Bro in SCADA: dynamic intrusion detection policies based on a system model

Justyna J. Chromik, Anne Remke, Boudewijn R. Haverkort


    Abstract

    We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious or erroneous commands and sensor readings are detected. It can hence be seen both as a local Intrusion Detection System and as a safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was fed directly into the system model. Adaptive policies are implemented in Bro; these formulate physical constraints and safety requirements and allow checking in real time whether SCADA traffic complies with these rules. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.
    Original language: English
    Title of host publication: 5th International Symposium for ICS & SCADA Cyber Security Research (ICS-CSR 2018)
    Place of publication: Hamburg
    Publisher: BCS Learning & Development Ltd.
    Pages: 112-121
    Number of pages: 10
    ISBN (Print): 978-1-78017-454-9
    Publication status: Published - 30 Aug 2018
    Event: 5th International Symposium for ICS & SCADA Cyber Security Research, ICS-CSR 2018 - University of Hamburg, Hamburg, Germany
    Duration: 29 Aug 2018 to 30 Aug 2018
    Conference number: 5
    http://www.ics-csr.com/

    Conference

    Conference: 5th International Symposium for ICS & SCADA Cyber Security Research, ICS-CSR 2018
    Abbreviated title: ICS-CSR
    Country: Germany
    City: Hamburg
    Period: 29/08/18 to 30/08/18
    Internet address: http://www.ics-csr.com/

    Keywords

    • Intrusion detection system
    • Process-aware
    • SCADA
    • IDS
    • Power distribution
