Abstract
Supervisory control and data acquisition systems (SCADA) are attractive targets due to their widespread use in the critical infrastructure. A large percentage of attacks involve crafted inputs. Buffer overflows, a form of crafted input attack, are still common. These attacks can be used to take over SCADA systems or force them to crash. The compromised systems could be leveraged to issue commands to other devices in a SCADA network and cause harm.
This chapter presents a novel forensic tool that enables operators to detect crafted input attacks and monitor SCADA systems and networks for harmful actions. The tool incorporates several language-theoretic security-compliant parsers to ensure the syntactic validity of communications, enabling the detection of zero-day attacks that leverage crafted packets. The tool also detects attacks triggered using legacy protocols and includes graphical user interfaces, command-line interfaces and tools for comparing network traffic against configuration files to detect malicious activities. Experimental evaluations of the parsers using a large SCADA network traffic dataset demonstrate their efficacy. Fuzzing experiments demonstrate the resilience of the parsers as well as the tool itself.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
F. Adelstein, Live forensics: Diagnosing your system without killing it first, Communications of the ACM, vol. 49(2), pp. 63–66, 2006.
I. Ahmed, S. Obermeier, M. Naedele and G. Richard, SCADA systems: Challenges for forensics investigators, IEEE Computer, vol. 45(12), pp. 44–51, 2012.
P. Anantharaman, V. Kothari, J. Brady, I. Jenkins, S. Ali, M. Millian, R. Koppel, J. Blythe, S. Bratus and S. Smith, Mismorphism: The heart of the weird machine, in Security Protocols XXVII, J. Anderson, F. Stajano, B. Christianson and V. Matyas (Eds.), Springer, Cham, Switzerland, pp. 113–124, 2020.
P. Anantharaman, K. Palani, R. Brantley, G. Brown, S. Bratus and S. Smith, PhasorSec: Protocol security filters for wide-area measurement systems, Proceedings of the IEEE International Conference on Communications, Control and Computing Technologies for Smart Grids, 2018.
R. Berthier and W. Sanders, Specification-based intrusion detection for advanced metering infrastructures, Proceedings of the Seventeenth IEEE Pacific Rim International Symposium on Dependable Computing, pp. 184–193, 2011.
D. Bradbury, The “air gap” between IT and OT is disappearing, and we’re not ready to manage the risk, Infosecurity Magazine, February 26, 2019.
S. Bratus, A. Crain, S. Hallberg, D. Hirsch, M. Patterson, M. Koo and S. Smith, Implementing a vertically-hardened DNP3 control stack for power applications, Proceedings of the Second Annual Industrial Control System Security Workshop, pp. 45–53, 2016.
J. Brenner, Eyes wide shut: The growing threat of cyber attacks on industrial control systems, Bulletin of the Atomic Scientists, vol. 69(5), pp. 15–20, 2013.
E. Byers, Cyber security and the pipeline control system, Pipeline and Gas Journal, pp. 58–59, February 2009.
L. Chang, T. Bryan, A. McKinnon and M. Hadley, Enabling situational awareness in operational technology environments through software-defined networking, Journal of Information Warfare, vol. 18(4), pp. 156–166, 2019.
A. Crain and C. Sistrunk, S4x14 Video: Crain/Sistrunk – Project Robus, Master Serial Killer, Digital Bond, Sunrise, Florida (dale-peterson.com/2014/01/23/s4x14-video-crain-sistrunk-project-robus-master-serial-killer), 2014.
denandz, fuzzotron: A TCP/UDP Based Network Daemon Fuzzer, GitHub (github.com/denandz/fuzzotron), 2018.
P. Eden, A. Blyth, P. Burnap, Y. Cherdantseva, K. Jones and H. Soulsby, A forensic taxonomy of SCADA systems and approach to incident response, Proceedings of the Third International Symposium on ICS and SCADA Cyber Security Research, pp. 42–51, 2015.
M. Ehrlich, D. Krummacker, C. Fischer, R. Guillaume, S. Perez Olaya, A. Frimpong, H. de Meer, M. Wollschlaeger, H. Schotten and J. Jasperneite, Software-defined networking as an enabler for future industrial network management, Proceedings of the Twenty-Third IEEE International Conference on Emerging Technologies and Factory Automation, pp. 1109–1112, 2018.
Electricity Information Sharing and Analysis Center, Analysis of the Cyber Attack on the Ukrainian Power Grid, Washington, DC, 2016.
N. Falliere, L. O’Murchu and E. Chien, W32.Stuxnet Dossier, Version 1.4, Symantec, Mountain View, California, 2011.
A. Fioraldi, D. Maier, H. Eissfeldt and M. Heuse, AFL++: Combining incremental steps of fuzzing research, Proceedings of the Fourteenth USENIX Workshop on Offensive Technologies, 2020.
D. Formby, P. Srinivasan, A. Leonard, J. Rogers and R. Beyah, Who’s in control of your control system? Device fingerprinting for cyber-physical systems, Proceedings of the Twenty-Third Annual Network Distributed System Security Symposium, 2016.
J. Hong, C. Liu and M. Govindarasu, Integrated anomaly detection for cyber security of substations, IEEE Transactions on Smart Grid, vol. 5(4), pp. 1643–1653, 2014.
A. Kalra, D. Dolezilek, J. Mathew, R. Raju, R. Meine and D. Pawar, Using software-defined networking to build modern, secure IEC 61850 based substation automation systems, Proceedings of the Fifteenth International Conference on Developments in Power System Protection, 2020.
D. Lee, H. Kim, K. Kim and P. Yoo, Simulated attack on the DNP3 protocol in SCADA systems, Proceedings of the Thirty-First Symposium on Cryptography and Information Security, 2014.
L. Maglaras and J. Jiang, Intrusion detection in SCADA systems using machine learning techniques, Proceedings of the Science and Information Conference, pp. 626–631, 2014.
M. Millian, P. Anantharaman, S. Bratus, S. Smith and M. Locasto, Converting an electric power utility network to defend against crafted inputs, in Critical Infrastructure Protection XIII, J. Staggs and S. Shenoi (Eds.), Springer, Cham, Switzerland, pp. 73–85, 2019.
M. Naedele, Addressing IT security for critical control systems, Proceedings of the Fortieth Annual Hawaii International Conference on System Sciences, 2007.
V. Narayanan and R. Bobba, Learning-based anomaly detection for industrial arm applications, Proceedings of the Workshop on Cyber-Physical Systems Security and Privacy, pp. 13–23, 2018.
National Institute of Standards and Technology, CVE-2020-10613 Detail, National Vulnerability Database, Gathersburg, Maryland (nvd.nist.gov/vuln/detail/CVE-2020-10613), April 22, 2020.
Y. Pats, pythonfuzz: Coverage-Guided Fuzz Testing for Python, GitLab (gitlab.com/gitlab-org/security-products/analyzers/fuzzers/pythonfuzz), 2020.
M. Patterson, Hammer, GitLab (gitlab.special-circumstanc.es/hammer/hammer), 2020.
N. Perlroth and C. Krauss, A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try, New York Times, March 15, 2018.
W. Ren, T. Yardley and K. Nahrstedt, EDMAND: Edge-based multilevel anomaly detection for SCADA networks, Proceedings of the IEEE International Conference on Communications, Control and Computing Technologies for Smart Grids, 2018.
Step Function I/O, Aegis Fuzzer, Bend, Oregon (stepfunc.io/products/aegis-fuzzer), 2021.
F. Tacliad, T. Nguyen and M. Gondree, DoS exploitation of Allen-Bradley’s legacy protocol through fuzz testing, Proceedings of the Third Annual Industrial Control System Security Workshop, pp. 24–31, 2017.
D. Urbina, J. Giraldo, A. Cardenas, N. Tippenhauer, J. Valente, M. Faisal, J. Ruths, R. Candell and H. Sandberg, Limiting the impact of stealthy attacks on industrial control systems, Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 1092–1105, 2016.
V. Urias, W. Stout and B. Van Leeuwen, On the feasibility of generating deception environments for industrial control systems, presented at the IEEE International Symposium on Technologies for Homeland Security, 2018.
C. Valli, SCADA forensics with Snort IDS, Proceedings of the International Conference on Security and Management, pp. 618–621, 2009.
R. van der Knijff, Control systems/SCADA forensics, what’s the difference? Digital Investigation, vol. 11(3), pp. 160–174, 2014.
J. Verba and M. Milvich, Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS), Proceedings of the IEEE Conference on Technologies for Homeland Security, pp. 469–473, 2008.
C. Wright, Forensics management, in Handbook of SCADA/Control Systems Security, R. Radvanovsky and J. Brodsky (Eds.), CRC Press, Boca Raton, Florida, pp. 169–200, 2016.
T. Yardley, Building a physical testbed for black start restoration, presented at the ICS Village at DEF CON Safe Mode, 2020.
B. Zhu, A. Joseph and S. Sastry, A taxonomy of cyber attacks on SCADA systems, Proceedings of the International Conference on Internet of Things and Fourth International Conference on Cyber, Physical and Social Computing, pp. 380–388, 2011.
B. Zhu and S. Sastry, SCADA-specific intrusion detection/prevention systems: A survey and taxonomy, Proceedings of the First Workshop on Secure Control Systems, 2010.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Anantharaman, P. et al. (2022). A Communications Validity Detector for SCADA Networks. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XV. ICCIP 2021. IFIP Advances in Information and Communication Technology, vol 636. Springer, Cham. https://doi.org/10.1007/978-3-030-93511-5_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-93511-5_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93510-8
Online ISBN: 978-3-030-93511-5
eBook Packages: Computer ScienceComputer Science (R0)
