Process-aware SCADA traffic monitoring: A local approach

Justyna Joanna Chromik

Research output: Thesis › PhD Thesis - Research UT, graduation UT › Academic

Abstract

Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control large physical infrastructures, such as electricity transmission and distribution systems. For years they operated as isolated systems, using proprietary protocols and keeping the exchanged information within the system, which was designed with a centralized architecture. Nowadays, however, SCADA systems are closely connected to the Internet in order to provide remote control capabilities. This makes them vulnerable to adversaries who aim at disrupting the controlled process. Monitoring SCADA systems is a popular way to keep track of the activities inside such systems. However, approaches that are successful in regular IT systems are not always applicable to SCADA systems. Real-life incidents show that disruptive commands can originate at authorised, legitimate hosts, leading to undesired consequences, such as a blackout. Unfortunately, most of the proposed approaches do not investigate the effect of the analysed packets on the underlying physical system. In contrast, this thesis focuses on enhancing traffic monitoring by proposing a local and process-aware monitoring tool for power distribution systems that detects when the physical process is in an unsafe state. To this end, the thesis proposes a new and generic modelling formalism that can describe (a part of) a power distribution system, combined with a new local monitoring algorithm that can validate a set of physical constraints and safety requirements that are required to hold in the power distribution system. The proposed formalism and algorithm have been tested in a co-simulation testbed, and have also been implemented as a Self-Aware Monitor (SAM) tool. The SAM tool automatically generates the appropriate set of rules, based on the description of the topology of the local substation and on the configuration of the controlling Remote Terminal Unit. Finally, a case study conducted at a substation of a Dutch distribution system operator has brought important insights about the feasibility of process-aware monitoring.

Original language: English
Qualification: Doctor of Philosophy
Awarding Institution:
  • University of Twente
Supervisors/Advisors:
  • Remke, Anne Katharina Ingrid, Supervisor
  • Haverkort, Boudewijn Remigius Heinrich Maria, Supervisor
Award date: 12 Jul 2019
Place of Publication: Enschede
Publisher: University of Twente
Print ISBNs: 978-90-365-4801-4
DOIs: https://doi.org/10.3990/1.9789036548014
Publication status: Published - 12 Jul 2019

Fingerprint

SCADA systems
Data acquisition
Monitoring
Remote control
Testbeds
Electricity
Topology
Internet
Network protocols

Cite this

Chromik, Justyna Joanna. / Process-aware SCADA traffic monitoring: A local approach. Enschede : University of Twente, 2019. 231 p.
Chromik, JJ 2019, 'Process-aware SCADA traffic monitoring: A local approach', Doctor of Philosophy, University of Twente, Enschede. https://doi.org/10.3990/1.9789036548014

Chromik JJ. Process-aware SCADA traffic monitoring: A local approach. Enschede: University of Twente, 2019. 231 p. (DSI Ph.D. thesis series; 19-009). https://doi.org/10.3990/1.9789036548014