Intrusion Detection and Security Monitoring of SCADA Networks

Award Information
Agency: Department of Homeland Security
Branch: N/A
Contract: NBCHC040078
Agency Tracking Number: 04110880
Amount: $68,500.00
Phase: Phase I
Program: SBIR
Solicitation Topic Code: N/A
Solicitation Number: N/A
Timeline
Solicitation Year: N/A
Award Year: 2004
Award Start Date (Proposal Award Date): N/A
Award End Date (Contract End Date): N/A
Small Business Information
1580 Sawgrass Corp. Pkwy Suite 130
Fort Lauderdale, FL 33323
United States
DUNS: N/A
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
Name: Dale Peterson
Title: President
Phone: (954) 315-4633
Email: peterson@digitalbond.com
Business Contact
Name: Dale Peterson
Title: President
Phone: (954) 384-7049
Email: peterson@digitalbond.com
Research Institution
N/A
Abstract

Legacy SCADA systems, and the systems being sold today, lack the security required to prevent attacks. Intrusion detection systems (IDS) and security monitoring tools can work as compensating controls by identifying and stopping attacks. Unfortunately, existing security systems do not identify SCADA-specific attacks. Our proposal will add SCADA-specific knowledge to IDS and security monitoring tools. Specifically, we will: (1) create an open source SCADA signature set for the SNORT IDS that will include specific signature examples, a context, and a tool for SCADA vendors and users to add system-specific signatures; (2) identify and extract security-specific log entries in SCADA application logs for use in a security monitoring tool (examples include failed logins, display changes, and escalation of privileges); and (3) correlate the SCADA application log events and the SCADA IDS data to appropriately set the alert level. The technical approach will focus on identifying attacks on field device (RTU/PLC) to SCADA server communication. With TCP/IP-based field devices spread over a wide geographic area, and the lack of a security standard for this protocol, this communication is perhaps the largest cyber security risk. Our proposal is an immediate compensating control for this risk.

* Information listed above is at the time of submission. *