Applying Policy-Based Intrusion Detection to SCADA Networks
DESCRIPTION
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS); Tanya Roosta (Berkeley). Applying policy-based intrusion detection to SCADA networks. Slide deck covering an overview of Supervisory Control and Data Acquisition (SCADA) systems, their implementation and threats, a policy-based IDS for SCADA, and a Tennessee Eastman plant testbed.
TRANSCRIPT
1
APPLYING POLICY-BASED INTRUSION DETECTION TO SCADA NETWORKS
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS); Tanya Roosta (Berkeley)
2
Outline
Overview of Supervisory Control and Data Acquisition (SCADA) systems
  Implementation and threats
Intrusion Detection System (IDS) for SCADA
  Policy-based
  Signature-based
Implementation
  Mesh networking and routing protocols
  IDS structure
Testbed
  Scenario: Tennessee Eastman plant
Summary and future work
4
Motivation: SCADA
Supervisory Control and Data Acquisition: a process control system with four main components
  Sensors
  Actuators
  Local control loops
  Plant-wide control loops
Applications: power plants, oil and gas pipelines, nuclear, manufacturing
Next-generation SCADA: wireless networking protocols for sensors and actuators bring new challenges
  Security
  Power
  Link-level reliability
5
State of Security
Prior to wireless networks: serial links between sensors, actuators and local control loops
Wireless networks: two approaches
  Mesh of RTUs (Remote Terminal Units) / Intelligent Device Nodes with integrated control, sensing and actuation
    802.15.4 and similar low-power ad hoc networks
    Unsecured by default (802.15.4 link-layer AES-CCM security is optional and is commonly left disabled)
  Star configuration
    Low-power, direct-to-Access-Point links
    Unsecured by default
6
Plant Management and Operation
Local control loops report to a SCADA master, which may be located offsite
  Implies TCP/IP connectivity into the plant network
  Allows off-site management of a plant or a series of plants
  Generally secured by an enterprise-level firewall
7
Security Risks
Transition from wired serial links to wireless
  Early implementations used no encryption or other security measures
  Later retrofits placed a firewall in front of the plant network
Primary risk is reliance on firewall-based protection
  Sensors and actuators are not protected locally
  If the firewall is breached, or on-site access is established, the control loops are at risk
9
Intrusion Detection
Identification of known attack patterns
  Jamming: denial of service through radio interference
  Injection attacks: packet replay
  Route disruption: re-routing of traffic to an alternate destination; affects mesh-routed networks
  Packet alteration: difficult to identify
Related work
  T. Roosta, S. Shieh, S. Sastry, "Taxonomy of Security Attacks in Sensor Networks," 1st International IEEE Conference on System Integration and Reliability Improvements, 2006
  A. Lauf, R. A. Peters, W. H. Robinson, "Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks," Elsevier Ad Hoc Networks (submitted for review)
10
Intrusion Detection (cont'd)
Policy approach
  Uses pre-defined, system-wide policies
  Best suited to periodic systems; optimized for deterministic data patterns
  An attack trips the tolerance levels of the monitored services
Hybrid approaches
  Frequency detection combined with cross-correlation approaches
11
Proposed Method
Use the policy-based IDS proposed by T. Roosta [1]
Implement the IDS on a JVM: portability and device cross-compatibility
Use the Tennessee Eastman plant model [2]
  Simulated in MATLAB Simulink; network simulation performed by TrueTime [3]
  Direct Java interface between MATLAB and the IDS
  IDS to receive events locally over UDP
[1] T. Roosta, An Intrusion Detection System for Wireless Process Control Systems
[2] J. J. Downs, E. F. Vogel, "A Plant-Wide Industrial Process Control Problem," Computers & Chemical Engineering, Vol. 17, No. 3, pp. 245-255, 1993
[3] The TrueTime Project at Lund University, http://www.control.lth.se/truetime/
12
Proposed Method (cont’d)
Policy-based IDS runs on multiple nodes
  Several copies distributed to selected Intelligent Device Nodes ("Field" nodes)
  A copy on each local Access Point ("Master" nodes)
Policies monitor several factors
  "Health" packets at 15-minute intervals
  Average packet size
  Routing stability
13
What is a policy? Why use one?
A set of conditions and limits that specifies normal operation; ideal for periodic systems
Each policy covers one system aspect
  Packet size
  Radio power
  Link stability
Policies provide specific capabilities
  Determine whether particular conditions are met or exceeded
  Can target an area more precisely than a general traffic-based IDS
15
Routing
Assumes 802.15.4 / ZigBee networking between nodes
AODV mesh routing protocol (Ad hoc On-Demand Distance Vector routing)
  Creates routes only when needed, by flooding a route request (RREQ) and returning a route reply (RREP) along the reverse path
  Reduces the need for constant radio power
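As an added illustration of on-demand route creation (this is not the authors' TrueTime/Simulink routing model), the following Python sketch floods a route request across a constructed mesh, installs the route along which the reply returns, and then re-discovers a route after one relay node is jammed. The node names, the link list and the jammed node are constructed; RREQ-id de-duplication and sequence numbers are simplified to a per-discovery visited set.

```python
"""AODV-style on-demand route discovery over a small constructed mesh.

Added example (not the authors' TrueTime/Simulink model). Node names, links
and the jammed node are constructed; RREQ-id de-duplication and sequence
numbers are simplified to a per-discovery visited set.
"""
from collections import deque

# Constructed topology: access point "AP" plus six field nodes.
LINKS = [("AP", "N1"), ("AP", "N2"), ("N1", "N3"), ("N2", "N3"),
         ("N2", "N4"), ("N3", "N5"), ("N4", "N5"), ("N5", "N6")]


class Mesh:
    def __init__(self, links):
        self.nbrs = {}
        for a, b in links:
            self.nbrs.setdefault(a, set()).add(b)
            self.nbrs.setdefault(b, set()).add(a)
        self.down = set()                            # jammed / offline nodes
        self.routes = {n: {} for n in self.nbrs}     # node -> {dst: (next_hop, hops)}

    def discover(self, src, dst):
        """Flood an RREQ from src; the RREP returns along reverse pointers.

        Installs a forward route at src and every relay; returns the
        hop-by-hop path, or None if dst is unreachable."""
        seen, reverse, q = {src}, {}, deque([src])
        while q:
            node = q.popleft()
            if node == dst:
                break
            for nb in sorted(self.nbrs[node]):      # deterministic flood order
                if nb in self.down or nb in seen:
                    continue                         # a jammed node never rebroadcasts
                seen.add(nb)
                reverse[nb] = node                   # reverse path for the RREP
                q.append(nb)
        if dst not in reverse:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(reverse[path[-1]])
        path.reverse()
        for i, node in enumerate(path[:-1]):         # RREP installs forward routes
            self.routes[node][dst] = (path[i + 1], len(path) - 1 - i)
        return path

    def jam(self, node):
        """A jammed node drops out; RERR propagation removes every route
        whose next hop is down or whose next hop has lost its own route."""
        self.down.add(node)
        changed = True
        while changed:
            changed = False
            for tbl in self.routes.values():
                for dst in list(tbl):
                    nh = tbl[dst][0]
                    if nh in self.down or (nh != dst and dst not in self.routes[nh]):
                        del tbl[dst]
                        changed = True


if __name__ == "__main__":
    m = Mesh(LINKS)
    print("N6->AP:", m.discover("N6", "AP"))
    m.jam("N3")                                      # jamming attack on a relay
    print("N5 route to AP after jamming N3:", m.routes["N5"].get("AP"))
    print("N6->AP re-discovered:", m.discover("N6", "AP"))
```

Running the script shows the route N6, N5, N3, N1, AP being installed, then withdrawn when N3 is jammed, and a second discovery settling on N6, N5, N4, N2, AP; jamming N5 as well leaves N6 with no route. The route churn visible here is exactly what a "routing stability" policy on N5 or N6 would observe.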
16
Application of IDS
Policy-based IDS added to several key nodes on the mesh-routed network
The AP also runs an instance of the IDS
The JVM allows device independence: Intelligent Device Nodes can run the same IDS code
Policies are dynamically allocated, revoked and updated
17
Attack methods
No public data is available on proprietary plant technologies, let alone on attacks against them
Attacks are therefore simulated according to logical choices
  Jamming of one node
  Jamming of several nodes
  Packet alteration / checksum failures
  Temporal disruption
  Routing / link / PHY failures
Testing consists of Simulink trial runs combined with varying IDS policies
18
IDS Structure
IDS comprises four core Java components
  IDS engine (policy adherence verification)
  Policy management
  Event management
  System control
Policy management is dynamic
An instance runs on the JVM and receives event data from embedded C-based monitoring applications
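The following added Python example (not the authors' Java/C implementation) sketches the policy engine of slides 10 and 13 together with the component split on this slide: event management parses monitor datagrams, a policy manager allocates, revokes and updates policies at run time, and the engine verifies adherence with a per-node tolerance before raising an alert. The JSON datagram format, field names, policy names, limits, tolerances and the event trace (a node that misses a health packet, an oversized transmission, altered frames, and a flapping route, i.e. the jamming, packet alteration and routing failures listed on the previous slide) are all constructed.

```python
"""Policy-based IDS core: event management, policy management and the
policy adherence engine. Added example, not the authors' Java/C code; the
JSON datagram format, policy names, limits and the trace are constructed."""
import json
from dataclasses import dataclass
from typing import Callable


def parse_event(datagram: bytes) -> dict:
    """Event management: decode one monitor datagram such as
    b'{"node":"N3","kind":"health","t":900}', rejecting malformed input."""
    ev = json.loads(datagram.decode("utf-8"))
    if not all(k in ev for k in ("node", "kind", "t")):
        raise ValueError("malformed event: node, kind and t are required")
    return ev


@dataclass
class Policy:
    name: str
    kind: str            # event kind this policy inspects
    check: Callable      # (policy, event, per-node state) -> message or None
    limit: float         # threshold for the monitored aspect
    tolerance: int = 0   # consecutive excursions tolerated before alerting


def health_interval(p, ev, st):
    """Health packets must arrive within p.limit seconds of the previous one."""
    gap = ev["t"] - st.get("last", ev["t"])
    st["last"] = ev["t"]
    return f"health gap {gap}s > {p.limit}s" if gap > p.limit else None


def avg_packet_size(p, ev, st):
    """Mean size of the last three transmitted packets must stay below p.limit."""
    st["sizes"] = hist = st.get("sizes", [])[-2:] + [ev["size"]]
    avg = sum(hist) / len(hist)
    return f"avg size {avg:.0f}B > {p.limit}B" if avg > p.limit else None


def checksum_ok(p, ev, st):
    """Every received frame must verify; altered packets fail this check."""
    return None if ev["ok"] else "checksum failure"


def route_stable(p, ev, st):
    """The next hop towards the AP should not keep changing (route flapping)."""
    prev, st["next_hop"] = st.get("next_hop"), ev["next_hop"]
    return f"next hop {prev}->{ev['next_hop']}" if prev and prev != ev["next_hop"] else None


class PolicyManager:
    """Policies are allocated, revoked and updated while the IDS runs."""
    def __init__(self):
        self.policies = {}
    def add(self, p):
        self.policies[p.name] = p
    def revoke(self, name):
        self.policies.pop(name, None)
    def update(self, name, **changes):
        for k, v in changes.items():
            setattr(self.policies[name], k, v)
    def for_kind(self, kind):
        return [p for p in self.policies.values() if p.kind == kind]


class Engine:
    """Policy adherence verification with a per-(policy, node) strike count."""
    def __init__(self, pm):
        self.pm, self.state, self.strikes, self.alerts = pm, {}, {}, []
    def handle(self, datagram):
        ev = parse_event(datagram)
        for p in self.pm.for_kind(ev["kind"]):
            key = (p.name, ev["node"])
            msg = p.check(p, ev, self.state.setdefault(key, {}))
            if msg is None:
                self.strikes[key] = 0                 # excursion ended
                continue
            self.strikes[key] = self.strikes.get(key, 0) + 1
            if self.strikes[key] > p.tolerance:       # tolerance level tripped
                self.alerts.append((ev["node"], p.name, msg))


def default_policies():
    pm = PolicyManager()
    pm.add(Policy("health", "health", health_interval, limit=1000))  # 900 s beacon + slack
    pm.add(Policy("pktsize", "tx", avg_packet_size, limit=64))
    pm.add(Policy("checksum", "rx", checksum_ok, limit=0, tolerance=1))
    pm.add(Policy("routing", "route", route_stable, limit=0, tolerance=1))
    return pm


# Constructed trace: N3 is jammed after t=900 (one missed beacon), N1 emits an
# oversized packet, N4 receives altered frames, N5's route to the AP flaps.
TRACE = [
    {"node": "N3", "kind": "health", "t": 0}, {"node": "N3", "kind": "health", "t": 900},
    {"node": "N3", "kind": "health", "t": 2700},
    {"node": "N1", "kind": "tx", "t": 10, "size": 40}, {"node": "N1", "kind": "tx", "t": 20, "size": 42},
    {"node": "N1", "kind": "tx", "t": 30, "size": 200},
    {"node": "N4", "kind": "rx", "t": 50, "ok": True}, {"node": "N4", "kind": "rx", "t": 51, "ok": False},
    {"node": "N4", "kind": "rx", "t": 52, "ok": False},
    {"node": "N5", "kind": "route", "t": 60, "next_hop": "N3"}, {"node": "N5", "kind": "route", "t": 61, "next_hop": "N4"},
    {"node": "N5", "kind": "route", "t": 62, "next_hop": "N3"},
]


def run(pm=None, trace=TRACE):
    """Feed the trace to the engine as UDP-style datagrams; return the alerts."""
    eng = Engine(pm or default_policies())
    for ev in trace:
        eng.handle(json.dumps(ev).encode("utf-8"))
    return eng.alerts
```

Calling run() yields one alert per attack in the trace: N3's health gap, N1's average packet size, N4's repeated checksum failures and N5's route change. Widening the health limit with pm.update("health", limit=2000) and calling pm.revoke("pktsize") before run(pm) drops the first two, which is the run-time policy allocation and revocation the deck describes. The strike counter resets on the first compliant event, so a single transient excursion within tolerance never alerts; a deployment would also want the engine to bind its UDP socket to the loopback interface only, since anything that can reach that port can feed it events.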
20
Choosing a Plant Model
Tennessee Eastman plant model chosen as the test system
  Represents a well-known chemical process control case
  Uses "real-world" data in simulation
  Provides a MATLAB Simulink simulation
  Can be adapted for a networked simulation
TrueTime used as the network discrete-event simulator
  Integrates easily into the existing Tennessee Eastman plant simulation
  Multiple physical-layer simulation methods
  Can provide real-time data to the IDS
21
Example: Tennessee Eastman Plant
Sensor/actuator systems are grouped and discretized
Discrete components are mapped to Intelligent Device Nodes with networking capabilities
Certain nodes are fitted with copies of the IDS, which monitors routing, received data, sent data, packet size, frequency, health, radio power, etc.
The Access Point is also fitted with a copy of the IDS
22
AODV TrueTime Implementation
Each node implements the TrueTime kernel
Capable of reading data inputs as well as routing
Sends data for consumption between nodes
Data sent to the SCADA master
23
IDS Localization
Figure: local Field IDS on one of the six sensor/actuator Intelligent Device Nodes
24
IDS Setup
Simulink sensor and actuator blocks are discretized
Data routed via the AODV network in TrueTime
IDS linked via MATLAB's Java interface to selected nodes
IDS monitors events according to the prescribed policies
In a real-world deployment
  Specialized monitor apps report to the IDS via UDP
  IDS runs on a local JVM
Figure: Controller with four CMonitor applications reporting over UDP to the IDS and its policies running in a JVM
25
Summary and Future Work
Development of the routing model in progress
IDS complete
IDS instance generation in progress
Attack synthesis in progress