We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at eld stations. The tool generates alerts when suspicious and erroneous commands and sensor readings are detected. It can hence be seen as a local Intrusion Detection System, as well as a safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was directly fed into the system model. Adaptive policies are implemented in Bro, which formulate physical constraints and safety requirements and allow to check whether SCADA trac complies to these rules in real time. A case study with a real IEC-104 trac trace shows the feasibility of our approach.
|Title of host publication||5th International Symposium for ICS&SCADA Cyber Security Research (ICS-CSR 2018)|
|Place of Publication||Hamburg|
|Publisher||BCS Learning & Development Ltd.|
|Number of pages||10|
|Publication status||Published - 30 Aug 2018|
|Event||5th International Symposium for ICS & SCADA Cyber Security Research , ICS-CSR 2018 - University of Hamburg, Hamburg, Germany|
Duration: 29 Aug 2018 → 30 Aug 2018
Conference number: 5
|Conference||5th International Symposium for ICS & SCADA Cyber Security Research , ICS-CSR 2018|
|Period||29/08/18 → 30/08/18|
- Intrusion detection system
- Power distribution
Chromik, J. J., Remke, A., & Haverkort, B. R. (2018). Bro in SCADA: dynamic intrusion detection policies based on a system model. In 5th International Symposium for ICS&SCADA Cyber Security Research (ICS-CSR 2018) (pp. 112-121). Hamburg: BCS Learning & Development Ltd..