Visible to the public Deep Packet Inspection in Industrial Automation Control System to Mitigate Attacks Exploiting Modbus/TCP Vulnerabilities

TitleDeep Packet Inspection in Industrial Automation Control System to Mitigate Attacks Exploiting Modbus/TCP Vulnerabilities
Publication TypeConference Paper
Year of Publication2020
AuthorsNyasore, O. N., Zavarsky, P., Swar, B., Naiyeju, R., Dabra, S.
Conference Name2020 IEEE 6th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS)
Keywordsattack mitigation, command injection attacks, composability, deep packet inspection, denial of service attack, DPI capabilities, DPI industrial firewall, firewalls, gas turbine operation, IDPS, IDPS-Snort, industrial automation control system, industrial automation control systems, industrial control, industrial control and automation system security, industrial control systems, industrial firewall, information assurance, Intrusion detection, Intrusion Detection and Prevention System, IP networks, malicious parameter command injection, Modbus TCP/IP protocol, Modbus-TCP vulnerability, Modbus/TCP, Networked Control Systems Security, Predictive Metrics, prevention systems, pubcrawl, real-time communication, refinery control, Resiliency, Scalability, transport protocols

Modbus TCP/IP protocol is a commonly used protocol in industrial automation control systems, systems responsible for sensitive operations such as gas turbine operation and refinery control. The protocol was designed decades ago with no security features in mind. Denial of service attack and malicious parameter command injection are examples of attacks that can exploit vulnerabilities in industrial control systems that use Modbus/TCP protocol. This paper discusses and explores the use of intrusion detection and prevention systems (IDPS) with deep packet inspection (DPI) capabilities and DPI industrial firewalls that have capability to detect and stop highly specialized attacks hidden deep in the communication flow. The paper has the following objectives: (i) to develop signatures for IDPS for common attacks on Modbus/TCP based network architectures; (ii) to evaluate performance of three IDPS - Snort, Suricata and Bro - in detecting and preventing common attacks on Modbus/TCP based control systems; and (iii) to illustrate and emphasize that the IDPS and industrial firewalls with DPI capabilities are not preventing but only mitigating likelihood of exploitation of Modbus/TCP vulnerabilities in the industrial and automation control systems. The results presented in the paper illustrate that it might be challenging task to achieve requirements on real-time communication in some industrial and automation control systems in case the DPI is implemented because of the latency and jitter introduced by these IDPS and DPI industrial firewall.

Citation Keynyasore_deep_2020