ferling sequence attacks on scada systems - uni-muenster.de

Sequence attacks on SCADA systemsBachelor thesis

presented to theWestfälische Wilhelms-Universität MünsterFaculty of mathematics and computer scienceDepartment of computer sciencebyBenedikt Ferling

AssessorProf. Dr. Anne RemkeDr. Dietmar LammersWestfälische Wilhelms-UniversitätMünster

SupervisorJustyna ChromikUniversity of Twente

Münster, July 2016

Declaration of Academic Integrity

I hereby confirm that this thesis on Sequence attacks on SCADA systems is solely my ownwork and that I have used no sources or aids other than the ones stated. All passages inmy thesis for which other sources, including electronic media, have been used, be it directquotes or content references, have been acknowledged as such and the sources cited.Münster, den 12. Juli 2016 signature of student

I agree to have my thesis checked in order to rule out potential similarities with otherworks and to have my thesis stored in a database for this purpose.Münster, den 12. Juli 2016 signature of student

Acknowledgement

I express my gratitude to all those who gave me the possibility to complete this thesis.Thanks to Prof. Dr. Remke without whom this work and the cooperation with the Universityof Twente didn’t come about. Special thanks to Justyna Chromik for her assistance especiallyin the technical parts and who always had answers for me when I got stuck. FurthermoreI would like to thank Marco Caselli for his time for giving me a deeper look into his work.I also thank Maria Berens who looked closely at the final version of the thesis for Englishstyle and grammar. Thanks to my parents Agnes and Norbert Ferling and my wife KatharinaFerling for supporting me in all other areas while writing the thesis. And last but not leastthanks to Franziska, who always had a smile for me.

Contents

1 Introduction 1

2 SCADA networks and their security 22.1 SCADA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 IEC 60870-5-104 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.3 Intrusion detection systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.4 Sequence attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Discrete Time Markov Chains and sequences 143.1 Discrete Time Markov Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.1.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.2 Minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.3 Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.4 Representation of sequences in a DTMC . . . . . . . . . . . . . . . . . . . . . 204 Sequence attacks 234.1 Detecting sequence violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.2 Sequence attack scenarios and minimization . . . . . . . . . . . . . . . . . . . 275 Experiments and results 335.1 Implementation and representation of the graphs . . . . . . . . . . . . . . . . . 335.2 Implementation of the minimization . . . . . . . . . . . . . . . . . . . . . . . . . 345.3 Experiments on traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Summary and conclusion 44

List of Figures 46

List of Tables 47

Introduction 11 Introduction

Supervisory Control and Data Acquisition (SCADA) systems are deeply ingrained in thefabric of critical infrastructure sectors [1]. These systems are commonly deployed to aid theoperation of these infrastructures by providing automated processes that ensure the correctfunctioning of these infrastructures.Due to their standardization and their connectivity to other networks, they are increasinglya subject to serious damage and disruption [1]. The US grid hack [2] and the Ukrainiangrid hack [3] are two examples that show the consequences of poor security. As a result ofcyber-attacks on networks controlling mentioned grids, many people were left without elec-tricity for hours. In general, these systems are barely protected from the escalating cyberthreats [1]. Even if the security of the SCADA system is addressed, the attacker can usemore sophisticated approaches to perform the attack. Stuxnet has demonstrated that skilledattackers can strike critical infrastructures by leveraging knowledge about the controlledprocess, especially by sending misplaced legal messages [4]. Common intrusion detectionsystems are only able to identify messages with malicious content within the network. Oneway to exploit those systems using the knowledge about the processes are the so-calledsequence attacks. They subvert infrastructure operations by sending misplaced industrialcontrol system messages [4]. Industrial systems show regular and consistent communicationpatterns, thus analyzing the communication using a stochastic approach in order to identifysequence attacks is an appropriate choice to investigate [5][6].M. Caselli et al. showed, that it is possible to detect sequence attacks within SCADAnetworks [4]. However, the analysis of the structure they used may be time consuming,depending on the complexity of the communication within the network. In this thesis werebuild the approach of M. Caselli and show that it is possible to successfully reduce thecomplexity of the structure in order to identify most types of sequence attacks.

2 SCADA networks and their security2 SCADA networks and their security

This section introduces the basics of SCADA. It provides an overview of the hard- and soft-ware components used in SCADA networks. Furthermore the IEC 60870-5-104 protocol- one of the important protocols used in combination with these networks - is introduced.Besides, a brief summary of the protocol, a detailed explanation of the structure is provided.In addition an introduction to intrusion detection systems is given and a description of what“sequence attacks“ are.Chapter 2.1 describes the SCADA system with its components and communication models.In Chapter 2.2 the IEC-104 protocol is described with all the relevant parts needed forthis thesis. Chapter 2.3 introduces the different kinds of intrusion detection systems. InChapter 2.4 the sequence attacks are introduced.

2.1 SCADA

Modern industrial processes and industries have systems and equipment which are often sep-arated by large distances. The management of these systems can be very time-consuming.Collect data from devices, evaluate the data and execute actions depending on the data areregular jobs in the process of managing industrial systems. The devices within the systemare often wide spread, which makes the useage of modern IT indispensable [7].A Supervisory Control and Data Acquisition (SCADA) system is a computer-basedsystem for monitoring and controlling industrial processes [4] [1]. The system refers to acombination of telemetry and data acquisition which it does by interconnecting field net-

works and a control network. The field network hosts devices that are directly connectedto the physical process. The control network hosts the servers that supervise the controlof the physical process. More and more SCADA systems are connected to the businessmanagement which usually refers to the enterprise network [8]. Furthermore it is possibleto transmit data from the field network to the internet. An example of a SCADA system isshown in Fig. 1. This example uses multiple firewalls to connect the networks.The field network hosts devices like sensors, actuators, RTUs and PLCs. Sensors trans-mit the values of the monitored process over serial wires to the PLCs. Actuators are systemcomponents which are responsible for controlling a systems behaviour. They control a phys-ical process, i.e., open or closing a valve, changing the pressure inside a pipe or tank orsetting the temperature of a systems component. RTUs and PLCs which collect the fielddata and send it back to the data acquisition server via the communication system. Theyalso receive commands, usually from the control network, which are then executed on theappropriate actuator, e.g., closing a valve. Today the difference between RTUs and PLCs is

SCADA networks and their security 3infinitesimal, although PLCs are more often used in areas where output arrangements andmultiple inputs are needed. This is due to their nature of having electrical noise immunityand vibration and impact resistance [9]. Besides their main purpose to collect data and sendthis data to a central station, PLCs may also communicate on a peer-to-peer basis with otherPLCs. Furthermore, they may act like a relay station, i.e., they collect data from other PLCsand forward them to the central station. Today the RTUs are mostly replaced by PLCs asPLCs can easily be set up for a variety of different functions [7]. In this thesis both RTUsand PLCs will be referred to as PLCs.

The process control network, also refered to as control network, is responsible for con-trolling the process by evaluating the data of the field network and triggering appropriateactions. The data acquisition server within the control network is responsible for collecting,storing and providing the data of the field devices such as RTUs and PLCs. HMIs are respon-sible to enable human operators to interact with the physical process, e.g, the HMI presentsthe data of the data acquisition server and the human operator can initiate commands thataffect the process.SCADA software is used to interact with the components of the SCADA system, e.g.monitoring data, watching trends, sending commands, etc. On the one hand it can be dividedinto open source and proprietary software for interaction with the operators. On the otherhand it can be divided into the different communication protocols used for the communi-cation between the devices. An example of proprietary protocol is the S7 protocol of theSiemens company. Open source protocols are for example Modbus or IEC 60870-5-104. Inthe early days of industrial systems most companies developed proprietary protocols. Themain problem with proprietary protocols is the reliance on the supplier of the system. Openprotocols have nowadays gained popularity because of their interoperability - hardware ofdifferent manufacturers can be installed on the same system. This thesis focuses on the IEC60870-5-104 protocol [7].The communication channels are responsible for transferring the data between the de-vices. They can be wired, fiber optic, radio, telephone line, microwave and possibly evensatellite. They connect the components of the SCADA system, such that they can communi-cate [7].The SCADA communication model consists of two approaches in which devices can com-municate. The first one is called master-slave. This approach uses the idea that the masterdevice is in total control of the communication system. The device makes regular request fordata to be transferred to/ from each of the slave devices in the network. This request could befor instance a software update request, or a restart command. An example for the download

4 SCADA networks and their securityof data is the sensors data the PLC is connected to. The slave only answers to request inthis configuration. There are some advantages of this approach. First the software is simpleand reliable due to the simplicity of the communication. Second, link failures between themaster and a slave node are detected quickly and third, no collisions can occur on the net-work. However there are also some disadvantages. The slave is unable to communicate tothe master for urgent actions. Even if this function is enabled, the master may be processinganother slave at that moment. Another disadvantage is, that slaves that need to communicatewith each other have to do this through the master. This adds complexity to the design ofthe master station.

The other approach to communicate is called peer-to-peer. In this approach each devicewithin the network can initialize a connection, therefore collisions of requests and responsesare unavoidable and need to be handled appropriately [7]. One method handling thosecollisions and controlling the communication is known as “carrier sense with multiple ac-cess/ collision detection“ (CSMA/CD). This and other methods are handled by the underlyingprotocols.The important communication part, within a peer-to-peer network, is the PLC-to-PLC com-munication. In this situation a request from a PLC is first sent to the master station. Howeverthe destination of the request is not the master station itself, but another PLC. The masterstation needs to forward the message and when it receives the reply it needs to forward itappropriate to the requesting PLC. Additional logic is used to handle this process withoutlosing requests or responses [7]. The main advantage of this system is the low cost of theinstallation. What can be an advantage on the one hand - no central station is in controlof the data - can be an disadvantage on the other hand. In industrial networks the centralorganisation of the data leads to an improvement of the precise statements that often can onlybe made by comparing data of different field devices. Another disadvantage is the software.Peer-to-peer networks needs a more complex software in order to guarantee a collision freecommunication. The disadvantages however overweight the advantages in terms of industrialcontrol systems.SCADA encompasses the collecting of the sensor information via a PLC, transferring itback to the data aquisition server, carrying out any necessary analysis and displaying theinformation on the HMIs. The required control actions are then conveyed back to the process[7]. The accurate and timely data allows for optimization of the systems operation and process.Further benefits are more efficiency, reliability and most importantly, safer operations. Thisall results in a lower cost of operation compared to earlier non-automated systems. Adisadvantages of SCADA systems is, that the system is more complicated. Furthermore it isonly possible to see as far as the PLCs. This is an important part as the PLC might transmitwrong data. Another disadvantage are the additional skills that are needed to manage the

SCADA networks and their security 5system [7]. Nevertheless, the advantages overweight the disadvantages for modern industrialprocesses and industries.

Figure 1: Architecture of a SCADA system [8]Today SCADA systems use special communication protocols like Modbus, MMS, IEC60870-5-104 or S7 for efficient and optimum data transfer. Since we analyze the com-munication between two devices only, the difference of the approaches “master-slave“ and“peer-to-peer“ are small. The difference is that both stations may request data or respondto requests. This thesis focuses on the IEC 60870-5-104 protocol.

2.2 IEC 60870-5-104 Protocol

The standard IEC 60870-5 refers to a collection of standards produced by the InternationalElectronical Commission (IEC), to provide an open standard for the transmission of SCADAtelemetry control and information [7]. It provides a detailed functional description for tele-control equipment and systems for controlling geographically widespread processes. Thestandard is intended but not limited to applications in the electrical industries, since its dataobjects are applicable to general SCADA applications in any industry [7].The standard was initially completed in 1995 with its profile IEC 60870-5-101(IEC-101)and is titled “Companion standard for basic telecontrol tasks“. At this point it covered onlytransmission over relatively low bandwidth bit-serial communication circuits. With the in-creasingly widespread use of network communications technology, the standard needed to

6 SCADA networks and their securitybe extended. With the protocol IEC 60870-5-104(IEC-104) - titled “Network Access usingStandard Transport Profiles“- the standard now provides the possibility to communicate overnetworks using TCP/IP. To be precise the changes compared to IEC-101 lay in the transport,network, link and physical layer services to suit the complete network access. The protocoluses TCP/IP to establish connections. This enables the communication over networks, e.g.,local area networks or wide area networks. Thereby, known technology like routers or virtualprivate networks can be used to connect different facilities.

Figure 2: Telegram format with variable length (I-format) [10]The overall message structure of IEC-104 is rather complex. This section introduces -apart from some basic information - those parts of the protocol that are relevant for this thesis.The overall structure of an IEC-104 packet, that we consider in this thesis, is shown in Fig. 2.It consists of the application protocol control information (APCI) and the application service

data units (ASDU) which both together are called the application protocol data unit (APDU).There are three types of control field formats. The I-format, the S-format and the U-format.Since this thesis focuses on the ASDU, only packets with the I-format are considered, whichare the only packets containing an ASDU. The ASDU is the part of the packet where allthe relevant information for this thesis is found. Furthermore, only fields considered in thisthesis are explained. Since third party libraries are used in this thesis for the parsing of thepackets, the exact bytes are not covered here. For further information about the protocol andthe exact structure we refer the reader to [7] or [10].

SCADA networks and their security 7The application protocol control information (APCI) is the application header. It con-tains general information about the structure found in the packet. Since this thesis focuseson the ASDU within the APDU, the important bytes are the first two bytes of the firstcontrol field octet inside the APCI. This is where the type (I, S or U) is defined. If thefirst byte is 0, the control field format is from the type I and the packet has an ASDU. Thisis then used for further analysis. All other fields inside the APCI are not covered in this thesis.

Figure 3: Structure of the ASDU [10]The application service data unit (ASDU) structure is slightly more complicated. It isshown in Fig. 3. The important fields for this thesis are: “Type identification“, “Number ofobjects“, “ASDU address fields“ and the “Information object address fields“. These fields areimportant, because they identify a special operation within the network. This will be ad-dressed later in the thesis in Sec. 3.4. In addition the network address of the communicatingdevices would be needed, but this thesis concentrates on the analysis of the communicationbetween two devices only. Therefore the communicating devices are always known. The Type

8 SCADA networks and their securityidentification (TypeId) refers to a list of known values in the range from 1 to 127, althoughnot all numbers are in use. Each number is mapped to a function that the device shouldexecute, e.g., 103 → clock synchronization command or 102 → read command. Number ofobjects defines the number of information objects found in the ASDU. This can be more thanone. The TypeId is assigned to all these information objects inside this packet. The ASDUaddress field (ASDU-Address) contains the address which all objects of the ASDU refer to.The Information object address (IOA) refers to an specific information object. A packet mayhave up to 127 information objects, with the depending object information. An informationobject can be an actuator or a sensor attached to the device. The device in this case is, forexample, a PLC. Attached to the PLC are various sensors and actuators over serial lines.Each sensor or actuator is connected to a port, which is then refered to by an IOA. It isto note that each vendor has its own specification for their devices, although the generalstructure found in [7] and [10] applies.

As shown in Fig. 1, PLCs are part of the field network and sometimes also of the controlnetwork. This depends on the architecture of each particular network. Sometimes the fieldnetwork and the control network are ingrained into the same physical network. The systemof Fig. 1 is connected to the internet. Although the networks are protected by firewalls, anattacker might still be able to infiltrate the system. Various ways of bypassing firewalls andother system protections exist. As soon as an attacker has access to the industrial network,the field and control devices are no longer safe.The IEC-104 protocol is based on TCP/IP - a reliable network protocol. Furthermore thecommunication between the master station and a PLC can be encrypted. Thus the systemis able to exchange messages in a reliable and secure way. But these two facts do notlead to a secure system. The IEC-104 protocol is only responsible for the exchange ofinformation between devices within an industrial network. It has no built in security, whichguarantees the communication with a special host or device. Furthermore no mechanism forintrusion detection, intergrity or confidentiality is implemented. Most of the SCADA-systemstoday are not encrypted and the TCP/IP-protocol also does not control what is sent withina communication. This leads to the problem that an attacker can compromise the field or thecontrol network. This thesis focuses on sequence attacks, an attack scenario which is notdetected by most of the IDS-systems today because they focus on packets with maliciouscontent [4]. Before the sequence attacks are discussed an introduction into the terminologyIDS is given.2.3 Intrusion detection systems

When it comes to security there are several approaches to protect a system. They all targeton a specific type of security, e.g., removing malicious software, blocking content that is not

SCADA networks and their security 9allowed to enter or exit a system or detecting suspicious activities. All these systems tryto be as precise as possible. However not all systems are equally precise and some alertactivities are malicious although these activities are absolute legit to the system. Thesealerts can be classified using a confusion matrix.

A confusion matrix is a specific table layout that allows one to see if an algorithm,used for the classification of something, works as expected. Within the matrix each columnrepresents the instances of a predicted class and each row represents the instances of theactual class. In this work we classify malicious activities and valid activities. However interms of security an activity might also be a network packet or a file. An algorithm thatworks 100% correctly will classify every valid activity or file as valid and every maliciousactivity or file as malicious. However this does not apply to many algorithms and leads usto four classifications in our thesis:A true positive occurs when something that is recognized as malicious and is in realitymalicious. This can be a virus for example. A true negative occurs when something thatis recognized as harmless and is in reality harmless. This can be a normal picture or asimple text document. A false positive occurs when something that is recognized as mali-cious although it is not. This can be a Microsoft Word document with macros, whereby themacro is just used for the forms inside the document but is recognized as harmful to thesystem. A false negative occurs when something that is recognized as harmless is in realityharmful and malicious. An example is a program that hides inside a file. The file is scannedand recognized as harmless. But by opening the file the malicious program inside the fileexecutes and compromises the system. This is the worst of all scenarios since no alarm istriggered although the system is compromised.This thesis focuses on intrusion detection systems. The other approaches were just ex-amples of other ways to secure a system. An intrusion detection system (IDS) is a securitysystem that monitors computer systems or network traffic and analyzes the behavior of trafficfor possible hostile attacks [11]. Computer systems and networks can be secured in multipleways e.g., firewalls, anti-virus-software or physical access limitation etc. All these systemshave a specific aim - none of them can handle them all. An IDS aims to detect hostile attackson a system or network. IDSs can be divided into two dimensions. The first dimension isthe target the IDS is monitoring. It consists of two types, host and network based IDSs. Thesecond dimension can be distinguished between the method they identify attacks - staticversus heuristic versus anomaly detection method [11] [12].The first dimension is separated into host based and network based IDSs. The questionthis dimension answers is, what the IDS should monitor. If it is a special host and theactivities inside the host, then the host based approach is to select. If the network is the

10 SCADA networks and their securitytarget to monitor, then the network based approach is to select. Below the two types areexplained.

A host based IDS must be installed on every monitored computer. The advantages ofsuch a system are that they can make very specific statements of an attack on the systemand the system is comprehensively monitored. What is an advantage on the one hand is adisadvantage on the other hand - the IDS is specialized for that operating system and canbarely be used on other operating systems. Another disadvantage is that the system can bevictim itself by a denial of service attack - i.e., a technique where a system is paralyzed dueto overloading [12].Network based IDSs record the network traffic, analyze it and report malicious activities.Since the network traffic can be tapped at a central point of the network only one system isneeded to monitor the whole traffic for a network segment - this applies to switched networksonly. However the bandwidth of networks may be greater than the bandwidth a system cananalyze on the fly. To be able to continuously monitor the network, some packets need tobe dropped if the throughput is greater than the system can analyze in the same time. Thisresults in a loss of precision of statements. Another disadvantage is that the failure of thenetwork IDS leads to a complete unmonitored network. There are several places where toimplement the network based IDS. Fig. 4 shows three different options [11].1. The IDS is connected to “SWITCH A“ (red line). In this scenario the IDS recognizes allhostile activity leaving or entering the network. However it will not recognize hostileactivity within the network itself. An attacker inside the network can still harm thesystem.2. The IDS is connected to “SWITCH B“ (purple line). This is nearly the same scenarioas in option one. The difference is, that the IDS will not “see“ hostile activity that isblocked by the router. It might be of interest to see what is happening outside andwho is trying to get into the network.3. The IDS is placed at “SWITCH C“ (blue line). The IDS now recognizes hostile activitywithin the network as well as malicious activity that comes through the firewall. It stilldoes not recognize hostile activity from outside that is blocked by the firewall or therouter [11] [12].The second dimension follows up with the question how an intrusion is detected. Thereare three main approaches how a malicious activity can be detected - static analysis, heuris-

tic analysis and anomaly based detection.

SCADA networks and their security 11

Figure 4: Integration of an network based IDS [13]Static analysis is based on signatures. A signature is a unique sequence of bytes usedto identify a specific type of data, e.g., a file, a virus or a network packet. The IDS has adatabase of different signatures which are known to be malicious. They are often classifiedby the potential of their danger [11].IDSs with the static analysis passes four main stages. In the first stage the system mustbe trained with the signatures it should identify. In the second stage the IDS perceives thetraffic. This is an essential part of the IDS because if the system is placed on the wrong partof the system it may not be able to recognize anything. The third stage is the analysis ofthe traffic. Within this stage the database with the signatures, which was set up in the firststage, is essential, since the IDS identifies the malicious activities based on the databasesknowledge. Stage four is the action that is triggered if a malicious activity is recognized.This can be an email, a pop up on the operators screen, a text message, etc. The operatormay manually initiate an action if necessary [11].Heuristic methods take place everywhere, where unknown attacks or attacks with avariation shall be detected. Based on little information they can produce relatively goodstatements that are close to reality. However due to their nature they also produce morefalse positive alerts - i.e., an alert that is in reality no alert [11].The process of this method is similar to the static analysis. In stage one the needed in-formation is stored in a database. There may be a lack of information so that the systemcan not fully guarantee the identification of a hostile attack. This may be intended if thealgorithm works significantly faster. Otherwise it may be caused if the defenders have notcollected enough information so far. Stage two applies equally. In stage three the analysisof the traffic is different. It will no longer create a signature of the packet comparing it with

12 SCADA networks and their securitysignatures in the database but rather tries to get an answer from a complex algorithm. Thereare several approaches how to search for unknown attacks or those with a little variation.Since this thesis does not focus on heuristic methods, these approaches are not discussedhere. Stage four is the same as in the static analysis [14].

Anomaly based detection is a method of identifying a hostile attack by considering everyactivity as hostile if it is not known to be normal to the system. This presupposes that theIDS is trained with activities that are allowed in the system. The system is therefore dividedinto four stages as well. In the first stage the system is trained to recognize normal activities.Stage two is the same as in the static analysis. In the third stage the recognized activitiesare tested against the known activities. If the tested activity is not known to the system, itis potentially hostile. Stage four then applies and a message is sent to the operator [14] [11].This work will focus on the network based IDSs. Furthermore we use the anomaly baseddetection approach. The reason is that the build system can be interpreted as a databaseof known and good activities. All activities that are unknown to the system are potentiallymalicious. Therefore one is able to detect nearly every attack that may harm the systemno matter if known or unknown. However the system still underlies a dependency. Thedependency of the training data itself. The training data is the data set that is used to tellthe IDS which activities are good and legit. This data set should include all activities thatdo not harm the system and that will occur. Activities that do not harm the system and thatdo not occur in normal traffic will inflate the training system. This results in a long analysis,thus the traffic is not analyzed in real time anymore.

2.4 Sequence attacks

Sequence attacks are a class of attack, which are specific to industrial control systems. Theycan harm a system by sending misplaced messages or commands although each of the sentmessages or commands is valid to the system [4].Long time industrial systems have been considered safe because of the nature of theirexistence. They were often proprietary and separated from other networks. With the devel-opment of open protocols and the need to be able to remotely control multiple networks, e.g.,connecting multiple systems over the internet, the attack vector increased. Moreover, mostof the systems are not encrypted, because they are considered safe, e.g., behind a firewall.Thus an attacker can easily gain control over the system once he is inside the network. Theattacker can then attempt to take control of the industrial processes by leveraging the lackof integrity and authentication mechanisms. To take control of the process, an attacker can

SCADA networks and their security 13either try to reprogram the logic of a PLC or directly control the process from the networkusing the same control messages used by legitimate operators. When having control overthe process, an attacker may send commands in such order or timing that is not intendedby the process. The sequence of these commands, that may harm the physical process, isinterpreted as an attack - the sequence attack [4].

Anomaly based IDSs may recognize those attacks. But this depends on the approach,i.e., how they detect anomalies. There are several approaches for anomaly based IDSs, sincethere are several ways on how to harm a system with legit commands.One way to harm a system is to use commands that are valid within the whole system.However, not every legit command is valid for every device in the system. If an IDS isjust looking for valid commands within the system, it may not recognize commands that areinvalid for a specific device. The device may not handle the command appropriately and maycrash. An IDS, that looks for system wide valid commands only, will not recognize this kindof attack. Furthermore, an IDS, that only looks for commands that are valid within the wholesystem, will not recognize sequences that lead to a compromised system. They only detectsingle commands that are not normal for the system.Another way to harm a system is to use valid commands in such an order, that a devicemisbehaves. Experiments showed that it is possible to successfully attack some PLCs merelyby sending messages in an inconsistent order. For example sending a “start program“ whilethe program is running causes an error that is not properly handled by the controller. Thisleads to a crash of the PLC. This kind of attack may impede the process of communicatingwith the device. Furthermore the physical process may be compromised as well, e.g., if anactuator for opening and closing a pipe is not reachable anymore [4].A third way is to interfere directly with the underlying physical process. In a report by theU.S. President’s Commission on Critical Infrastructure Protection there is an attack scenariodescribed, that involves a water distribution facility. The scenario describes that major controlvalves on a water pipeline can be rapidly opened and closed to cause water hammer. Waterhammer can cause up to serious damage to a physical system, e.g., noise and vibration or apipe collapse [15].Stuxnet is one of the best known malware that used sequence attacks to disturb physicalprocesses and damage plants. Stuxnet focuses on SCADA systems of the Siemens company.It interfered with the control of the frequency converter, that are inter alia used to controlthe speed of engines. By constantly changing the speed, slowing down and accelerating, thecentrifuges were damaged. Since these commands were valid and no known anomaly wasdetected, Stuxnet was able to leave behind a lot of damage.In order to be able detect attacks to initiate countermeasures and protect our infrastructure,an IDS is required.

14 Discrete Time Markov Chains and sequences3 Discrete Time Markov Chains and sequences

In this section the DTMC is introduced. Besides the formal definition and attributes usedin this thesis, the minimization is discussed. Two approaches of minimizing the DTMC us-ing bisimulation minimization are provided. This is followed by the definition of sequences.The definition involves the mapping of the IEC-104 protocol to a sequence. In additionthe representation of such a sequence within a DTMC is explained. An algorithm for build-ing a DTMC of a given IEC-104 communication is provided which is used throuout the thesis.Chapter Chapter 3.1 introduces the Discrete Time Markov Chain and the used termi-nology in this thesis. In Chapter 3.2 the minimization of Discrete Time Markov Chains isexplained. Chapter 3.3 defines a sequence in context of the communication within SCADAnetworks and the IEC-104 protocol. Chapter 3.4 describes the process a sequence is repre-sented by a Discrete Time Markov Chain. Furthermore an algorithm is provided.

3.1 Discrete Time Markov Chain

A Discrete Time Markov Chain (DTMC) is a stochastic process. What distinguishes aDTMC from other stochastic processes is a specific kind of “memorylessness“ which is knownas the “Markov property“. This property defines that within a stochastic process a futurestate depends maximally on its first predecessor [16].DTMCs have many applications as statistical models of real world processes. They aresuitable for modeling random state changes of a system, in which changes have few or noinfluence on the future of the system. A simple example is the coin toss. The previous tossdoes not give you a higher probability in predicting the outcome of the next toss. If the coinshows tails in the current toss the outcome of the next toss is either tail or head, both witha probability of 50%. This applies vice versa as well [16].A more complex example, where the current state has influence on the process, is a personthat stands in one corner of a room [17]. The corners of the room are labeled s1, s2, s3 ands4 and the person stands in the corner s1 as initially shown in Fig. 5. The person throwsa coin to decide whether he moves clock-wise or counterclock-wise through the room. Theperson repeats this any number of times. One question may be: Where does the personafter n steps stand? A possible stochastic process is (Xn, Xn+1, Xn+2, ...), whereby X is astochastic variable and n ε N an index from a discrete state space. Possible values Xn are{s1, s2, s3, s4}. Let

P(X0 = s1) = 1

Discrete Time Markov Chains and sequences 15be the starting condition, i.e., the person starts in corner s1: Then the probability of beingin state s2 is

P(X1 = s2) = 1/2,and for being in state s4

P(X1 = s4) = 1/2.To calculate the distribution for Xn with n ≥ 2 we need conditional probabilities. Forexample the probability of being in state s3 in the next step, given that one is currently ins4:

P(Xn+1 = s3 | Xn = s4) = 1/2.Based on the decision rules moving around in the room the probability of Xn+1 with nε{1, 2, 3, 4}depends only on Xn [17].

Figure 5: Initial situation of the person in a room [17]

3.1.1 Definition

Let S be a discrete set of states and P be a function that assigns a probability to everytransition between two states such that the sum of all outgoing transitions of each specificstate is 1. A DTMC is described by Eq. (1) [18] [16] [16]DTMC = (S,P, sinit , AP, L), (1)

whereby• S is a set of states• P is the probability function described by (2) and (3)

16 Discrete Time Markov Chains and sequences• sinit is the initial state• AP is a set of atomic propositions• L is a labeling function - described by (4) - that assigns a (possible empty) set ofatomic propositions L(s) to a state s ε S

The probability function is defined by:P : S × S → [0, 1], (2)

such that the sum of the probability for all outgoing transitions of s equals 1.∑s′εS

P(s, s′) = 1 ∀ s ε S (3)The labeling function assigns a set of atomic propositions, from the atomic proposition setAP, to each state. It is defined by:

L : S → 2AP (4)

Figure 6: DTMC representing the person in a corner example [17]Fig. 6 represents the resulting DTMC of the person in a corner example. From each cornerthe probability is 0.5 moving clock- or counterclock-wise.

A path σ in a DTMC is an infinite sequenceσ = s0 → s1 → s2 → · · · → si → · · · (5)

with si ε S . It is a concrete walk along transitions of the DTMC with a probability greater0 - a possible realization of the stochastic process [19]. Sometimes it is also called anexecution of the DTMC [20]. For example (s1, s2, s3, s2, s3) is a valid path whereas (s1, s3)

Discrete Time Markov Chains and sequences 17is not a valid path since there does not exist a transition between s1 and s3.

Properties are characteristics that a DTMC or state have. Each concrete DTMC or statemay have different properties [20] [21]. The properties that are important for this thesis are:Reachability: The reachability of a state is described as:Let S be a set of states, P be the probability function and (S,P) is the DTMC. Let s ε S and

S ′ ⊆ S be a set of states (s1, s2, ...), thenPDTMC (s, S ′), (6)

is the probability of reaching a state of S’ from the state s. For the reachability of S’ it isrequired, that the probability is greater 0. However the exact value of the probability playsno role in this thesis, thus the calculation of these probabilities is not discussed here. Theimportant part is that a state can be reached from another one, e.g., there exists a path froms to a state of S’. A counterexample is shown in Fig. 7. In this example and all following weuse the following formalism: s_i =̂ si ∀ i N. Let S’ be {s1}. ThenPDTMC (s3, S ′) = 0,

because there does not exist a path from s3 to a state of S’.

s_1 s_2 1.0 s_3 1.0 0.5 s_4

0.5 0.5

0.5

Figure 7: DTMC with non-reachable statesIrreducibility: This property plays a role for the size of a DTMC. It answers the questionwhether all states of a DTMC are reachable [21].A DTMC is irreducible if from each state, one can reach any other state in a finite numberof steps. Otherwise it is called reducible. In Fig. 7 state s1 cannot be reached from state s2,thus the DTMC is reducible. In Fig. 6 the DTMC is irreducible because every state can bereached from anywhere in the DTMC.

3.2 Minimization

Ensuring the correctness of the identification of sequence attacks is important. If the IDSdoes not work correctly, it may see attacks that are not there, thus binding too many re-

18 Discrete Time Markov Chains and sequencessources trying to find the non-existent source of the false alarm. An even wors scenario is ifit does not even recognize the attacks. In addition the software needs to work without delaysin real time to detect current attacks. To test traffic in real time against the training DTMC,it needs to be at a reasonable size. Thus the size of the training DTMC plays an impor-tant role identifying sequence attacks. The DTMCs, built using the approach in this thesis,represent the communication between one PLC and its master station. In power stations orhydroelectric power station the installation of the SCADA network typically involves morethan one PLC. An IDS needs to keep track of the communication of all components in thenetwork segment as discussed in Sec. 2.3. Thus the size of the DTMC plays an even biggerrole in terms of the complexity of the IDS [4] [22].

Using a small amount of training data will held the resulting DTMC small. This impliesthat the identification may not be precise, as states may be missing or relations between thestates may be inaccurate. A well trained DTMC is needed for precise statements. This leadsto the question how the DTMC can be held at a manageable size without losing the specificproperties used to identify sequence attacks. One existing approach is the bisimulationminimization [22] [16]. Let DTMC = (S,P, sinit , AP, L) be a DTMC as described in Sec. 3.1.A relation R ⊆ SxS is a strong bisimulation if for any (s1, s2) ε R :L(s1) = L(s2) (7)

both states hold the same atomic propositionsP(s1, C ) = P(s2, C ), (8)

for all equivalence classes C of S under R.In our representation of a sequence in a DTMC, states with the same atomic propositionsare merged together - which will be covered later in Sec. 3.4. Since we merge the eventsinto one state from scratch, the resulting state holds the same atomic propositions for allevents. Hence there is just one equivalence class for each state (multiple events), thus thereaching probabilities are equal. Although the algorithm implements the required propertiesfrom (7) and (8) the number of states within the resulting DTMC obtains more than 50 states.The number of states for longer time capture will only increase. Moreover, the presentedDTMC is only created for one pair of devices. Since one DTMC is needed for each pair ofdevices communicating, a further minimization is needed. A first approach is to delete allnon reachable states. Since we are interested in reachable states within the DTMC the nonreachable states can be removed. Looking at how we build the DTMC this can be done witha small algorithm:

Discrete Time Markov Chains and sequences 19The input of Alg. 1 is a DTMC and the output is the corresponding irreducible DTMCthat we can use in this thesis. Lines 1 till 9 define a loop that repeats itself until no stateis removed from the DTMC anymore. In line 2 the variable “statesRemoved“ is defined andset to the value “False“. Line 3 till 8 define a loop that iterates over all states in the DTMC.Line 4 and 7 define a conditional statement. It the state is not accessible, then line 5 and 6are executed. In these lines the state is removed from the DTMC and the variable “states-Removed“ is set to the value “True“. After the loop of line 3 and 8 has passed through allstates of the DTMC, the condition of the outer loop is tested. If the value of the variable“statesRemoved“ is “False“, there is no further state to remove in the DTMC and the algorithmreturns the DTMC. Otherwise the algorithm jumps to line 2 and repeats the steps from there.This approach makes an irreducible DTMC of the original DTMC, i.e., a DTMC where everystate can be reached from every other state. The effect of this approach is very small, sincethere are only a few states at the beginning that can be deleted.Data: DTMCResult: irreducible DTMC

1 repeat2 statesRemoved ← False;3 foreach state ε DTMC do4 if state not accessible then5 remove(state);6 statesRemoved ← True;7 end8 end9 until statesRemoved == False;

Algorithm 1: Creating a irreducible DTMCA further possible approach is to merge properties that are not needed for the identifica-tion of a specific type of sequence attack, but this might influence the identification of othersequence attacks. The introduction of possible approaches for minimizing the DTMC willbe part of Sec. 4. Beforehand the sequences themselves, the representation within a DTMCand the detection of sequence violations need to be discussed.

3.3 Sequences

In order to detect sequence attacks one needs to be able to extract a sequence of messagesfrom the network traffic and identify information that is needed to construct an IDS. Theeasiest way to define an event in the context of network communications is to consider allthe traffic frames one by one. However, all traffic frames are not equally important and not

20 Discrete Time Markov Chains and sequencesall frames need to be included in a sequence. Therefore, it is necessary to group trafficframes. This thesis considers the communication between two devices only and therefore thefollowing definition of an event applies [4]:Let tn be the time, n ε N such that tn < tn+1. An event stn is a six tupel <Direction, Service,Data, FO, LO, Count> whereby:

• Direction contains the information :“request“ or “response“• Address contains the “ASDU-address“ and the “IOAs“• Service is the “Type-Id“• FO is the first occurrence of the event• LO is the last occurrence of the event• Count represents how often the state is visited

Each event is identified by “Direction“, “Address“ and “Service“. “FO“, “LO“ and “Count“ areused to calculate the probabilities of the outgoing transitions and the median time for a jumpto another state.A sequence (l), is a time ordered list of events stn in a system.

3.4 Representation of sequences in a DTMC

In Sec. 3.3 the communication was transformed into a time-ordered list. In order to identifysequence attacks this list needs to be modeled. A DTMC as described in Sec. 3.1 is used tomodel the communication patterns and protocol behavior. This is done for two reasons [4]:1. A flexible definition of event is needed that does not necessarily consider all theattributes used to build the sequence. We show in Sec. 4 that it might be useful tomerge parts of the event’s six tupel that are used for identification.2. It is necessary to identify temporal consequent events. But only the predecessor isnecessary, which is exactly what the “Markov property“ demands. The transitions areused to

(a) indicate the strength of the relationship between an event and its predecessor.(b) understand the relationship changes over time.The algorithm for creating a DTMC from a sequence is presented in Alg. 2. This algo-rithm is used whether we use the minimization or not, since the minimization consists of the

Discrete Time Markov Chains and sequences 21attribute abstraction. This abstraction is handled by the algorithm in step two, which will benow explained. The algorithm in total consists of 5 steps. The input data is the sequenceof events. The sequence is time ordered, oldest event first and newest last. The outcome orreturn value of the algorithm is the DTMC which represents the sequence [4].The first step is a loop over all events in the sequence. It is defined in line 1 and closedin line 14. The loop processes the events in the order of time, the oldest event first and thenewest last.Step two is the extraction of the attributes from an event. The extracted attributes are storedin the variable “StateDTMC “. These attributes are those needed for identification of thecorresponding state of the event: Request, Response, ASDU-Address, IOSs, TypeId and the“control field format“. This happens in line 2.Step three handles the new created state. The lines 3, 5 and 7 define a conditional statementthat handle the created state and execute the appropriate action. If the new created state iselement of the DTMC, line four is executed. In this line the state in the DTMC that equalsthe new created state from line 2 is updated. The update involves a counter that counts howoften this event occurred in the sequence. If the State does not equal any existing state inthe DTMC, the new created state is added to the DTMC. This happens in line 6.Step four handles the transitions. It is a conditional statement which is defined in lines 8, 10and 12. Line 8 tests whether the transition from “previousState“ to “StateDTMC “ is elementof the DTMC. If so line 9 is executed. In this line the appropriate transition is updated. Theupdate involves the time of the jump and a counter that counts how often this special jumphappens in the sequence. If the transition is not already part of the DTMC, then line 11is executed. In this line a transition from “previousState“ to “StateDTMC “ is added to theDTMC.In Step five, which consists only of line 13, the variable “previousState“ is updated. The newvalue of the variable is the created state of line 2.

22 Discrete Time Markov Chains and sequencesData: Sequence of EventsResult: DTMC representing the sequence of events

1 for all etn ε sequence do2 StateDTMC ← extractAttributes(etn );3 if StateDTMC ε DTMC then4 update(StateDTMC , DTMC);5 else6 add(StateDTMC , DTMC);7 end8 if T ransitionpreviousState,StateDTMC ε DTMC then9 update(T ransitionpreviousState,StateDTMC );

10 else11 add(T ransitionpreviousState,StateDTMC , DTMC);12 end13 previousState ← StateDTMC14 end

Algorithm 2: DTMC modeling of sequences found in [4]

Sequence attacks 234 Sequence attacks

Traditional IDSs focus on malicious packets rather than finding sequences of legal commandsthat can harm the system. This thesis focuses on legal commands that are either sent in thewrong order or with incorrect timing. This chapter shows what kind of sequence attacks existand how to detect them using a DTMC. Furthermore possible limitations are discussed. Inaddition the sequence attacks in combination with possible minimizations are discussed.Chapter 4.1 describes the different kinds of sequence attacks and how they can be de-tected using DTMCs. In Chapter 4.2 the possible minimizations and their limitations arediscussed.

4.1 Detecting sequence violations

Before the system can detect malicious activities a system description is needed. This de-scription needs to be clean and violation free. Of course this can be done by hand, but thiswould include possible mistakes that occur while entering the data. Furthermore it takes alot resources and is all in all not practicable. Another yet naive approach is to consider allvalid commands as violation free. This section shows that this approach is insecure becausethere exist ways how a system can be damaged by using only valid commands. Furthermorethe resulting DTMC would be far too big because of the state explosion problem. This applieshere because one needs all possible transitions between all states which is exponential. Athird approach is giving the IDS a description of the system in form of a network trace. Thistrace needs to be clean and free of violations. The training itself was discussed in Sec. 2. Thedisadvantage of this approach is that there might be information missing if the trace with atoo short period of time was used. If the period is too large the resulting system might be toobig so that the analysis in real time may fail. However this seems to be the only approachthat has a good trade-off between used resources and possible mistakes. Furthermore theDTMC can be held at an appropriate size while still being able to detect sequence attacks.The resulting DTMC is called the “training DTMC“.A sequence is a succession of events in a system. The succession can be described bya DTMC whereby the transitions are jumps to other states. For example consider a systemconsisting of two pipes A and B which should never be open at the same time. Furthermoreis it not usual to rapidly open and close the same pipe again and again. Legal commandsfor the pipes are ’open’ and ’close’. Let the initial state of the system be s1 with both pipesclosed. In terminology of a DTMC one have 3 states: S = {s1, s2, s3} whereby• s1 is the initial state with both pipes closed

24 Sequence attacks• in s2 pipe A is open and pipe B is closed• in s3 pipe A is closed and pipe B is openP is defined such that every pipe is opened with probability 0.5 and closed with aprobability of 1:• P(s1, s2) = P(s1, s3) = 0.5• P(s2, s1) = P(s3, s1) = 1Fig. 8 describes the system. The black state with the label ’ENTRY’ is the entry pointto the system. The blue states describe the safe states of the system.

s_1Pipe A: closedPipe B: closed

s_2Pipe A: open

Pipe B: closed 0.5

s_3Pipe A: closedPipe B: open

0.5

1.0

1.0

Figure 8: DTMC representing the simple pipe exampleTo open a closed pipe one has to make sure to be in state s1 first, e.g closing pipe B beforeopening pipe A. There are three possible violations that can occur to the system, which arediscussed using a simple pipe example.

1. State exists and transition does not existA transition-violation occurs when a command or request is sent to the controller ata point the controller wasn’t expecting this command. This violates the sequence ofcommands which the controller expects and may crash it [4]. Consider the system is instate s2 of the simple pipe example. Pipe A might get the command to open althoughit is already open. The controller may try to open again, resulting in a force that isunexpected to the physical system. Fig. 9 shows the violation in red.2. State and transition do not existA state-violation occurs when either a command or request is sent to the controller ata point the controller wasn’t expecting it or the physical process wasn’t prepared forit. In terminology of the simple pipe example the controller for pipe A may receive the

Sequence attacks 25


s_2Pipe A: open

Pipe B: closed 0.5


0.5

0.5

0.5

1.0

Figure 9: DTMC with a violation compared to Fig. 8 by using a non-existing transitioncommand to open although pipe B is still open. The controller Controller A reacts tothe command by opening the pipe. The system is now in a state where both pipes areopen. This may result in physical damage of the system e.g., too much pressure in oneof the pipes. Fig. 10 shows the violation in red.


s_2Pipe A: open

Pipe B: closed 0.5


0.5

1.0

0.5 s_4Pipe A: openPipe B: open

0.5

Figure 10: DTMC with a violation compared to Fig. 8 by accessing a non-existent state3. State and transition exists but a transition is used too frequentlyA timing-violation occurs when a single transition is used unusually frequently. Thecommands are correctly executed at a point the system expects them but the physi-cal process may be harmed. This happens if the physical laws apply that were notforeseen. For example the system is rapidly getting commands to open and close thesame valve. This may cause “water hammer“, resulting in a number of simultaneouswater main breaks. Fig. 11 shows the violated transition-probability in red. It hasa significant higher probability - P(s1, s2) = 0.975 - than the same transition in theoriginal DTMC. Since the probability of all outgoing transitions of one state equalsone, P(s1, s3) equals 0.025.There is a limitation in this scenario. If the training data was collected from severaldays and pipe B is far less used than pipe A, then it is normal for the transition of

26 Sequence attacks(s1, s2) to have a higher probability. A sequence attack cannot be identified in themoment of the command, since the transition exists in the system. If the transition isused frequently over a short period of time, the transition probability might still layin an interval around the probability that is defined as “not harmful“. Therefore a me-dian time is needed to get statements on how frequently over time a transition can beused. The median time can be calculated using the first occurrence of an event and itslast occurrence. This means that a single event cannot be tested against the trainingDTMC. A parallel DTMC need to be built and tested against the training DTMC.


s_2Pipe A: open

Pipe B: closed 0.975


0.025 1.0

Figure 11: DTMC with a violation compared to Fig. 8 by using a transition too frequentlyApart from the limitation in scenario three which can be handled by looking at the fre-quency of the transition, there is a general limitation in using DTMCs for detecting sequenceattacks. Given a PLC that has two groups of components. Each group behaves differentlyand consists of different components, but the groups depend on each other. This dependencycannot be mapped within a DTMC. There are always details lost and an attack might notbe identified. Consider therefore the following example:Given a PLC with three pipes – A, B and C. Pipe A always has to be closed when B or Care open. B and C can both be open or closed the same time. “o_X “ be “open pipe X“ and“c_X “ be “close pipe X“ with X ε {A, B, C} and let all pipes be closed at the beginning. Avalid path is:

o_A → c_A → o_B → c_B → o_A → c_A, (9)since pipe B and C are closed. Other valid paths are:

o_A → c_A → o_C → c_C → o_A → c_A, (10)o_A → c_A → o_B → o_C → c_B → c_C → o_A → c_A, (11)

o_A → c_A → o_A → c_A. (12)

Sequence attacks 27Let these paths in the order (9), (10), (11) and (12) be the training data. Fig. 12 showsthe corresponding DTMC, without probabilities for a clearer graph. The blue and the redtransitions are those which might be critical. In this scenario however the blue transition issafe, since it can only be taken when all pipes are closed. The red transitions are those totake care of.

o_A

c_A c_B

c_C

o_C

o_B

Figure 12: DTMC representing a general limitationConsider the following path: o_A → c_A → o_B → o_C → c_C → o_A. It isvalid, looking at the transitions, but now pipe B and A are open which is a violation to thedefinition. The reason for this violation is the “Markov property“. In this scenario a sequencedepends on more than just its predecessor, resulting in possible violations of the system. Thisscenario shows that there is a limitation in identifying sequence attacks with DTMCs.

In two cases one can identify a violation of the sequence by detecting non-existing tran-sitions in the system. The third needs a deeper look into the transition probability. A fourthscenario showed a limitation by using DTMCs for detecting sequence attacks. This thesis willnow focus on the three violations that can be detected. These three violations show that it ispossible to use unintended paths within the DTMC by using valid commands only. It leadsto the question whether there exists paths with valid commands that can harm the system.In addition possible minimization are discussed with which the violations can still be detected.4.2 Sequence attack scenarios and minimization

Order based device Compromise: A typical sequence is the upload of new programs to aPLC. The majority of application level protocols provide functionality for this process. Thisincludes messages from unloading and deleting existing programs to transferring, storing andloading new programs. These functionalities are typically achieved by sending sequences ofmessages. The sequence of messages for uploading a logic program to a PLC looks typically

28 Sequence attackslike Fig. 13. The states represent the events of the process:• s_1: “unlock the PLC“• s_2: “lock the PLC“• s_3: “stop the running program“• s_4: “delete the existing program“• s_5: “transfer the new program code to the PLC“• s_6: “create program“• s_7: “start program“

s_2s_3 1.0

s_5 s_6 1.0

s_4 1.0

s_1 1.0

1.0s_7 1.0

1.0

Figure 13: Order based device reprogrammingThe process starts in state “s_1“. Now the PLC is running. The transition from state “s_1“to state “s_2“ is triggered by the command “lock the PLC“. Then the command “stop therunning program“ is sent to the controller and the process is in the state “s_3“. The processfollows with the commands “delete the existing program“, “transfer the new program code tothe PLC“, “create program“, “start program“ and “unlock the PLC“ and ends in the state “s_7“.Experiments in an industrial control laboratory environment have revealed that it is possibleto attack some PLCs merely by sending some of these messages in an inconsistent order[4]. For example, sending a valid “start program“ message when the program is still runningcauses an error that is not properly handled by the PLC controller firmware, which causesthe PLC controller to crash. Fig. 14 shows the malicious transition in red which causes thePLC controller to crash [4]. The controller is in state “s_7“, thus already running. If it nowgets the command “start program“ it crashes.

Now consider a more complex version of Fig. 13. The controller has 3 sensors attachedto it. One can read those values by sending the command “read value“ with the specifiedsensor address. They are addressed accordingly to Sec. 3.3. The IOAs shall be 1, 2 and 3.Fig. 15 is an example DTMC. The result is depending on the count of read commands andjumps to “s_2“. In all the new states “s_8“, “s_9“ and “s_10“ the PLC is running. It is valid

Sequence attacks 29

s_2s_3 1.0 s_4 s_5 1.0

s_1 0.5

s_7 0.5

s_6 1.0 1.0 1.0 1.0

Figure 14: Compromised order based device reprogrammingreading multiple values and after some time executing the command “lock the PLC“ since thecontroller is running.

s_2

s_3 1.0s_4 s_5 1.0

s_8

s_10 0.25

s_9 0.75 0.5

0.5

1.0 s_1

0.5

0.5

0.25

0.5

0.25

s_6 s_7 1.0 1.0 1.0

Figure 15: DTMC representing order based device reprogramming incl. other trafficNow consider this DTMC, being in state “s_8“ and executing the command “start program“.A transition is used that is not present in the training DTMC. Figure Fig. 16 shows theviolation in red.

s_2

s_3 1.0s_5 s_6 1.0

s_8

s_9

0.6s_10

0.2s_7 0.2

s_4 1.0 1.0

s_1 0.33 0.67

0.25 0.5 0.25

0.5

0.5

1.0 1.0

Figure 16: DTMC representing order based device reprogramming incl. other traffic and aviolationNow that a sequence attack can be detected, one wants to try to minimize the DTMC fora faster analysis. This can be done by merging the IOAs, i.e., a state is now identified onlyby its “Direction“, “Service“ and “ASDU address“. The states “s_8“, “s_9“ and “s_10“ resultin one state. They use the same “direction“, “ASDU type“, “ASDU address“ and the IOAsare merged. The “ASDU type“ of the commands, needed for the PLC update, differ for allstates. Accordingly these states are not merged although they share the same IOA. This isshown in Fig. 18. There is no transition from state “s_8“ to “s_7“. Thus the sequence attack

30 Sequence attacksof using the command “start program“ while being in state “s_8“ can still be identified - seeFig. 17. This means the IOAs can be merged while still being able to identify this type ofsequence attack. But the following example shows, that this minimization needn’t apply toall scenarios.

s_2 s_3 1.0 s_4 s_5 1.0

s_8 0.1

0.9s_1

0.5

0.5s_6 1.0 s_7 1.0 1.0 1.0

Figure 17: DTMC representing order based device reprogramming incl. other traffic - mergedIOAs

s_2 s_3 1.0 s_4 1.0 s_8

0.09 0.82

s_7 0.09s_5 1.0

s_1 1.0

0.33 0.67

s_6 1.0 1.0

Figure 18: DTMC representing order based device reprogramming incl. other traffic and aviolation - merged IOAs

Sequence attacks 31

o_A

c_A c_B

o_C

o_D

c_C

c_D

o_B

Figure 19: DTMC representing the system of four pipesLet a system consist of four pipes – A,B,C and D – that can be opened and closed. Initiallythey are all closed. Pipes C and D can be opened and closed at any time, while A and Balways follow the sequence: open A → close A → open B → close B. The resultingDTMC is shown in Fig. 19. It has 8 states in total and 17 transitions. The black states indicatethe sequence that the system must apply. oX stands for “open pipe X“ and c_X means “closepipe X“, whereby X ε {A, B, C,D}. A sequence attack by opening pipe B without closing pipeA first would be detected because of the missing transition. If we follow the minimization fromabove and merge all IOAs, the system would consist of two states. All opening commands aremerged together and all closing commands are merged together. Fig. 20 shows the resultingDTMC. oABCD stands for “open pipe A or B or C or D“ and c_ABCD means “close pipe Aor B or C or D“. Now the system can only distinguish between opening and closing any pipe.Since it was possible to open pipe C and directly open pipe D a self loop is attached to theopen command. The same applies to the close command. Now it is not possible to detect thesequence violation anymore since there exists a transition from open pipe A to open pipe B.This means a new minimization is needed in order to be able to detect this kind of attack.A slightly different minimization would be to merge only specific states. In this example thestates o_C and o_D are mereged as well as c_C and c_D. The corresponding DTMC isshown in Fig. 21. oCD stands for “open pipe C or D“ and c_CD means “close pipe C or D“.The resulting DTMC now has only 6 states and 10 transitions, but the attack scenario willstill be detected by the DTMC.This minimization can be applied to the “order based device programming“ example. Theresulting DTMC might look like Fig. 18, depending on which read commands would be merged.That minimization would not effect the detection of the sequence attack and still lead to a

32 Sequence attacks

o_ABCD

c_ABCD

Figure 20: DTMC representing the system of four pipes by merging all reading commandsand all closing commands

o_A

c_A c_B

o_CD

c_CD

o_B

Figure 21: DTMC representing the system of four pipes by merging some commandssmaller DTMC. This means, that the minimization depends strongly on the sequence attacksthat need to be detected.

Experiments and results 335 Experiments and results

This section discusses how the analysis of the data was realized and shows the results ofthe experiments. A brief instruction into the used tools is given and the software writtenfor the analysis is briefly explained. In addition, possible implementations of minimizationsare discussed. At last the tool is run against data of a company which provided real datafor this thesis. The differences between the original DTMC and its corresponding minimizedDTMC are shown. The traces the company provided didn’t include sequence attacks. Theywere clean traces with which one can train their IDS. The traces were not customized toinclude sequence attacks. Thus, the detection of sequence attacks using this approach andthe minimization is not discussed in this thesis.Chapter 5.1 briefly describes how the tool developed for the experiments was written. Italso explains how the graphs are to be interpreted. In Chapter 5.2 two approaches of howthe minimization can be implemented are described. Chapter 5.3 finally presents the resultsof the experiments. Non-minimized and minimized graphs are compared and discussed.

5.1 Implementation and representation of the graphs

The tool written for this thesis is based on the programming language python version 3.5. Itis a high level language and known to be good for rapid application developing. Furthermore,it is open source and has a large library of additional functionality that can be used withina project. The tool integrates two libraries: “pyshark“ [23] for reading the trace of packetsand performing a deep packet inspection and “digraph“ of the package “graphviz“ [24] forgenerating the graphs.Alg. 2 was implemented straightforward. There is no additional logic in creating thegraphs or generating the DTMC other than structuring the code to keep it readable. Foreasy identification of the entry to DTMC there is an “entry“ state at each graph, which islabeled “entry“ and marked with the color magenta. All other states are marked with col-ors as well. States with same colors indicate that they are bisimilar if the minimization -merging all IOAs - applies. Each state has multiple attributes listed. Direction indicateswhether the packet was a response or a request. The I indicates that the events representedby the state were ASDU-Type I events. The Type-ID is the type-id from the packet. The

ASDU-Addr shows the ASDU-address. IOAs shows the addressed IOAs. First Occuranceis the timestamp of the first occurrence of the event in the trace. Last occurance is the lastoccurence of such an event within the trace. Count is the number of events merged into thisstate.The transitions were labeled as well. There is a fraction and a number p ε ]0, 1]. The first

34 Experiments and resultsnumber of the fraction indicates how often this transition was used. The second number ofthe fraction indicates how many jumps in total were made from that state. The number p isthe probability, using that transition. The transition lines have different levels of thickness.The thicker a line is, the more likely it is to use that transition within the whole graph. It isnot leaned to the transition probability. Instead it is leaned to the number of jumps comparedto all jumps inside the graph. This way one can indicate the main path within the DTMC.5.2 Implementation of the minimization

The minimization was done in two ways. In case (i), the DTMC was built as described inAlg. 2 and afterwards be minimized step by step, which is described by Alg. 3. In case (ii),the DTMC was built using Alg. 2 with another abstraction of the definition state. Thereby astate was identified by only using its “Direction“, “Service“ and “ASDU address“. Both wayslead to the same result. In the following the two approaches are discussed in detail andbeforehand Alg. 3 - used by case (i) - is explained.Data: DTMCResult: minimized DTMC

1 repeat2 statesMerged ← False;3 foreach statep ε DTMC do4 foreach stateo ε DTMC do5 if statep == stateo then6 merge(statep, stateo);7 remove(stateo);8 statesMerged ← True;9 break;

10 end11 end12 if statesMerged == True; then13 break;14 end15 end16 until statesMerged == False;

Algorithm 3: Minimization of a DTMC step by stepAlg. 3 expects a DTMC as input and its output is a minimized DTMC. Line 1 till 16 forma loop which repeats until the variable “statesMerged“ equals “False“. In line 2 the variable

Experiments and results 35“statesMerged“ is set to “False“. Line 3 till 14 form a loop over all states of the DTMC. Astate inside the loop is referenced as statep. The p stands for “persistent“. Line 4 till 11 formanother loop over all states of the DTMC. This time a state is referenced as stateo, wherebythe o stands for “obsolete“. Inside both loops lines 5 till 10 form a conditional statement.If statep equals stateo in all atomic propositions, line 6, 7, 8 and 9 are executed. Theatomic propositions in this algorithm are: Request, Response, ASDU-Address, Type-Id andthe control field format. The IOAs are not part of the atomic propositions anymore. In line 6stateo is merged into statep. This means the counter of how often this state occurred needsto be set, the first and last occurrence for the median time calculation needs to be updated.This also implies the transitions. The source of every outgoing transition from stateo needsto be set to statep. If the transition already exists in statep it is updated, otherwise it isadded to statep. Also all incoming transition into stateo need to be redirected to statep.In this thesis the IOAs were merged as well, as shown in the graphs. In line 7 the obsoletestate stateo is deleted from the DTMC. Line 8 sets the variable “statesMerged“ to “True“.Line 9 consists of the simple statement to jump out of the inner loop. Line 12 and 14 form aconditional statement: If the variable “statesMerged“ equals “True“, then line 13 is executed.Line 13 jumps out of the second loop into the first loop. This means as long as one state canbe merged into another one, both inner loops are executed. Only one state is merged intoanother one at a time.

In case (i), Fig. 22 and Fig. 23 show how states can be merged together. Fig. 22 showsthe originating DTMC and Fig. 23 is the resulting DTMC after the minimization using Alg. 3.In the figures the colors show bisimular states that are equal. Both yellow states can bemerged together, since they equal in the atomic propositions of the minimization algorithm.During the merge, the outgoing transition of the upper yellow state into the other yellowstate results in a self-loop. The source of the outgoing transition of the lower yellow stateis set to the upper yellow state. Furthermore the first and last occurrences are adjusted andthe count of events in the lower state is added to the count of events of the upper state. Thisis one possible way of minimizing the DTMC.In case (ii), generating a minimized DTMC of the data, Alg. 2 is used for building theDTMC. Instead of identifying an event with the attributes Request, Response, ASDU-Address,IOAs, Type-Id and the control field format, it is identified using all the attributes but the IOAs.This is a variation of the identification of a state as explained in Alg. 2, where events withthe same atomic propositions are merged together. Using the same data as in case (i), theresulting DTMC is identical to Fig. 23. Therefore both ways lead to the same result butusing the method in case (i) may lead to unnecessary mistakes because of the extended logic.Thus, a minimization should be done from scratch using Alg. 2 and an appropriate abstractionof the atomic propositions used for the identification.

36 Experiments and results

Direction: RES --- I -- TypeID: 100ASDU-Addr: 132

IOA(s): ['0']First occurance: 2011-06-30 00:18:14Last occurance: 2011-07-01 00:38:00

Count: 147

Direction: REQ --- I -- TypeID: 103ASDU-Addr: 132


Count: 38

24/1470.163



Count: 294

123/1470.837


IOA(s): ['1','2','201','202','203','205','3','4','5','6','8']

First occurance: 2011-06-30 00:18:15Last occurance: 2011-07-01 00:38:00

Count: 147

Direction: REQ --- I -- TypeID: 1ASDU-Addr: 132IOA(s): ['1225']


Count: 147

147/1471.0

13/370.351

24/370.649

ENTRY

1/11.0



Count: 14

14/141.0

147/1471.0

133/2940.452

147/2940.5

14/2940.048

Figure 22: DTMC representing legit activities of device B over the period of one day

Experiments and results 37



Count: 147



Count: 38

24/1470.163



Count: 294

123/1470.837


IOA(s): ['1','1225','2','201','202','203','205','3','4','5','6','8']


Count: 294

147/2940.5

147/2940.5

13/370.351

24/370.649

ENTRY

1/11.0



Count: 14

14/141.0

133/2940.452

147/2940.5

14/2940.048

Figure 23: Minimized DTMC representing legit activities of device B over the period of oneday

38 Experiments and results5.3 Experiments on traces



Count: 39

4/390.103



Count: 229

2/390.051



Count: 837

15/390.385



Count: 294

3/390.077



Count: 136

1/390.026



Count: 238

6/390.154



Count: 356

4/390.103



Count: 82

3/390.077



Count: 25

1/390.026


IOA(s): ['100','101','102','103','104','201','202','203','205','97','98','99']


Count: 144



Count: 147

141/1440.979

1/1440.007

1/1440.007



Count: 147

1/1440.007


IOA(s): ['8195','8201']First occurance: 2011-06-30 01:03:35Last occurance: 2011-06-30 01:03:35

Count: 1

1/11.0



Count: 14

14/141.0


IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69',

'8']First occurance: 2011-06-30 01:18:15Last occurance: 2011-06-30 09:58:11

Count: 3


IOA(s): ['100','101','102','103','104','201','202','203','205','70','71','72','73','74','75','76','77','78','79','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98','99']


Count: 3

3/31.0


IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']


Count: 147

147/1471.0


IOA(s): ['9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273',

'9274','9275','9276','9277','9278','9279','9280']First occurance: 2011-06-30 00:18:17Last occurance: 2011-07-01 00:38:02

Count: 147



Count: 294

147/1471.0



Count: 10



Count: 149

1/100.1

1/100.1

5/100.5

1/100.1

1/100.1



Count: 5

1/100.1



Count: 1

1/11.0

Direction: RES --- I -- TypeID: 102ASDU-Addr: 170IOA(s): ['9253']


Count: 147

147/1490.987

2/1490.013



Count: 1



Count: 32

1/11.0

1/2290.004

1/2290.004

2/2290.009

1/2290.004

10/2290.044

76/2290.332



Count: 6

1/2290.004



Count: 2

1/2290.004



Count: 1

1/2290.004

33/2290.144



Count: 77

30/2290.131



Count: 3

2/2290.009

16/2290.07


IOA(s): ['8198','8204','8206']First occurance: 2011-06-30 09:23:31Last occurance: 2011-06-30 09:23:31

Count: 1

1/2290.004

6/2290.026



Count: 1

1/2290.004



Count: 1

1/2290.004

17/2290.074



Count: 5

1/2290.004

11/2290.048



Count: 1

1/2290.004



Count: 31

3/2290.013

6/2290.026

4/2290.017



Count: 1

1/2290.004

1/2290.004



Count: 1

1/11.0

1/60.167

4/60.667

1/60.167

2/21.0



Count: 13

1/130.077

1/130.077

1/130.077

8/130.615

1/130.077

1/130.077

1/11.0

6/8370.007

3/8370.004

1/8370.001

2/8370.002

43/8370.051

35/8370.042

2/8370.002

1/8370.001

332/8370.397

12/8370.014



Count: 1

1/8370.001

106/8370.127

45/8370.054



Count: 1

1/8370.001



Count: 1

1/8370.001

66/8370.079



Count: 2

2/8370.002

135/8370.161

3/8370.004

16/8370.019

5/8370.006

9/8370.011



Count: 14

8/8370.01

2/8370.002

1/770.013

5/770.065

14/770.182

11/770.143

5/770.065

5/770.065

3/770.039

4/770.052

4/770.052

8/770.104

7/770.091

5/770.065

2/770.026

2/770.026

1/770.013


IOA(s): ['9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245',

'9246','9247','9248','9249','9250','9251','9252','9253','9254']First occurance: 2011-06-30 00:18:17Last occurance: 2011-07-01 00:38:02

Count: 147

147/1471.0

1/11.0

3/31.0



Count: 1

1/11.0

3/2930.01

3/2930.01

2/2930.007

21/2930.072

14/2930.048

1/2930.003

89/2930.304

6/2930.02

7/2930.024

16/2930.055

31/2930.106

81/2930.276

1/2930.003

3/2930.01

9/2930.031

1/2930.003

5/2930.017

1/11.0

2/1470.014

1/1470.007

144/1470.98

3/1360.022

1/1360.007

10/1360.074

7/1360.051

1/1360.007

1/1360.007

34/1360.25

4/1360.029

1/1360.007

17/1360.125

3/1360.022

19/1360.14

23/1360.169

5/1360.037

2/1360.015

4/1360.029

1/1360.007


IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',

'89','90','91','92','93','94','95','96']First occurance: 2011-06-30 00:18:16Last occurance: 2011-07-01 00:38:01

Count: 144

144/1441.0

1/11.0

1/11.0

147/1471.0

ENTRY

1/11.0

1/11.0



Count: 1

1/11.0

1/11.0



Count: 1

1/11.0

2/2380.008

1/2380.004

1/2380.004

1/2380.004

22/2380.092

23/2380.097

1/2380.004

2/2380.008

1/2380.004

79/2380.332

2/2380.008

15/2380.063

15/2380.063

16/2380.067

26/2380.109

1/2380.004

26/2380.109

1/2380.004

1/2380.004

2/2380.008

1/20.5

1/20.5

1/50.2

4/50.8

3/31.0



Count: 1

1/11.0

2/3560.006

1/3560.003

3/3560.008

1/3560.003

19/3560.053

16/3560.045

7/3560.02

120/3560.337

4/3560.011

1/3560.003

100/3560.281

22/3560.062

31/3560.087

18/3560.051

2/3560.006

7/3560.02

1/3560.003

1/3560.003

1/11.0

1/2940.003

16/2940.054

1/2940.003

66/2940.224

2/2940.007

5/2940.017

11/2940.037

1/2940.003

19/2940.065

21/2940.071



Count: 1

1/2940.003

1/2940.003

146/2940.497

2/2940.007

1/2940.003

1/11.0

1/310.032

2/310.065

1/310.032

5/310.161

1/310.032

4/310.129

2/310.065

1/310.032

2/310.065

1/310.032

4/310.129

4/310.129

2/310.065

1/310.032

3/1470.02

1/1470.007

143/1470.973

2/820.024

1/820.012

8/820.098

5/820.061

21/820.256

3/820.037

7/820.085

4/820.049

1/820.012

14/820.171

11/820.134

2/820.024

2/820.024

1/820.012

1/250.04

2/250.08

3/250.12

6/250.24

1/250.04

3/250.12

2/250.08

2/250.08

2/250.08

1/250.04

1/250.04

1/250.04

1/11.0

1/320.031

1/320.031

4/320.125

11/320.344

2/320.062

1/320.031

1/320.031

1/320.031

3/320.094

2/320.062

1/320.031

3/320.094

1/320.031

1/140.071

6/140.429

2/140.143

5/140.357

1/50.2

1/50.2

1/50.2

1/50.2

1/50.2

Figure 24: DTMC representing legit activities of device A over the period of one dayIn order to demonstrate the advantages of the minimization, an experiment was created.In this experiment graphs with and without minimization were build, using the same data.The minimization used in this experiment was merging all IOAs together, thus identifying astate by all attributes but the IOAs. A possible application for this minimization was givenin Sec. 4. The resulting DTMC for a given trace from a company over a period of one dayfor one particular device A looks like Fig. 24. Although the period of time is still small fora training DTMC, the resulting graph is complex. It already consists of 52 states and 282transitions. Executing the algorithm on the same data by merging the IOAs results in thegraph represented by Fig. 25. The graph now consists of 8 states and 23 transitions. Forthe states this is a reduction of approximately 84% and for the transitions of approximately

Experiments and results 3991%. This is a significant reduction of the state space.



Count: 294


IOA(s): ['8193','8195','8196','8197','8198','8200','8201','8202','8203','8204','8205','8206','8207']


Count: 2415

147/2940.5


IOA(s): ['100','101','102','103','104','1225','201','202','203','205','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98',


Count: 441

1/2940.003


IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208','9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245','9246','9247','9248','9249','9250','9251','9252','9253','9254','9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273','9274','9275','9276','9277','9278','9279',


Count: 588

146/2940.497

1/24140.0

2229/24140.923

2/24140.001



Count: 14

14/24140.006



Count: 149

147/24140.061



Count: 39

21/24140.009

2/4410.005

291/4410.66

148/4410.336

14/141.0

ENTRY

1/11.0



Count: 147

144/1470.98

1/1470.007

2/1470.014

2/1490.013

147/1490.987

35/390.897

4/390.103

147/5880.25

147/5880.25

294/5880.5

Figure 25: DTMC representing legit activities of device A over the period of one day usingthe minimization

40 Experiments and resultsComparing the reduction on a trace of a complete week, the reduction is even moresignificant. Fig. 26 shows the graph representing the trace of one week. It consists of 81states and 579 transitions. The related graph generated using the minimization is shownin Fig. 27. It only consists of 10 states and 36 transitions. This complies a reduction ofapproximately 88% for the states and approximately 94% for the transitions. This approachis promising regarding the possible reduction of the state space. However it may not alwaysbe possible to detect every sequence attack one wants to look at. Since the detection ofsequence attacks is the essential part of the IDS, another approximation may be used.



Count: 1448

85/14480.059



Count: 6

1/14480.001



Count: 84

8/14480.006



Count: 251

14/14480.01



Count: 1625

112/14480.077



Count: 2001

114/14480.079



Count: 399

13/14480.009



Count: 276

19/14480.013



Count: 60

6/14480.004



Count: 670

44/14480.03



Count: 68

5/14480.003



Count: 6168

502/14480.347



Count: 120

4/14480.003



Count: 51

9/14480.006



Count: 71

7/14480.005



Count: 606

60/14480.041



Count: 1006

1/14480.001



Count: 1008

135/14480.093



Count: 440

1/14480.001

Direction: REQ --- I -- TypeID: 30ASDU-Addr: 170IOA(s): ['54','58']


Count: 44

1/14480.001



Count: 6

2/14480.001



Count: 7

3/14480.002



Count: 477

129/14480.089



Count: 2416

172/14480.119



Count: 3

1/14480.001

2/60.333

4/60.667


IOA(s): ['9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245',

'9246','9247','9248','9249','9250','9251','9252','9253','9254']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18

Count: 1006


IOA(s): ['9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273',

'9274','9275','9276','9277','9278','9279','9280']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:18

Count: 1006

1006/10061.0



Count: 4

1/40.25

2/40.5

1/40.25

84/841.0



Count: 1

1/11.0



Count: 2

1/20.5

1/20.5



Count: 3

1/30.333

1/30.333

1/30.333



Count: 4

1/40.25

1/40.25

2/40.5



Count: 6

1/60.167

3/60.5

1/60.167

1/60.167



Count: 2

2/21.0



Count: 5

3/50.6

1/50.2

1/50.2

19/2510.076

1/2510.004

35/2510.139

15/2510.06

19/2510.076

3/2510.012

2/2510.008

4/2510.016

2/2510.008

89/2510.355

1/2510.004

1/2510.004

11/2510.044

11/2510.044

37/2510.147



Count: 3

1/2510.004


IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',

'89','90','91','92','93','94','95','96']First occurance: 2011-06-27 00:59:00Last occurance: 2011-07-04 00:27:17

Count: 975


IOA(s): ['100','101','102','103','104','201','202','203','205','97','98','99']


Count: 973

973/9750.998



Count: 2

2/9750.002



Count: 858

3/8580.003

1/8580.001

3/8580.003

1/8580.001

2/8580.002



Count: 2012

847/8580.987

1/8580.001

112/16250.069

2/16250.001

8/16250.005

1/16250.001

1/16250.001

1/16250.001

2/16250.001

2/16250.001

2/16250.001

10/16250.006

621/16250.382



Count: 1

1/16250.001

73/16250.045

185/16250.114

17/16250.01



Count: 5

1/16250.001

2/16250.001

32/16250.02

3/16250.002

291/16250.179

15/16250.009



Count: 1

1/16250.001

5/16250.003

30/16250.018



Count: 3

1/16250.001



Count: 2

1/16250.001



Count: 12

2/16250.001

1/16250.001

65/16250.04



Count: 19

4/16250.002



Count: 28

1/16250.001



Count: 2

1/16250.001

2/16250.001

26/16250.016

94/16250.058



Count: 1

1/16250.001



Count: 1

1/16250.001

2/16250.001



Count: 12

3/16250.002

1/16250.001



Count: 2

1/16250.001

1/11.0

164/20010.082

10/20010.005

1/20010.0

18/20010.009

116/20010.058

42/20010.021

23/20010.011

21/20010.01


IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']


Count: 1006

1/20010.0

2/20010.001

34/20010.017

23/20010.011

673/20010.336

8/20010.004

4/20010.002

3/20010.001

79/20010.039

2/20010.001



Count: 276

5/20010.002

130/20010.065

3/20010.001



Count: 1

1/20010.0

4/20010.002



Count: 3

1/20010.0

1/20010.0

3/20010.001



Count: 8

1/20010.0

1/20010.0



Count: 1

1/20010.0

49/20010.024

573/20010.286



Count: 1

1/20010.0

1/20010.0



Count: 4

1/20010.0

1/20010.0



Count: 1

1/11.0



Count: 1

1/11.0



Count: 1

1/11.0

31/3990.078

2/3990.005

1/3990.003

1/3990.003

2/3990.005

77/3990.193

26/3990.065

14/3990.035

15/3990.038

1/3990.003

22/3990.055

2/3990.005

86/3990.216

33/3990.083

2/3990.005

2/3990.005

9/3990.023

22/3990.055

4/3990.01

1/3990.003

1/3990.003

11/3990.028

28/3990.07

5/3990.013



Count: 16

1/3990.003


IOA(s): ['100','101','102','103','104','201','202','203','205','70','71','72','73','74','75','76','77','78','79','80','81','82','83','84','85','86','87','88','89','90','91','92','93','94','95','96','97','98','99']


Count: 31

31/311.0

13/2760.047

1/2760.004

17/2760.062

13/2760.047

10/2760.036

64/2760.232

16/2760.058

1/2760.004

74/2760.268

11/2760.04

1/2760.004

3/2760.011

3/2760.011



Count: 1

1/2760.004

1/2760.004

21/2760.076

1/2760.004

4/2760.014

20/2760.072

1/2760.004


IOA(s): ['100','101','102','103','104','201','202','203','205']First occurance: 2011-07-01 03:18:00Last occurance: 2011-07-01 03:57:59

Count: 2

2/21.0

1/50.2

1/50.2

1/50.2

2/50.4

1006/10061.0

1006/10061.0

5/600.083

1/600.017

1/600.017

1/600.017

1/600.017

1/600.017

1/600.017

1/600.017

12/600.2

1/600.017

1/600.017

3/600.05

31/600.517



Count: 2

1/20.5

1/20.5

51/6700.076

2/6700.003

5/6700.007

3/6700.004

6/6700.009

38/6700.057

28/6700.042

10/6700.015

14/6700.021

3/6700.004

279/6700.416

1/6700.001

111/6700.166



Count: 1

1/6700.001

9/6700.013



Count: 2

1/6700.001

1/6700.001

4/6700.006

16/6700.024

25/6700.037

1/6700.001

9/6700.013

51/6700.076

1/6700.001

1/9730.001

1/9730.001

2/9730.002



Count: 858

3/9730.003

963/9730.99

3/9730.003

6/680.088

1/680.015

5/680.074

29/680.426

1/680.015

3/680.044

10/680.147

3/680.044

5/680.074

2/680.029

2/680.029

1/680.015

473/61680.077

2/61680.0

1/61680.0

25/61680.004

1/61680.0

44/61680.007

286/61680.046

780/61680.126

65/61680.011

62/61680.01

2/61680.0

2/61680.0

9/61680.001

2/61680.0

98/61680.016

16/61680.003

2488/61680.403

18/61680.003

1/61680.0

14/61680.002

42/61680.007

204/61680.033



Count: 2

1/61680.0

5/61680.001

8/61680.001

2/61680.0

333/61680.054

7/61680.001



Count: 1

1/61680.0



Count: 1

1/61680.0

26/61680.004

2/61680.0

2/61680.0

3/61680.0

4/61680.001

2/61680.0

2/61680.0

1/61680.0

106/61680.017

1018/61680.165

1/61680.0



Count: 2

2/61680.0

6/61680.001

1/11.0

10/1200.083

2/1200.017

3/1200.025

13/1200.108

7/1200.058

1/1200.008

12/1200.1

6/1200.05

1/1200.008

16/1200.133

22/1200.183

4/1200.033

4/1200.033

1/1200.008

7/1200.058

1/1200.008

4/1200.033



Count: 3

1/1200.008

5/1200.042


IOA(s): ['41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69',


Count: 31

31/311.0

1/11.0

1/20.5

1/20.5

5/510.098

4/510.078

6/510.118

21/510.412

3/510.059

3/510.059

1/510.02

3/510.059

5/510.098

11/710.155

1/710.014

2/710.028

5/710.07

1/710.014

1/710.014

2/710.028

1/710.014

1/710.014

33/710.465

3/710.042

5/710.07

1/710.014

3/710.042

1/710.014

73/6060.12

1/6060.002

5/6060.008

1/6060.002

9/6060.015

39/6060.064

52/6060.086

10/6060.017

8/6060.013

3/6060.005

11/6060.018

1/6060.002

210/6060.347

3/6060.005

2/6060.003

3/6060.005

20/6060.033

1/6060.002

47/6060.078

1/6060.002



Count: 1

1/6060.002

5/6060.008

1/6060.002

1/6060.002

19/6060.031

79/6060.13

1/30.333

2/30.667

1/11.0

1/20.5

1/20.5

1/20.5

1/20.5

828/8580.965

27/8580.031

3/8580.003

5/120.417

1/120.083

2/120.167

1/120.083

3/120.25

1/2760.004

9/2760.033

1/2760.004

191/2760.692

52/2760.188

16/2760.058

6/2760.022

ENTRY

1/11.0



Count: 2

1/20.5

1/20.5

1/10060.001

1002/10060.996

2/10060.002

1/10060.001

858/10080.851

1/10080.001

1/10080.001

1/10080.001

147/10080.146

1/190.053

12/190.632

2/190.105

1/190.053

1/190.053

2/190.105

1/11.0

1/11.0

1/11.0

1/11.0

1/4400.002

1/4400.002

3/4400.007

1/4400.002

1/4400.002

1/4400.002

1/4400.002

37/4400.084

4/4400.009

48/4400.109

3/4400.007

324/4400.736

13/4400.03

2/4400.005

1/440.023

1/440.023

17/440.386

13/440.295

12/440.273

1/30.333

1/30.333

1/30.333

1/280.036

5/280.179

2/280.071

19/280.679

1/280.036

128/20120.064

3/20120.001

1/20120.0

6/20120.003

147/20120.073

90/20120.045

39/20120.019

1/20120.0

3/20120.001

12/20120.006

8/20120.004

33/20120.016

8/20120.004

489/20120.243

1/20120.0

4/20120.002

3/20120.001

46/20120.023

855/20120.425

1/20120.0

1/20120.0

1/20120.0

3/20120.001

3/20120.001

1/20120.0

16/20120.008

106/20120.053

3/20120.001

2/60.333

2/60.333

2/60.333

1/80.125

2/80.25

3/80.375

1/80.125

1/80.125

1/20.5

1/20.5

1/11.0

3/70.429

3/70.429

1/70.143

81/4770.17

2/4770.004

1/4770.002

7/4770.015

37/4770.078

40/4770.084

7/4770.015

3/4770.006

4/4770.008

1/4770.002

156/4770.327

2/4770.004

2/4770.004

16/4770.034

1/4770.002

40/4770.084

1/4770.002

30/4770.063

45/4770.094

1/4770.002

2/21.0

175/24150.072

10/24150.004

1/24150.0

1/24150.0

9/24150.004

114/24150.047

708/24150.293

24/24150.01

26/24150.011

24/24150.01

59/24150.024

5/24150.002

805/24150.333

8/24150.003

11/24150.005

91/24150.038

2/24150.001

2/24150.001

5/24150.002

3/24150.001

155/24150.064

2/24150.001

5/24150.002

1/24150.0

1/24150.0

1/24150.0

53/24150.022

110/24150.046

1/24150.0

2/24150.001

1/24150.0

1/11.0

1/11.0

1/11.0

1/30.333

1/30.333

1/30.333

2/120.167

5/120.417

2/120.167

1/120.083

1/120.083

1/120.083

1/30.333

1/30.333

1/30.333

1/20.5

1/20.5

1/30.333

1/30.333

1/30.333

2/160.125

2/160.125

1/160.062

1/160.062

1/160.062

2/160.125

1/160.062

1/160.062

2/160.125

3/160.188

1/40.25

2/40.5

1/40.25

2/21.0

Figure 26: DTMC representing legit activities of device A over the period of one week



IOA(s): ['8193','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208']First occurance: 2011-06-27 00:58:01Last occurance: 2011-07-04 00:29:15

Count: 16650

15349/166490.922



Count: 1008

1002/166490.06



Count: 2012

12/166490.001


IOA(s): ['100','101','102','103','104','1225','201','202','203','205','41','42','43','44','45','46','47','48','49','50','51','52','53','54','55','56','57','58','59','60','61','62','63','64','65','66','67','68','69','70','71','72','73','74','75','76','77','78','79','8','80','81','82','83','84','85','86','87','88',

'89','90','91','92','93','94','95','96','97','98','99']


Count: 3020

7/166490.0


IOA(s): ['101','102','54','58']First occurance: 2011-06-27 02:05:50Last occurance: 2011-06-29 04:47:23

Count: 762

69/166490.004



Count: 84

81/166490.005


IOA(s): ['8193','8194','8195','8196','8197','8198','8199','8200','8201','8202','8203','8204','8205','8206','8207','8208','9217','9218','9219','9220','9221','9222','9223','9224','9225','9226','9227','9228','9229','9230','9231','9232','9233','9234','9235','9236','9237','9238','9239','9240','9241','9242','9243','9244','9245','9246','9247','9248','9249','9250','9251','9252','9253','9254','9255','9256','9257','9258','9259','9260','9261','9262','9263','9264','9265','9266','9267','9268','9269','9270','9271','9272','9273','9274','9275','9276','9277','9278','9279',


Count: 3876

3/166490.0



Count: 251

126/166490.008



Count: 858

9/8580.01

2/8580.002

847/8580.987

3/10080.003

858/10080.851

147/10080.146

991/20120.493

1/20120.0

151/20120.075

5/20120.002

3/20120.001

855/20120.425

6/20120.003

ENTRY

1/11.0

10/30200.003

2004/30200.664

1/30200.0

1005/30200.333

71/7620.093

3/7620.004

687/7620.902

1/7620.001

84/841.0

1006/38760.26

858/38760.221

2012/38760.519

216/2510.861

35/2510.139

Figure 27: Minimized DTMC representing legit activities of device A over the period of oneweek

42 Experiments and resultsThe results from above are experiments on two traces. In order to be able to give rea-sonable statements, more real data needs to be tested. This was done in the following. Thetool was run to create a DTMC without and with minimization. In both cases the states andthe transitions were counted and the results are shown in Tab. 1, Tab. 2 and Tab. 3. Sevendevices were chosen by random. For each device the test was run using a timeinterval ofone hour, one day and one week. The column Label is the label of the trace. Columns

States and Transitions list the states and transitions for a given trace without minimization.The Columns StatesM and T ransitionsM list the states and the transitions for the corre-sponding minimized DTMC. σ represents the fraction StatesMStates and τ represents the fraction

T ransitionsMT ransitions . Thus, the last two columns show the level of minimization. The smaller the levelof minimization, the more effective the algorithm worked.

It is to mention, that the time needed for the generation of a DTMC only depends onthe count of packets within a given trace. The more packets to analyse, the more time thegeneration of the DTMC takes. The connection is linear. The tool written for this thesiswas using a single core of one cpu only. On an Intel Xeon E312xx (Sandy Bridge) with afrequency of 2Ghz the analysis of a trace with 33166 packets needed approximately 141 sec.The number of packets does not contain any information about the time interval of the trace.There are devices with a lot of communication and devices with less communication. A tracecontaining all the communication within one facility in the company over the time interval ofone hour had around 1.400.000 packets. The analysis of this trace took slightly more thanone hour. The most time consuming part in this algorithm is the analysis of the packet itself.In addition, a not irrelevant part of constructing the DTMC needs to be taken into account.As the runtime optimization was not part of this thesis, further adjustments on the algorithmneed to be considered for real time application. This includes speeding up the deep packetinspection as shown in [25] and possible optimization of the code.Tab. 1, Tab. 2 and Tab. 3 show that the minimization can lead to significant improvement,but there still remain cases for which the chosen minimization is not that effective. Asexpected, more states and transitions give more possibilities for minimization. Additionaly,improvements can be seen when comparing the effectivity of one week to one hour.In summary, the results presented show that the approach of minimization can lead to greatimprovements and should be considered when using DTMCs for the detection of sequenceattacks.


Label States Transitions StatesM T ransitionsM σ τA 27 70 9 16 0.33 0.23B 7 11 6 11 0.86 1.0C 20 34 10 20 0.5 0.59D 12 17 9 16 0.75 0.94E 11 16 7 12 0.64 0.75F 25 44 11 23 0.44 0.52G 10 14 8 14 0.8 1.0Table 1: Results using a timeinterval of one hour

Label States Transitions StatesM T ransitionsM σ τA 52 282 8 23 0.15 0.08B 7 11 6 11 0.86 1.0C 28 85 10 33 0.36 0.39D 15 33 9 21 0.6 0.64E 11 19 7 14 0.64 0.74F 34 92 11 30 0.32 0.33G 13 26 8 21 0.62 0.81Table 2: Results using a timeinterval of one day

Label States Transitions StatesM T ransitionsM σ τA 81 579 10 36 0.12 0.06B 7 12 6 12 0.86 1.0C 67 185 12 44 0.18 0.24D 36 84 12 37 0.33 0.44E 11 24 7 16 0.64 0.67F 73 238 11 48 0.15 0.2G 13 31 8 24 0.62 0.77Table 3: Results using a timeinterval of one week

44 Summary and conclusion6 Summary and conclusion

SCADA networks controlling often critical infrastructures are increasingly a subject to cyberattacks. One of the promising methods for improving the security of SCADA networks is theuse of intrusion detection systems. This thesis has investigated the approach of [4] and triedto improve it. For this reason, this thesis first introduced SCADA system and the relatedhard- and software components. The IEC-104 protocol, one of the important protocols usedwithin SCADA networks, was then discussed. Regarding the security of these networks, theterm IDS was explained. Several approaches to intrusion detection were discussed and itwas shown, that these approaches aim at a specific and not always the same goal. This wasfollowed by the introduction of sequence attacks. Chapter three gave an introduction intothe underlying structures of this thesis and its approach to build an IDS. The question whya minimization may be interesting and how a minimization in general works were explained.The representation of sequences in a DTMC is an essential step in this work and was dis-cussed in Sec. 3.4. Furthermore, an algorithm was provided, that builds a DTMC out of asequence. Sec. 3.3 addressed the sequence attacks and how to detect them using a DTMC. Inaddition, possible minimizations were shown as well as some problems regarding sequenceattacks and DTMCs. Finally, Sec. 5 presented results of one possible minimization, usingreal data from a company.Marco Caselli et al. showed that it is possible to detect sequence attacks within SCADAnetworks regarding the IEC-104 protocol [4]. They used a DTMC to model the commu-nication between two devices and anlyzed the resulting structure. This thesis took up theapproach and went one step further. The structure was minimized in order to handle thestate space explosion problem. It was shown that a significant minimization of the DTMCis possible, while still be able to detect the appropriate sequence attack. We were able toreduce the state space of a DTMC describing sequences from a week by over 80% and thetransitions by over 90%. This shows the potential of this approach and was the main aim ofthis work.Nevertheless, it was also shown that the minimization strongly depends on the attackscenario that should be identified, thus each attack scenario needs its own minimization.In order to find a suitable minimization that detects all attack scenarios, one first needs todescribe each minimization for each attack scenario on its own. Afterwards, these minimiza-tions need to be merged into one. It might happen that the minimizations cannot be merged.In that case there does not exist a minimization for that configuration. Furthermore, thisthesis showed that using a DTMC for the detection of sequence attacks lacks an identifica-tion problem. Not all kinds of sequence attacks are possible to describe within a DTMC,since some sequence attacks depend on more than just one time step. Furthermore, some

Summary and conclusion 45of the sequence attacks need precise physical description since some processes like “waterhammer“ strongly depend on the underlying physical process. For precise statements the fre-quence is essential and this may differ, depending if the target is a pipe, a tank or somethingelse. Nevertheless, it is possible with this approach to detect some kinds of sequence attacks.

There is still space for further research, especially the structure which is used to modelthe sequences. It may not be practical to find a new minimization for each device and attackscenario for companies with large installations. Future research may therefore focus onfinding other approaches, that allow faster analysis out of the box. This faces especially theproblem of the expense used to find appropriate minimizations. Upon that, further researchmay also find other approaches that focus on detecting sequence attacks, which depend onmore than one time step. Moreover this thesis didn’t investigate in detecting real sequenceattacks within network traces. Thus, further research may also focus on detecting attacks onreal network traffic. In addition it is worth investigating research in finding out how muchtime can be saved using these minimizations in order to detect sequence attacks.

46 List of FiguresList of Figures

1 Architecture of a SCADA system [8] . . . . . . . . . . . . . . . . . . . . . . . . . 52 Telegram format with variable length (I-format) [10] . . . . . . . . . . . . . . . 63 Structure of the ASDU [10] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Integration of an network based IDS [13] . . . . . . . . . . . . . . . . . . . . . 115 Initial situation of the person in a room [17] . . . . . . . . . . . . . . . . . . . . 156 DTMC representing the person in a corner example [17] . . . . . . . . . . . . 167 DTMC with non-reachable states . . . . . . . . . . . . . . . . . . . . . . . . . . 178 DTMC representing the simple pipe example . . . . . . . . . . . . . . . . . . . 249 DTMC with a violation compared to Fig. 8 by using a non-existing transition 2510 DTMC with a violation compared to Fig. 8 by accessing a non-existent state 2511 DTMC with a violation compared to Fig. 8 by using a transition too frequently 2612 DTMC representing a general limitation . . . . . . . . . . . . . . . . . . . . . . 2713 Order based device reprogramming . . . . . . . . . . . . . . . . . . . . . . . . . 2814 Compromised order based device reprogramming . . . . . . . . . . . . . . . . . 2915 DTMC representing order based device reprogramming incl. other traffic . . 2916 DTMC representing order based device reprogramming incl. other traffic anda violation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2917 DTMC representing order based device reprogramming incl. other traffic -merged IOAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3018 DTMC representing order based device reprogramming incl. other traffic anda violation - merged IOAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3019 DTMC representing the system of four pipes . . . . . . . . . . . . . . . . . . . 3120 DTMC representing the system of four pipes by merging all reading com-mands and all closing commands . . . . . . . . . . . . . . . . . . . . . . . . . . 3221 DTMC representing the system of four pipes by merging some commands . . 3222 DTMC representing legit activities of device B over the period of one day . 3623 Minimized DTMC representing legit activities of device B over the period ofone day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3724 DTMC representing legit activities of device A over the period of one day . . 3825 DTMC representing legit activities of device A over the period of one dayusing the minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3926 DTMC representing legit activities of device A over the period of one week . 4027 Minimized DTMC representing legit activities of device A over the period ofone week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

REFERENCES 47List of Tables

1 Results using a timeinterval of one hour . . . . . . . . . . . . . . . . . . . . . . 432 Results using a timeinterval of one day . . . . . . . . . . . . . . . . . . . . . . 433 Results using a timeinterval of one week . . . . . . . . . . . . . . . . . . . . . 43References

1. Zhu, B., Joseph, A. & Sastry, S. A Taxonomy of Cyber Attacks on SCADA Systemsin Proceedings of the 2011 International Conference on Internet of Things and 4thInternational Conference on Cyber, Physical and Social Computing (IEEE ComputerSociety, 2011), 380–388.2. Garance Burke, J. F. AP Investigation: U.S. power grid vulnerable to foreign hacks<http://lasvegassun.com/news/2015/dec/21/ap-investigation-us-power-

grid-vulnerable-to-forei/> (viewed 06.06.2015).3. Goodin, D. First known hacker-caused power outage signals troubling escalation <http:

//arstechnica.com/security/2016/01/first-known-hacker-caused-power-

outage-signals-troubling-escalation/> (viewed 06.06.2015).4. Caselli, M., Zambon, E., Petit, J. & Kargl, F. Modeling Message Sequences For IntrusionDetection in Industrial Control Systems. IFIP (2015).5. Caselli, M., Zambon, E. & Kargl, F. Sequence-aware Intrusion Detection in IndustrialControl Systems in Proceedings of the 1st ACM Workshop on Cyber-Physical SystemSecurity (ACM, 2015), 13–24.6. Barbosa, R. R. R., Sadre, R. & Pras, A. A first look into SCADA network traffic in NetworkOperations and Management Symposium (NOMS), 2012 IEEE (2012), 518–521.7. Clarke, G. & Reynders, D. Practical Modern SCADA Protocols: DNP3, 60870.5 andRelated Systems (Newnes, 2004).8. Wang, C., Fang, L. & Dai, Y. A Simulation Environment for SCADA Security Analy-sis and Assessment in 2010 International Conference on Measuring Technology andMechatronics Automation 1 (2010), 342–347.9. Sherif, Y. S. & Zahir, S. On power line carrier communication (PLC). MicroelectronicsReliability 24, 781 –791 (1984).10. Garance Burke, J. F. LIAN 98(en) : Protocol IEC 60870-5-104, Telegram structure<http://www.mayor.de/lian98/doc.en/html/u_iec104_struct.htm> (2016).11. Mitchell, R. & Chen, I.-R. A Survey of Intrusion Detection Techniques for Cyber-physicalSystems. ACM Comput. Surv. 46, 55:1–55:29 (Mar. 2014).

http://lasvegassun.com/news/2015/dec/21/ap-investigation-us-power-grid-vulnerable-to-forei/

http://lasvegassun.com/news/2015/dec/21/ap-investigation-us-power-grid-vulnerable-to-forei/

http://arstechnica.com/security/2016/01/first-known-hacker-caused-power-outage-signals-troubling-escalation/



http://www.mayor.de/lian98/doc.en/html/u_iec104_struct.htm

48 References12. Intrusion Detection Systems; Definition, Need And Challenges. SANS Institute Reading

Room (2001).13. Reiner, M. Is your Network Intrusion Detecton System blind in one eye? <https:

//misterreiner.wordpress.com/2010/05/17/is-your-network-intrusion-

detecton-system-blind-in-one-eye/> (viewed 20.06.2015).14. Shah, B. How to Choose Intrusion Detection Solution. SANS Institute Reading Room(2001).15. Clark, R. M. & Deininger, R. A. Protecting the Nation’s Critical Infrastructure: TheVulnerability of U.S. Water Supply Systems. Journal of Contingencies and Crisis Man-agement 8, 73–80 (2000).16. Baier, C. & Katoen, J.-P. Principles of Model Checking (Massachusetts Institute ofTechnology, 2008).17. Schomaker, J. Einführung in die Theorie der Markov-Ketten <http : / / wwwmath .

uni-muenster.de/statistik/lehre/SS12/SeminarAnwendungenWT/Vortraege/

Schomaker.pdf> (viewed 10.06.2015).18. Dehnert, C., Katoen, J.-P. & Parker, D. in Verification, Model Checking, and AbstractInterpretation: 14th International Conference, VMCAI 2013, Rome, Italy, January 20-22,2013. Proceedings 28–47 (Springer Berlin Heidelberg, 2013).19. Hansson, H. & Jonsson, B. A logic for reasoning about time and reliability. FormalAspects of Computing 6, 512–535 (1994).20. Kwiatkowska, M., Norman, G. & Parker, D. Stochastic Model Checking in Formal Meth-ods for the Design of Computer, Communication and Software Systems: PerformanceEvaluation (SFM’07) 4486 (Springer, 2007), 220–270.21. Ross, S. M. Introduction to Probability Models 193–194 (Academic Press, 2006).22. Katoen, J.-P., Kemna, T., Zapreev, I. & Jansen, D. N. in, 87–101 (Springer Berlin Hei-delberg, Berlin, Heidelberg, 2007).23. Combs, G. Wireshark <https://www.wireshark.org/#aboutWS> (2004).24. Gansner, E. R. & North, S. C. An open graph visualization system and its applications tosoftware engineering. SOFTWARE - PRACTICE AND EXPERIENCE 30, 1203–1233(2000).25. Smith, R., Estan, C., Jha, S. & Kong, S. Deflating the Big Bang: Fast and Scalable DeepPacket Inspection with Extended Finite Automata. SIGCOMM Comput. Commun. Rev.38, 207–218 (Aug. 2008).

https://misterreiner.wordpress.com/2010/05/17/is-your-network-intrusion-detecton-system-blind-in-one-eye/



http://wwwmath.uni-muenster.de/statistik/lehre/SS12/SeminarAnwendungenWT/Vortraege/Schomaker.pdf



https://www.wireshark.org/#aboutWS

ferling sequence attacks on scada systems - uni-muenster.de

Documents