Applying Policy-based Intrusion Detection to SCADA Networks
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS); Tanya Roosta (Berkeley)
Outline
  • Overview of Supervisory Control and Data Acquisition (SCADA) systems
    • Implementation and threats
  • Intrusion Detection System (IDS) for SCADA
    • Policy-based
    • Signature-based
  • Implementation
    • Mesh networking and routing protocols
    • IDS Structure
  • Testbed Scenario: Tennessee Eastman plant
  • Summary and future work
Motivation: SCADA
  • Supervisory Control and Data Acquisition
    • A process control system
    • Four main components
      • Sensors
      • Actuators
      • Local control loops
      • Plant-wide control loops
  • Applications:
    • Power plants
    • Oil and gas pipelines
    • Nuclear
    • Manufacturing
  • Next-generation SCADA
    • Wireless networking protocols for sensors and actuators provide new challenges
      • Security
      • Power
      • Link-level reliability
State of Security
  • Prior to wireless networks
    • Serial links between sensors, actuators and local control loops
  • Wireless networks
    • Two methodologies
      • RTUs – Remote Terminal Units
      • Intelligent Device Nodes: Integrated control, sensors and actuation
    • 802.15.4 and similar
      • Low-power ad hoc networks
        • AES-based link-layer security exists in the standard but is optional and typically off by default
    • Star configuration
      • Low-power direct-to-AP configuration
        • Likewise unsecured by default
Plant Management and Operation
  • Local control loops report to a SCADA master
    • May be located off-site
      • Implies TCP/IP connectivity across a wide-area link
  • Allows off-site management of a plant or a series of plants
  • Generally secured only by an enterprise-level firewall at the plant boundary
Security Risks
  • Transition from wired serial links to wireless
    • Early implementations used no encryption or other security mechanisms
    • Later fixes added a firewall at the network boundary
  • Primary risk is reliance on firewall-based (perimeter) protection alone
    • Sensors and actuators are not protected locally
    • If the firewall is breached, or on-site (radio-range) access is obtained, the control loops are exposed
Outline (section 2: Intrusion Detection System (IDS) for SCADA)
Intrusion Detection
  • Identification of known attack patterns
    • Jamming
      • Denial of Service
      • Radio interference
    • Injection attacks
      • Packet replay
    • Route disruption
      • Re-routing of traffic to alternate destination
        • Affects mesh-routed networks
    • Packet alteration
      • Difficult to identify
  • Related work
    • T. Roosta, S. Shieh, S. Sastry, "Taxonomy of Security Attacks in Sensor Networks," 1st International IEEE Conference on System Integration and Reliability Improvements, 2006
    • A. Lauf, R. A. Peters, W. H. Robinson, "Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks," Elsevier Ad Hoc Networks (submitted for review)
Intrusion Detection (cont'd)
  • Policy approach
    • Uses pre-defined, system-wide policies
      • Best suited to periodic systems
      • Optimized for deterministic data patterns
    • An attack trips the tolerance levels of the monitored services
  • Hybrid approaches
    • Frequency detection combined with cross-correlation approaches
Proposed method
  • Use the policy-based IDS proposed by T. Roosta [1]
  • Implement the IDS in a JVM
    • Portability
    • Device cross-compatibility
  • Use the Tennessee Eastman plant model [2]
    • Simulated in MATLAB Simulink
    • Network simulation performed by TrueTime [3]
  • Direct Java interface between MATLAB and the IDS
    • IDS receives monitor events over local UDP

[1] T. Roosta, An Intrusion Detection System for Wireless Process Control Systems.
[2] J. J. Downs, E. F. Vogel, "A Plant-Wide Industrial Process Control Problem," Computers & Chemical Engineering, vol. 17, no. 3, pp. 245-255, 1993.
[3] The TrueTime project, Lund University: http://www.nt.ntnu.no/users/skoge/prost/proceedings/ifac2002/data/content/01667/1667.pdf

Proposed Method (cont’d)
  • Policy-based IDS runs on multiple nodes
    • Several copies distributed to select Intelligent Device Nodes (“Field” nodes)
    • Copy on local Access Points (“Master” nodes)
  • Policies monitor several factors
    • “Health” packets at 15-minute intervals
    • Average packet size
    • Routing stability
What is a policy? Why used?
  • Set of conditions and limits
    • Specifies normal operation
    • Ideal for periodic systems
  • Each policy covers a system aspect
    • Packet size
    • Radio power
    • Link stability
  • Policies provide specific capabilities
    • Determine if particular conditions met or exceeded
    • Can target an area more precisely than a general traffic-based IDS
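To make the policy notion concrete, here is an added example in Python (the talk's IDS is written in Java; this is not the authors' code): three of the policies named above, health-packet period, average packet size and routing stability, each expressed as a condition with a tolerance level and run by a small engine over a constructed one-hour trace of monitor events. Node names n1 and n2, the event record layout, the 32-byte baseline, the 15-minute health period and the tolerance values are assumptions chosen for illustration.

```python
"""Policy-based IDS core: a policy is a condition plus a tolerance level, checked
per node over a sliding window of monitor events. Added example, not the authors'
Java IDS; the event layout, node names, periods and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    t: float      # seconds since start of run
    node: str     # reporting Intelligent Device Node
    kind: str     # "health", "packet" or "route"
    value: float  # packet: size in bytes; route: next-hop id; health: unused

# A check sees one node's events inside the policy window (oldest first) plus the
# current time and returns a detail string when the node is outside tolerance.
Check = Callable[[List[Event], float], Optional[str]]
PolicySpec = Tuple[str, float, Check]   # (name, window in seconds, check)
Alert = Tuple[float, str, str, str]     # (time, policy, node, detail)

def health_policy(period: float = 900.0, tolerance: int = 1) -> PolicySpec:
    """A health packet is due every `period` s and `tolerance` misses are allowed,
    so at least one must appear in any (tolerance + 1) * period window."""
    window = (tolerance + 1) * period
    def check(evs, now):
        if any(e.kind == "health" for e in evs):
            return None
        return f"no health packet in the last {window:.0f} s"
    return "health", window, check

def packet_size_policy(baseline=32.0, tolerance=0.25, window=600.0) -> PolicySpec:
    """Mean packet size must stay within `tolerance` (a fraction) of `baseline`."""
    def check(evs, now):
        sizes = [e.value for e in evs if e.kind == "packet"]
        if sizes and abs(sum(sizes) / len(sizes) - baseline) > tolerance * baseline:
            return f"mean packet size {sum(sizes) / len(sizes):.1f} bytes"
        return None
    return "packet_size", window, check

def route_stability_policy(max_changes=2, window=600.0) -> PolicySpec:
    """More than `max_changes` next-hop changes inside the window is route disruption."""
    def check(evs, now):
        hops = [e.value for e in evs if e.kind == "route"]
        changes = sum(1 for a, b in zip(hops, hops[1:]) if a != b)
        return f"{changes} next-hop changes in {window:.0f} s" if changes > max_changes else None
    return "route_stability", window, check

class PolicyEngine:
    """Policy adherence engine plus policy management: policies can be added,
    replaced (updated) or revoked while events keep flowing."""

    def __init__(self, nodes, t0: float = 0.0):
        # Nodes are assumed healthy at commissioning time t0 (seeded health event).
        self.history: Dict[str, List[Event]] = {n: [Event(t0, n, "health", 0.0)] for n in nodes}
        self.policies: Dict[str, Tuple[float, Check]] = {}
        self.tripped: Set[Tuple[str, str]] = set()   # (policy, node) pairs already alerted

    def add(self, spec: PolicySpec) -> None:         # same name replaces: an update
        name, window, check = spec
        self.policies[name] = (window, check)

    def revoke(self, name: str) -> None:
        self.policies.pop(name, None)
        self.tripped = {k for k in self.tripped if k[0] != name}

    def feed(self, ev: Event) -> List[Alert]:
        """Record one event, then check every node against every policy; a policy
        alerts once per node and re-arms once that node is back in tolerance."""
        self.history.setdefault(ev.node, []).append(ev)
        longest = max((w for w, _ in self.policies.values()), default=0.0)
        alerts: List[Alert] = []
        for node, evs in self.history.items():
            evs[:] = [e for e in evs if ev.t - e.t < longest]   # age out old samples
            for name, (window, check) in self.policies.items():
                detail = check([e for e in evs if ev.t - e.t < window], ev.t)
                if detail is None:
                    self.tripped.discard((name, node))
                elif (name, node) not in self.tripped:
                    self.tripped.add((name, node))
                    alerts.append((ev.t, name, node, detail))
        return alerts

def constructed_trace() -> List[Event]:
    """Constructed hour for n1 and n2: 32-byte reports every minute, health every 15 min;
    n2 is jammed after 30 min, n1 carries 96-byte frames from 40 to 45 min (injection or
    alteration) and n1's next hop flaps at 50 min (route disruption)."""
    evs = []
    for t in range(60, 3601, 60):
        for node in ("n1", "n2"):
            if node == "n2" and t > 1800:
                continue
            size = 96.0 if node == "n1" and 2400 <= t < 2700 else 32.0
            evs.append(Event(float(t), node, "packet", size))
            if t % 900 == 0:
                evs.append(Event(float(t), node, "health", 0.0))
    for i, t in enumerate((3000, 3060, 3120, 3180)):
        evs.append(Event(float(t), "n1", "route", float(i % 2)))
    return sorted(evs, key=lambda e: e.t)

def run_demo(revoke: Tuple[str, ...] = ()) -> List[Alert]:
    """Run the trace through all three policies, minus any named in `revoke`."""
    engine = PolicyEngine(("n1", "n2"))
    for spec in (health_policy(), packet_size_policy(), route_stability_policy()):
        engine.add(spec)
    for name in revoke:
        engine.revoke(name)
    return [a for ev in constructed_trace() for a in engine.feed(ev)]
```

Run over the constructed trace, the engine raises exactly three alerts: the packet-size policy trips at 41 minutes once two oversized frames have pulled the ten-minute mean past the 25 % band, the route-stability policy trips on the third next-hop change, and the health policy reports n2 only after two full 15-minute periods have passed without a health packet, which is what the tolerance of one missed packet means. Each policy alerts once per node and re-arms when the node returns to tolerance, so a persistent fault produces one event rather than a flood; `revoke` and a repeated `add` under the same name are the dynamic allocation, revocation and update of policies that the Application of IDS slide mentions.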
Outline (section 3: Implementation)
Routing
  • Assumes 802.15.4 / ZigBee networking between nodes
  • AODV mesh routing protocol
    • Ad hoc On-Demand Distance Vector routing
    • Reactive: routes are discovered only when a node has traffic to send, so no periodic routing exchanges keep the radios powered
    • Creates routes as needed
Application of IDS
  • Policy-based IDS added to several key nodes on the mesh-routed network
  • AP also runs instance of IDS
  • JVM allows device independence
    • Intelligent Device Nodes can run the same IDS code
  • Policies are dynamically allocated, revoked and updated
Attack methods
  • No public data on proprietary plant technologies, let alone on attacks against them
  • Attacks are simulated following logical choices
    • Jamming of one node
    • Jamming of several nodes
    • Packet alteration / checksum failures
    • Temporal disruption
    • Routing, link and PHY failures
  • Testing will consist of Simulink trial runs with varying IDS policies
IDS Structure
  • The IDS comprises four core Java components
    • IDS engine (policy adherence verification)
    • Policy management
    • Event management
    • System control
  • Policy management is dynamic
  • The instance runs on a JVM and receives event data from embedded C-based monitoring applications
Outline (section 4: Testbed Scenario: Tennessee Eastman plant)
Choosing a Plant Model
  • Tennessee Eastman plant model chosen as test system
    • Represents well-known chemical process control case
    • Uses “real-world” data in simulation
    • Provides MATLAB Simulink simulation
      • Can be adapted for a networked simulation
  • TrueTime used as network discrete event simulator
    • Integrates easily into existing Tennessee Eastman plant simulation
    • Multiple physical layer simulation methods
    • Can provide real-time data to IDS
Example: TN Eastman Plant
  • Sensor/actuator systems are grouped and discretized
  • Discrete components are matched to Intelligent Device Nodes with networking capabilities
  • Certain nodes are fitted with copies of the IDS
    • Monitors routing, received data, sent data, packet size, frequency, health, radio power, etc.
  • Access Point is also fitted with a copy of the IDS
AODV TrueTime implementation
  • Each node implements the TrueTime kernel
  • Capable of reading data inputs as well as routing
  • Sends data for consumption between nodes
  • Data sent to SCADA master
IDS localization
[Figure: local field IDS instance on a sensor/actuator Intelligent Device Node (1 of 6)]

IDS setup
  • Simulink sensor and actuator blocks discretized
  • Data routed via AODV network and TrueTime
  • IDS linked via MATLAB Java to selected nodes
  • IDS monitors events based on prescribed policies
  • In real-world scenario
    • Specialized monitor apps report to IDS via UDP
    • IDS runs on a localized JVM
[Figure: IDS setup. A controller and four C-based monitor processes report over UDP to the IDS running in a local JVM, which checks the events against its policies.]
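The event-management side of that setup, as an added example and not the authors' implementation: the monitors are C processes reporting over UDP, which carries no authentication, so the IDS has to bind to loopback and validate every datagram before it reaches the policy engine, and track sequence numbers so lost, duplicated or replayed datagrams are noticed. The one-line datagram layout, node names, size limit and sequence-number scheme are assumptions; the sample datagrams are constructed.

```python
"""Event-management component of the IDS: take datagrams from the C-based monitor
processes over local UDP and turn only the valid ones into events. Added example,
not the authors' code; the datagram layout, node names and limits are assumptions."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed wire format, one ASCII line per datagram: <seq>,<node>,<kind>,<t_ms>,<value>
KINDS = {"health", "packet", "route", "radio"}
MAX_DATAGRAM = 128   # longest legal datagram; anything bigger is dropped unparsed

@dataclass(frozen=True)
class MonitorEvent:
    seq: int
    node: str
    kind: str
    t_ms: int
    value: float

class EventManager:
    """Validates monitor datagrams and tracks per-node sequence numbers, so lost,
    duplicated or replayed datagrams are noticed instead of silently folded in."""

    def __init__(self, nodes):
        self.nodes = set(nodes)                        # field nodes allowed to report
        self.last_seq: Dict[str, int] = {}
        self.gaps: List[Tuple[str, int, int]] = []     # (node, expected seq, seen seq)
        self.rejected: List[Tuple[bytes, str]] = []    # (datagram, reason)

    def _reject(self, data: bytes, reason: str) -> None:
        self.rejected.append((data, reason))
        return None

    def parse(self, data: bytes) -> Optional[MonitorEvent]:
        """Syntax and range checks only; returns None for anything malformed."""
        if len(data) > MAX_DATAGRAM:
            return self._reject(data, "oversized")
        try:
            parts = data.decode("ascii").strip().split(",")
        except UnicodeDecodeError:
            return self._reject(data, "non-ascii")
        if len(parts) != 5:
            return self._reject(data, "field count")
        try:
            seq, t_ms, value = int(parts[0]), int(parts[3]), float(parts[4])
        except ValueError:
            return self._reject(data, "field type")
        node, kind = parts[1], parts[2]
        if node not in self.nodes:
            return self._reject(data, "unknown node")
        if kind not in KINDS:
            return self._reject(data, "unknown kind")
        if seq < 0 or t_ms < 0 or value != value:       # value != value catches NaN
            return self._reject(data, "out of range")
        return MonitorEvent(seq, node, kind, t_ms, value)

    def accept(self, data: bytes) -> Optional[MonitorEvent]:
        """Parse, then require strictly increasing sequence numbers per node."""
        ev = self.parse(data)
        if ev is None:
            return None
        last = self.last_seq.get(ev.node)
        if last is not None and ev.seq <= last:
            return self._reject(data, "replay or out of order")
        if last is not None and ev.seq != last + 1:
            self.gaps.append((ev.node, last + 1, ev.seq))  # datagrams lost in transit
        self.last_seq[ev.node] = ev.seq
        return ev

# Constructed datagrams, as monitors on two nodes might emit them, with faults mixed in.
SAMPLE_DATAGRAMS = [
    b"1,n1,health,900000,0\n",
    b"2,n1,packet,960000,32\n",
    b"4,n1,packet,1020000,96\n",        # seq 3 never arrived: a gap
    b"2,n1,packet,960000,32\n",         # replay of an earlier datagram
    b"1,n9,packet,960000,32\n",         # node not in the allow-list
    b"1,n2,packet,abc,32\n",            # timestamp is not an integer
    b"1,n2,packet,900000,32,extra\n",   # wrong field count
    b"9" * 200,                         # oversized
]

def run_sample(datagrams=SAMPLE_DATAGRAMS, nodes=("n1", "n2")):
    """Feed datagrams straight to the manager (no socket); return it and the accepted events."""
    mgr = EventManager(nodes)
    accepted = [ev for ev in (mgr.accept(d) for d in datagrams) if ev is not None]
    return mgr, accepted

def loopback_roundtrip(datagrams=SAMPLE_DATAGRAMS, nodes=("n1", "n2")):
    """Same flow over a real loopback UDP socket, as the monitors would talk to the JVM.
    The receive buffer is one byte over the limit, so an oversized datagram arrives
    truncated (Linux/BSD discard the excess) and is still rejected, never read in full."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    mgr, accepted = EventManager(nodes), []
    try:
        rx.bind(("127.0.0.1", 0))                     # loopback only, ephemeral port
        rx.settimeout(1.0)
        for d in datagrams:
            tx.sendto(d, rx.getsockname())
            ev = mgr.accept(rx.recvfrom(MAX_DATAGRAM + 1)[0])
            if ev is not None:
                accepted.append(ev)
    finally:
        tx.close()
        rx.close()
    return mgr, accepted
```

Of the eight constructed datagrams, three become events; the manager records one gap (n1 sequence 3 lost) and rejects the remaining five with a reason each, which is the information a system-control component needs to tell a lossy link from a monitor that is being spoofed. `run_sample()` exercises the parsing without any socket; `loopback_roundtrip()` does the same through a real UDP socket bound to 127.0.0.1 and is the shape the C monitors' delivery path would take.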

Summary and Future Work
  • Development of Routing model in progress
  • IDS complete
  • IDS instance generation in progress
  • Attack synthesis in progress