • Mesh networking and routing protocols • IDS Structure • Testbed Scenario: Tennessee Eastman plant • Summary and future work

  20. Choosing a Plant Model • Tennessee Eastman plant model chosen as test system • Represents well-known chemical process control case • Uses “real-world” data in simulation • Provides MATLAB Simulink simulation • Can be adapted for a networked simulation • TrueTime used as network discrete event simulator • Integrates easily into existing Tennessee Eastman plant simulation • Multiple physical layer simulation methods • Can provide real-time data to IDS

  21. Example: TN Eastman Plant • Sensor/actuator systems are grouped and discretized • Discrete components are matched to Intelligent Device Nodes with networking capabilities • Certain nodes are fitted with copies of the IDS • Monitors routing, received data, sent data, packet size, frequency, health, radio power, etc. • Access Point is also fitted with a copy of the IDS

  22. AODV TrueTime implementation • Each node implements the TrueTime kernel • Capable of reading data inputs as well as routing • Sends data for consumption between nodes • Data sent to SCADA master

  23. IDS localization Local Field IDS Sensor/actuator Intelligent Device Node (1 of 6)

  24. IDS setup • Simulink sensor and actuator blocks discretized • Data routed via AODV network and TrueTime • IDS linked via MATLAB Java to selected nodes • IDS monitors events based on prescribed policies • In real-world scenario • Specialized monitor apps report to IDS via UDP • IDS runs on localized JVM Controller C Monitor C Monitor C Monitor C Monitor UDP Policies JVM IDS

  25. Summary and Future Work • Development of Routing model in progress • IDS complete • IDS instance generation in progress • Attack synthesis in progress

More Related