A behavioral intrusion detection system for SCADA systems

Posted on: 2014-05-23
Degree: Ph.D
Type: Dissertation
University: Southern Methodist University
Candidate: Papa, Stephen M
Full Text: PDF
GTID: 1458390008957784
Subject: Engineering

Abstract/Summary:
Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) are the computer systems used to control many underlying infrastructures, utility systems, and industrial processes relied on by all modern industrial societies. SCADA systems include subway system control, electrical distribution, water and waste water systems control, oil refinery control, and gas and oil pipeline control, to name just a few. ICS are used in factories or plants to control production or industrial processes that are repetitive in nature and run continuously. A good example of an ICS application is the control of chemicals being combined in a reaction chamber, where specific chemicals are added sequentially and at specific temperatures and pressures. The underlying operations controlled by SCADA and ICS are relatively transparent to our daily lives, but the safe and continued operation of these systems is often critical to our existence.

Original SCADA systems were human controlled and did not include autonomous real-time control systems. To improve process consistency and reduce operational costs, many ICS were developed or redesigned to include centralized human monitoring and real-time embedded control systems. As systems have become more complex, the line between SCADA and ICS has become blurred, and these systems are converging such that ICS are a subset of SCADA systems. Regardless of the definition used for these systems, the proposed method of intrusion detection will work equally well in both SCADA and ICS environments. For simplicity and to reduce redundancy, the rest of this dissertation will use the term SCADA systems to include ICS unless explicitly noted otherwise.

Initially, many automated SCADA systems were designed based on proprietary communications protocols and proprietary designs without network connectivity. As time and technology have progressed, these systems have been changing to include open-standards-based designs, and the system components have been integrated based on IP, RF protocols, and other widely used communication standards.

Security within Supervisory Control and Data Acquisition (SCADA) systems is a concern because many of these systems were not designed with security requirements, and it is an increasing concern given several well-publicized attacks on these control systems over the last several years. Network messages containing controller and operator commands and sensor status data may be modified, system control elements may be reprogrammed, or control commands may be injected by an attacker to cause system failures. To detect these intrusions, a Behavioral Intrusion Detection System (BIDS) is proposed in this dissertation. A BIDS can detect attacks that traditional network or host based Intrusion Detection Systems would not detect within a SCADA system. Once implemented, a BIDS would be used to augment existing host and network based IDS systems to detect attacks on SCADA system controllers. The basis of the BIDS approach is to leverage the fact that SCADA systems have a limited and deterministic set of behaviors that result in a relatively small amount of variability during normal system operation. A system's operation can be embodied in system models included in the behavioral intrusion detection system to detect attacks and alert the system operator. Alert filtering is required to minimize false alarms while ensuring that attacks and other anomalous system behaviors, including failures, are detected.

Two system simulations, with and without attacks, were performed and are detailed in this dissertation. The implemented BIDS for each system proved the viability of this approach. BIDS performance resulted in an extremely low false alarm rate when attacks were present, and an exceptionally high attack detection rate with very good identification of the attacked control elements.

This dissertation focuses on the development of a new and unique method of intrusion detection for SCADA systems. It is an IDS which includes system models to predict system behavior. A behavior is typically an anticipated sensor signal (pressure, temperature, flow, level, etc.). This new IDS is called a Behavioral IDS, or BIDS for short. The reliability of this intrusion detection method is improved with the addition of trust anchors within the system to provide real-time data signals whose authenticity and values are assumed to be valid. These trusted signals are used with untrusted system signals by system models within the BIDS to determine when a system behavior is diverging from normal predicted operation and to determine if alert conditions exist. While the use of trust anchors is an underlying and critical enabling technology for this advanced IDS method, the complete definition of the trust anchor is not the subject of this dissertation. Expected trust anchor functionality and support of the Behavioral IDS is provided in this work.
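The comparison of trusted and untrusted signals described above can be sketched as follows. This is an added illustration, not code from the dissertation: the tank model, the constants, the consecutive-sample alert filter, and all sample data are assumptions constructed for the example.

```python
# Added illustration, not the dissertation's code. Tank model, constants,
# filter rule and every sample value are assumptions constructed here.
AREA_M2 = 2.0       # assumed tank cross-section
DT_S = 1.0          # assumed sample period
THRESHOLD_M = 0.10  # assumed tolerated model/sensor disagreement
PERSIST = 3         # assumed alert filter: consecutive violations required


def predict_levels(initial_level, trusted_flows):
    """Integrate trusted (inflow, outflow) samples into the expected level."""
    level, predicted = initial_level, []
    for inflow, outflow in trusted_flows:
        level += (inflow - outflow) * DT_S / AREA_M2
        predicted.append(level)
    return predicted


def detect(initial_level, trusted_flows, reported_levels):
    """Return sample indices where divergence has persisted long enough to alert."""
    alerts, run = [], 0
    predicted = predict_levels(initial_level, trusted_flows)
    for i, (pred, seen) in enumerate(zip(predicted, reported_levels)):
        run = run + 1 if abs(seen - pred) > THRESHOLD_M else 0
        if run == PERSIST:  # one alert per sustained divergence
            alerts.append(i)
    return alerts


def build_scenarios():
    """Constructed data: a normal run with one glitch, and a frozen-sensor run."""
    flows = [(0.4, 0.2)] * 12  # trusted anchor: level rises 0.1 m per sample
    truth = predict_levels(1.0, flows)
    normal = [t + n for t, n in zip(truth, [0.02, -0.02] * 6)]
    normal[4] += 0.5  # single-sample sensor glitch, expected to be filtered out
    # Untrusted level signal stops tracking the process from sample 6 onward.
    frozen = normal[:6] + [normal[5]] * 6
    return flows, normal, frozen


if __name__ == "__main__":
    flows, normal, frozen = build_scenarios()
    print("normal run alerts:", detect(1.0, flows, normal))
    print("frozen-sensor run alerts:", detect(1.0, flows, frozen))
```

The single-sample glitch in the normal run never reaches the persistence count, while the frozen level reading diverges from the model for three consecutive samples and raises one alert.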

Keywords/Search Tags: SCADA, Systems, Intrusion detection, ICS, IDS, Used, Dissertation, Data