Applying policy-based intrusion detection to scada networks - PowerPoint PPT Presentation
Presentation Transcript

Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS)

Tanya Roosta (Berkeley)

Applying policy-based intrusion detection to scada networks


Outline

  • Overview of Supervisory Control and Data Acquisition (SCADA) systems

    • Implementation and threats

  • Intrusion Detection System (IDS) for SCADA

    • Policy-based

    • Signature-based

  • Implementation

    • Mesh networking and routing protocols

    • IDS Structure

  • Testbed Scenario: Tennessee Eastman plant

  • Summary and future work


Outline

  • Overview of Supervisory Control and Data Acquisition (SCADA) systems

    • Implementation and threats

  • Intrusion Detection System (IDS) for SCADA

    • Policy-based

    • Signature-based

  • Implementation

    • Mesh networking and routing protocols

    • IDS Structure

  • Testbed Scenario: Tennessee Eastman plant

  • Summary and future work


Motivation: SCADA

  • Supervisory Control and Data Acquisition

    • A process control system

    • Four main components

      • Sensors

      • Actuators

      • Local control loops

      • Plant-wide control loops

  • Applications:

    • Power plants

    • Oil and gas pipelines

    • Nuclear

    • Manufacturing

  • Next-generation SCADA

    • Wireless networking protocols for sensors and actuators provide new challenges

      • Security

      • Power

      • Link-level reliability


State of Security

  • Prior to wireless networks

    • Serial links between sensors, actuators and local control loops

  • Wireless networks

    • Two methodologies

      • RTUs – Remote Terminal Units

      • Intelligent Device Nodes: Integrated control, sensors and actuation

    • 802.15.4 and similar

      • Low-power ad-hoc networks

        • By default, unsecured

    • Star configuration

      • Low-power direct-to-AP configuration

        • By default, unsecured


Plant Management and Operation

  • Local control loops report to SCADA master

    • May be located offsite

      • Implies TCP-based connectivity

  • Allows off-site management of a plant or series of plants

  • Generally secured by enterprise-level firewall


Security Risks

  • Transition from wired serial links to wireless

    • Early implementations used no encryption or security methods

    • Later modifications added firewall-based protection

  • Primary risk stems from relying on firewall-based protection

    • Sensors/actuators not locally protected

    • If firewall is breached, or on-site access established, control loops are at risk


Outline

  • Overview of Supervisory Control and Data Acquisition (SCADA) systems

    • Implementation and threats

  • Intrusion Detection System (IDS) for SCADA

    • Policy-based

    • Signature-based

  • Implementation

    • Mesh networking and routing protocols

    • IDS Structure

  • Testbed Scenario: Tennessee Eastman plant

  • Summary and future work


Intrusion Detection

  • Identification of known attack patterns

    • Jamming

      • Denial of Service

      • Radio interference

    • Injection attacks

      • Packet replay

    • Route disruption

      • Re-routing of traffic to alternate destination

        • Affects mesh-routed networks

    • Packet alteration

      • Difficult to identify

  • Related work

    • T. Roosta, S. Shieh, S. Sastry, "Taxonomy of Security Attacks in Sensor Networks," 1st International IEEE Conference on System Integration and Reliability Improvements, 2006

    • A. Lauf, R. A. Peters, W. H. Robinson, "Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks," Elsevier Journal for Ad-Hoc Networks, submitted for review


Intrusion Detection (cont'd)

  • Policy approach

    • Use of pre-defined system-wide policies

      • Best for periodic systems

      • Optimized for deterministic data patterns

    • Attacks trip tolerance levels of monitored services

  • Hybrid approaches

    • Frequency detection combined with cross-correlation approaches


Proposed Method

  • Use of the policy-based IDS proposed by T. Roosta [1]

  • Implementation of IDS in a JVM

    • Allows portability

    • Device cross-compatibility

  • Use of the Tennessee Eastman plant model [2]

    • Simulated in MATLAB Simulink

    • Network simulation performed by TrueTime [3]

  • Direct Java interface between MATLAB and IDS

    • IDS to receive local UDP support

[1] T. Roosta, "An Intrusion Detection System for Wireless Process Control Systems"

[2] J. J. Downs, E. F. Vogel, "A Plant-Wide Industrial Process Control Problem," Computers & Chemical Engineering, Vol. 17, No. 3, pp. 245-255, 1993

[3] The TrueTime Project at Lund University, http://www.nt.ntnu.no/users/skoge/prost/proceedings/ifac2002/data/content/01667/1667.pdf


Proposed Method (cont'd)

  • Policy-based IDS runs on multiple nodes

    • Several copies distributed to select Intelligent Device Nodes (“Field” nodes)

    • Copy on local Access Points (“Master” nodes)

  • Policies monitor several factors

    • “Health” packets at 15-minute intervals

    • Average packet size

    • Routing stability


What is a policy? Why used?

  • Set of conditions and limits

    • Specifies normal operation

    • Ideal for periodic systems

  • Each policy covers a system aspect

    • Packet size

    • Radio power

    • Link stability

  • Policies provide specific capabilities

    • Determine if particular conditions met or exceeded

    • Can target an area more precisely than a general traffic-based IDS
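The policies named on this slide and on "Proposed Method (cont'd)" (health packets at 15-minute intervals, average packet size, routing stability), written out as an added example in Java, the language the slides give for the IDS. This is not the presentation's or the project's own code. The event format, the 90-second tolerance around the 15-minute health interval, the packet-size bounds, the route-change window and the node names are assumptions made for the example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not the presentation's code. Each policy is a set of conditions
// and limits describing normal operation of one system aspect; an event outside
// those limits trips it. Event format and all thresholds are assumptions.
public class PolicyIds {
    // One event reported by a field node (hypothetical format).
    static final class Event {
        final long time;     // seconds since start of the trace
        final String node;   // reporting Intelligent Device Node
        final String kind;   // "health", "packet" or "route"
        final double value;  // packet size in bytes, or next-hop id for "route"
        Event(long time, String node, String kind, double value) {
            this.time = time; this.node = node; this.kind = kind; this.value = value;
        }
    }

    // A policy covers one aspect; it returns an alert, or null when the event stays inside its limits.
    interface Policy { String check(Event e); }

    // Health packets are expected every 15 minutes (slide value); a gap outside
    // expected +/- tolerance trips the policy. State is kept per node.
    static final class HealthIntervalPolicy implements Policy {
        private final long expected, tolerance;
        private final Map<String, Long> lastSeen = new HashMap<>();
        HealthIntervalPolicy(long expectedSec, long toleranceSec) { expected = expectedSec; tolerance = toleranceSec; }
        public String check(Event e) {
            if (!e.kind.equals("health")) return null;
            Long prev = lastSeen.put(e.node, e.time);
            if (prev == null) return null;
            long gap = e.time - prev;
            return Math.abs(gap - expected) > tolerance
                ? e.node + ": health interval " + gap + "s, expected " + expected + "s +/- " + tolerance + "s" : null;
        }
    }

    // Average packet size must stay in [min, max]; an exponential moving average
    // smooths a single odd packet so only a sustained shift trips the policy.
    static final class PacketSizePolicy implements Policy {
        private final double min, max, alpha;
        private final Map<String, Double> avg = new HashMap<>();
        PacketSizePolicy(double minBytes, double maxBytes, double alpha) { min = minBytes; max = maxBytes; this.alpha = alpha; }
        public String check(Event e) {
            if (!e.kind.equals("packet")) return null;
            double a = avg.containsKey(e.node) ? alpha * e.value + (1 - alpha) * avg.get(e.node) : e.value;
            avg.put(e.node, a);
            return (a < min || a > max)
                ? String.format("%s: average packet size %.1f B outside [%.0f, %.0f]", e.node, a, min, max) : null;
        }
    }

    // Routing stability: more than maxChanges next-hop changes inside a sliding
    // window of windowSec points to route disruption on the mesh.
    static final class RoutingStabilityPolicy implements Policy {
        private final long window; private final int maxChanges;
        private final Map<String, Double> hop = new HashMap<>();
        private final Map<String, Deque<Long>> changes = new HashMap<>();
        RoutingStabilityPolicy(long windowSec, int maxChanges) { window = windowSec; this.maxChanges = maxChanges; }
        public String check(Event e) {
            if (!e.kind.equals("route")) return null;
            Double prev = hop.put(e.node, e.value);
            if (prev == null || prev.doubleValue() == e.value) return null;
            Deque<Long> q = changes.computeIfAbsent(e.node, k -> new ArrayDeque<>());
            q.addLast(e.time);
            while (q.peekFirst() < e.time - window) q.pollFirst();  // forget changes older than the window
            return q.size() > maxChanges ? e.node + ": " + q.size() + " route changes within " + window + "s" : null;
        }
    }

    // The IDS engine: every event is verified against every active policy.
    static List<String> run(List<Policy> policies, List<Event> events) {
        List<String> alerts = new ArrayList<>();
        for (Event e : events)
            for (Policy p : policies) {
                String a = p.check(e);
                if (a != null) alerts.add("t=" + e.time + "s " + a);
            }
        return alerts;
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of(
            new HealthIntervalPolicy(15 * 60, 90),   // 15-minute health packets, 90 s slack
            new PacketSizePolicy(40, 80, 0.5),       // normal packets are 40-80 bytes
            new RoutingStabilityPolicy(600, 2));     // at most 2 next-hop changes per 10 minutes
        // Constructed trace: n1 behaves normally; n3 sends oversized packets,
        // flaps its next hop and misses one health packet.
        List<Event> trace = List.of(
            new Event(0, "n1", "health", 0), new Event(0, "n3", "health", 0),
            new Event(10, "n1", "packet", 52), new Event(10, "n3", "packet", 200),
            new Event(20, "n1", "packet", 60), new Event(20, "n3", "packet", 210),
            new Event(100, "n3", "route", 1), new Event(200, "n3", "route", 2),
            new Event(300, "n3", "route", 1), new Event(400, "n3", "route", 2),
            new Event(900, "n1", "health", 0), new Event(1800, "n3", "health", 0));
        run(policies, trace).forEach(System.out::println);
    }
}
```

Each policy keeps its own per-node state and its own limits, which is what lets a policy target one aspect more precisely than a general traffic-based IDS: the health check only fires on a missed or early interval, the size check only on a sustained shift, and the route check only when next-hop changes cluster in time. The limits are what an operator tunes to the plant's known periodicity.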


Outline

  • Overview of Supervisory Control and Data Acquisition (SCADA) systems

    • Implementation and threats

  • Intrusion Detection System (IDS) for SCADA

    • Policy-based

    • Signature-based

  • Implementation

    • Mesh networking and routing protocols

    • IDS Structure

  • Testbed Scenario: Tennessee Eastman plant

  • Summary and future work


Routing

  • Assuming 802.15.4 ZigBee networking between nodes

  • AODV mesh routing protocol

    • Ad Hoc On-Demand Distance Vector Routing

    • Reduces need for constant radio power

    • Creates routes as needed


Application of IDS

  • Policy-based IDS added to several key nodes on the mesh-routed network

  • AP also runs instance of IDS

  • JVM allows device independence

    • Intelligent Device Nodes can run the same IDS code

  • Policies are dynamically allocated, revoked and updated


Attack methods

  • No data available on proprietary plant technologies – let alone attacks

  • Simulation of attacks to follow logical choices

    • Jamming of one node

    • Jamming of several nodes

    • Packet alteration/checksum failures

    • Temporal disruption

    • Routing/link/PHY failures

  • Testing will consist of Simulink trial runs together with varying IDS policies


IDS Structure

  • IDS consists of four core Java components

    • IDS engine/policy adherence verification

    • Policy management

    • Event management

    • System control

  • Policy management is dynamic

  • Instance runs on JVM, receives event data from embedded C-based monitoring applications


Outline

  • Overview of Supervisory Control and Data Acquisition (SCADA) systems

    • Implementation and threats

  • Intrusion Detection System (IDS) for SCADA

    • Policy-based

    • Signature-based

  • Implementation

    • Mesh networking and routing protocols

    • IDS Structure

  • Testbed Scenario: Tennessee Eastman plant

  • Summary and future work


Choosing a Plant Model

  • Tennessee Eastman plant model chosen as test system

    • Represents well-known chemical process control case

    • Uses “real-world” data in simulation

    • Provides MATLAB Simulink simulation

      • Can be adapted for a networked simulation

  • TrueTime used as network discrete event simulator

    • Integrates easily into existing Tennessee Eastman plant simulation

    • Multiple physical layer simulation methods

    • Can provide real-time data to IDS


Example: TN Eastman Plant

  • Sensor/actuator systems are grouped and discretized

  • Discrete components are matched to Intelligent Device Nodes with networking capabilities

  • Certain nodes are fitted with copies of the IDS

    • Monitors routing, received data, sent data, packet size, frequency, health, radio power, etc.

  • Access Point is also fitted with a copy of the IDS


AODV TrueTime Implementation

  • Each node implements the TrueTime kernel

  • Capable of reading data inputs as well as routing

  • Sends data for consumption between nodes

  • Data sent to SCADA master


IDS Localization

[Figure: Local Field IDS on a sensor/actuator Intelligent Device Node (1 of 6)]


IDS setup

  • Simulink sensor and actuator blocks discretized

  • Data routed via AODV network and TrueTime

  • IDS linked via MATLAB Java to selected nodes

  • IDS monitors events based on prescribed policies

  • In real-world scenario

    • Specialized monitor apps report to IDS via UDP

    • IDS runs on localized JVM

[Figure: Controller and four C monitor apps report over UDP to the IDS, which runs in a JVM and applies its policies]
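The event path from the "IDS Structure" and "IDS setup" slides (monitor applications reporting to the IDS over UDP, an engine hosted in a JVM, dynamic policy management), as an added example in Java; this is not the presentation's or the project's own code. The datagram format `node=..;kind=..;value=..`, the policy name `packet-size`, its limits and the sample node name are assumptions, and a Java sender on the loopback interface stands in for the embedded C monitors.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.LinkedBlockingQueue;

// Added example, not the presentation's code. Datagram format, policy names and
// limits are assumptions; a Java sender stands in for the embedded C monitors.
public class IdsEventPath {
    // A parsed monitor event (hypothetical fields).
    static final class Event {
        final String node, kind; final double value;
        Event(String node, String kind, double value) { this.node = node; this.kind = kind; this.value = value; }
    }

    // Event management: parse one datagram and reject anything malformed, so a
    // corrupted or altered report is flagged as such and never reaches the engine.
    static Event parse(String payload) {
        String node = null, kind = null; Double value = null;
        for (String field : payload.split(";")) {
            String[] kv = field.split("=", 2);
            if (kv.length != 2) return null;
            if (kv[0].equals("node")) node = kv[1];
            else if (kv[0].equals("kind")) kind = kv[1];
            else if (kv[0].equals("value")) {
                try { value = Double.parseDouble(kv[1]); } catch (NumberFormatException ex) { return null; }
            } else return null;   // unknown field
        }
        return (node == null || kind == null || value == null) ? null : new Event(node, kind, value);
    }

    // One policy: values of the given event kind must stay inside [min, max].
    static final class LimitPolicy {
        final String kind; final double min, max;
        LimitPolicy(String kind, double min, double max) { this.kind = kind; this.min = min; this.max = max; }
    }

    // Policy management: policies are keyed by name so they can be allocated,
    // updated (allocated again under the same name) and revoked at run time.
    static final class PolicyManager {
        private final Map<String, LimitPolicy> active = new ConcurrentHashMap<>();
        void allocate(String name, LimitPolicy p) { active.put(name, p); }
        void revoke(String name) { active.remove(name); }
        List<String> evaluate(Event e) {
            List<String> tripped = new ArrayList<>();
            for (Map.Entry<String, LimitPolicy> en : active.entrySet()) {
                LimitPolicy p = en.getValue();
                if (p.kind.equals(e.kind) && (e.value < p.min || e.value > p.max))
                    tripped.add(en.getKey() + " tripped by " + e.node + " (" + e.kind + "=" + e.value + ")");
            }
            return tripped;
        }
    }

    // The IDS engine: receive event datagrams on loopback, verify each event against the active policies.
    static final class Ids implements Runnable {
        final DatagramSocket socket; final PolicyManager policies;
        final BlockingQueue<String> results = new LinkedBlockingQueue<>();   // one result line per datagram
        Ids(PolicyManager policies) throws IOException {
            this.policies = policies; socket = new DatagramSocket(0, InetAddress.getLoopbackAddress());
        }
        public void run() {
            byte[] buf = new byte[512];
            while (!socket.isClosed()) {
                DatagramPacket pkt = new DatagramPacket(buf, buf.length);
                try { socket.receive(pkt); } catch (IOException closed) { return; }
                String payload = new String(pkt.getData(), 0, pkt.getLength(), StandardCharsets.UTF_8);
                Event e = parse(payload);
                if (e == null) { results.add("MALFORMED " + payload); continue; }
                List<String> tripped = policies.evaluate(e);
                results.add(tripped.isEmpty() ? "ok " + payload : "ALERT " + tripped);
            }
        }
    }

    // Stand-in for a C monitor application: one constructed report per datagram.
    static void report(DatagramSocket monitor, int idsPort, String payload) throws IOException {
        byte[] b = payload.getBytes(StandardCharsets.UTF_8);
        monitor.send(new DatagramPacket(b, b.length, InetAddress.getLoopbackAddress(), idsPort));
    }

    public static void main(String[] args) throws Exception {
        PolicyManager pm = new PolicyManager();
        pm.allocate("packet-size", new LimitPolicy("packet", 40, 80));
        Ids ids = new Ids(pm);
        Thread engine = new Thread(ids, "ids-engine"); engine.setDaemon(true); engine.start();
        try (DatagramSocket monitor = new DatagramSocket()) {
            int port = ids.socket.getLocalPort();
            String[] reports = {
                "node=n3;kind=packet;value=52",     // within limits
                "node=n3;kind=packet;value=210",    // trips packet-size
                "node=n3;kind=packet;value=x" };    // malformed: rejected by the parser
            for (String r : reports) { report(monitor, port, r); System.out.println(ids.results.take()); }
            pm.revoke("packet-size");               // policy revoked at run time
            report(monitor, port, "node=n3;kind=packet;value=210");
            System.out.println(ids.results.take()); // same report, now "ok"
        }
        ids.socket.close();
    }
}
```

Two design points carry over from the slides: the engine never trusts a monitor datagram until the parser has accepted it, which is where a packet-alteration or checksum failure is caught before it can influence a verdict, and the policy table is a concurrent map keyed by name, so the "Master" node can allocate, update or revoke a policy on a field node without restarting the JVM instance.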


Summary and Future Work

  • Development of routing model in progress

  • IDS complete

  • IDS instance generation in progress

  • Attack synthesis in progress

