Adapting Bro into SCADA: Building a Specification-based Intrusion Detection System for the DNP3 Protocol

Title: Adapting Bro into SCADA: Building a Specification-based Intrusion Detection System for the DNP3 Protocol
Publication Type: Conference Paper
Year of Publication: 2013
Authors: Hui Lin, University of Illinois at Urbana-Champaign; Adam Slagell, University of Illinois at Urbana-Champaign; Catello Di Marino, University of Illinois at Urbana-Champaign; Zbigniew Kalbarczyk, University of Illinois at Urbana-Champaign; Ravishankar K. Iyer, University of Illinois at Urbana-Champaign
Conference Name: Eighth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW 2013)
Date Published: 01/2013
Conference Location: Oak Ridge, TN
Keywords: Bro, DNP3, From Measurements to Security Science: Data-Driven Approach, NSA SoS Lablets Materials, SCADA, science of security, specification-based intrusion detection system, UIUC
Abstract

When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols.

To achieve that goal, we propose attaching to SCADA systems a specification-based intrusion detection framework built on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro for DNP3, a network protocol widely used in the SCADA systems that operate electrical power grids. This built-in parser exposes every DNP3 network event to Bro's policy layer, so security policies that analyze SCADA-specific semantics of those events can be defined precisely. As a proof of concept, we specify a protocol validation policy that verifies that the fields extracted from network packets conform to the protocol definition. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.
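The protocol validation policy described above checks that decoded DNP3 fields obey the protocol definition, independently of any attack signature. The following is an added example, not the paper's Bro parser or policy: it re-creates that idea in plain Python so it runs without Bro, decoding the DNP3 link header, per-block CRCs, transport header and application function code (layouts per IEEE 1815), and reporting each specification violation it finds. The frames at the bottom are constructed here, not captured traffic, and the master/outstation addresses are arbitrary.

```python
"""Specification-based validation of DNP3 frames (link, transport, application headers).

Added example; not the paper's Bro DNP3 parser. It applies the same kind of
protocol-validation policy the paper describes, in Python: decode the fields,
then check them against what the DNP3 specification allows.
"""
import math
import struct
from dataclasses import dataclass, field
from typing import List, Optional

START = b"\x05\x64"  # DNP3 link-layer start bytes


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (bit-reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


# Link-layer function codes legal for a primary (PRM=1) and a secondary (PRM=0) station.
PRIMARY_LINK_FC = {0: "RESET_LINK", 1: "RESET_USER_PROCESS", 2: "TEST_LINK",
                   3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY_LINK_FC = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}
USER_DATA_FC = {3, 4}

# Application-layer function codes: requests 0x00 (CONFIRM) .. 0x21, responses 0x81 .. 0x83.
APP_REQUEST_FC = set(range(0x00, 0x22))
APP_RESPONSE_FC = {0x81, 0x82, 0x83}
APP_CONFIRM = 0x00


@dataclass
class Frame:
    length: int
    dir_from_master: bool   # DIR bit: 1 = master to outstation
    prm: bool               # PRM bit: 1 = frame from the primary (initiating) station
    link_fc: int
    dst: int
    src: int
    user_data: bytes = b""
    app_fc: Optional[int] = None
    violations: List[str] = field(default_factory=list)


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Encode a link frame: 10-byte header plus 16-byte data blocks, each followed by its CRC."""
    hdr = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dst, src)
    out = hdr + struct.pack("<H", crc_dnp(hdr))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


def parse_and_validate(raw: bytes) -> Frame:
    """Decode one frame and return it together with every specification violation found."""
    if len(raw) < 10 or raw[:2] != START:
        return Frame(0, False, False, 0, 0, 0, violations=["link: missing start bytes or short header"])
    length, ctrl = raw[2], raw[3]
    dst, src, hdr_crc = struct.unpack("<HHH", raw[4:10])
    fr = Frame(length, bool(ctrl & 0x80), bool(ctrl & 0x40), ctrl & 0x0F, dst, src)
    if crc_dnp(raw[:8]) != hdr_crc:
        fr.violations.append("link: header CRC mismatch")
        return fr
    user_len = length - 5  # length byte counts CTRL, DST, SRC and user data, not CRCs
    if not 0 <= user_len <= 250:
        fr.violations.append(f"link: length byte {length} outside 5..255")
        return fr
    expected = 10 + user_len + 2 * math.ceil(user_len / 16)
    if len(raw) != expected:
        fr.violations.append(f"link: frame has {len(raw)} bytes, length byte implies {expected}")
        return fr
    table = PRIMARY_LINK_FC if fr.prm else SECONDARY_LINK_FC
    if fr.link_fc not in table:
        fr.violations.append(f"link: function code {fr.link_fc} undefined for PRM={int(fr.prm)}")
    # Verify and strip the per-block CRCs to recover the transport/application payload.
    pos, data = 10, bytearray()
    for i in range(0, user_len, 16):
        n = min(16, user_len - i)
        block = raw[pos:pos + n]
        crc = struct.unpack("<H", raw[pos + n:pos + n + 2])[0]
        if crc_dnp(block) != crc:
            fr.violations.append(f"link: data block CRC mismatch at offset {pos}")
            return fr
        data += block
        pos += n + 2
    fr.user_data = bytes(data)
    if user_len and fr.link_fc not in USER_DATA_FC:
        fr.violations.append("link: user data carried by a non-USER_DATA link function")
    if user_len == 0:
        return fr
    # Transport header: FIN (bit 7), FIR (bit 6), SEQ (bits 0-5); the application header follows a FIR segment.
    transport = fr.user_data[0]
    if transport & 0x40 and user_len >= 3:
        fr.app_fc = fr.user_data[2]
        _check_application(fr, user_len)
    return fr


def _check_application(fr: Frame, user_len: int) -> None:
    """Policy: the application function code must be defined and consistent with the frame direction."""
    fc = fr.app_fc
    if fc in APP_RESPONSE_FC:
        if fr.dir_from_master:
            fr.violations.append(f"app: response code 0x{fc:02x} sent in master-to-outstation direction")
        if user_len < 5:
            fr.violations.append("app: response lacks the 2-byte Internal Indications field")
    elif fc in APP_REQUEST_FC:
        if fc != APP_CONFIRM and not fr.dir_from_master:  # CONFIRM is legal from either side
            fr.violations.append(f"app: request code 0x{fc:02x} sent in outstation-to-master direction")
    else:
        fr.violations.append(f"app: undefined function code 0x{fc:02x}")


# Constructed samples (not captured traffic); master address 1024, outstation address 1 are arbitrary.
READ_CLASS1 = build_frame(0xC4, 1, 1024, b"\xc0\xc0\x01\x3c\x02\x06")   # READ group 60 var 2, qualifier 0x06
RESPONSE_OK = build_frame(0x44, 1024, 1, b"\xc0\xc0\x81\x00\x00")       # RESPONSE with IIN = 0x0000
SPOOFED_RESPONSE = build_frame(0xC4, 1, 1024, b"\xc0\xc0\x81\x00\x00")  # response code in master direction
BAD_LINK_FC = build_frame(0xC5, 1, 1024, b"")                           # primary link FC 5 is undefined
TAMPERED = READ_CLASS1[:12] + b"\x05" + READ_CLASS1[13:]                # READ changed to DIRECT_OPERATE, stale CRC

if __name__ == "__main__":
    for name, raw in [("READ_CLASS1", READ_CLASS1), ("RESPONSE_OK", RESPONSE_OK),
                      ("SPOOFED_RESPONSE", SPOOFED_RESPONSE), ("BAD_LINK_FC", BAD_LINK_FC),
                      ("TAMPERED", TAMPERED)]:
        print(name, parse_and_validate(raw).violations or "ok")
```

The direction check is the kind of semantic rule a signature-based IDS cannot express: a frame whose link header says "from master" but whose application header carries a response code is syntactically valid DNP3, yet contradicts the specification and is worth an alert. Object-header validation (group/variation/qualifier combinations) would be the natural next policy layer on top of this.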

Citation Key: node-32225