Bro in SCADA: dynamic intrusion detection policies based on a system model

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious and erroneous commands and sensor readings are detected. It can hence be seen as a local Intrusion Detection System, as well as a safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was directly fed into the system model. Adaptive policies are implemented in Bro, which formulate physical constraints and safety requirements and allow to check whether SCADA traffic complies to these rules in real time. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.
Language: English
Title of host publication: 5th International Symposium for ICS&SCADA Cyber Security Research (ICS-CSR 2018)
Place of Publication: Hamburg
Publisher: BCS Learning & Development Ltd.
Pages: 112-121
Number of pages: 10
ISBN (Print): 978-1-78017-454-9
State: Published - 30 Aug 2018
Event: 5th International Symposium for ICS & SCADA Cyber Security, ICS-CSR 2018 - University of Hamburg, Hamburg, Germany
Duration: 29 Aug 2018 to 30 Aug 2018
Conference number: 5
http://www.ics-csr.com/

Conference

Conference: 5th International Symposium for ICS & SCADA Cyber Security, ICS-CSR 2018
Abbreviated title: ICS-CSR
Country: Germany
City: Hamburg
Period: 29/08/18 to 30/08/18
Internet address

Fingerprint

Intrusion detection
SCADA systems
Sensors
Monitoring

Keywords

  • Intrusion detection system
  • Process-aware
  • SCADA
  • IDS
  • Power distribution

Cite this

Chromik, J. J., Remke, A., & Haverkort, B. R. (2018). Bro in SCADA: dynamic intrusion detection policies based on a system model. In 5th International Symposium for ICS&SCADA Cyber Security Research (ICS-CSR 2018) (pp. 112-121). Hamburg: BCS Learning & Development Ltd.
@inproceedings{84c293476d844bb3a5b54e4b45c22acf,
title = "Bro in SCADA: dynamic intrusion detection policies based on a system model",
abstract = "We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious and erroneous commands and sensor readings are detected. It can hence be seen as a local Intrusion Detection System, as well as a safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was directly fed into the system model. Adaptive policies are implemented in Bro, which formulate physical constraints and safety requirements and allow to check whether SCADA traffic complies to these rules in real time. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.",
keywords = "Intrusion detection system, Process-aware, SCADA, IDS, Power distribution",
author = "Chromik, {Justyna J.} and Anne Remke and Haverkort, {Boudewijn R.}",
year = "2018",
month = "8",
day = "30",
language = "English",
isbn = "978-1-78017-454-9",
pages = "112--121",
booktitle = "5th International Symposium for ICS&SCADA Cyber Security Research (ICS-CSR 2018)",
publisher = "BCS Learning & Development Ltd.",

}
