APPLYING POLICY-BASED INTRUSION DETECTION TO SCADA NETWORKS
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS); Tanya Roosta (Berkeley)

DESCRIPTION

Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS), Tanya Roosta (Berkeley). Applying policy-based intrusion detection to SCADA networks. PowerPoint presentation; the outline covers SCADA systems, their implementation and threats, policy-based and signature-based intrusion detection, a mesh-networked implementation, and a Tennessee Eastman plant testbed.

Page 1: Applying policy-based intrusion detection to SCADA networks

APPLYING POLICY-BASED INTRUSION DETECTION TO SCADA NETWORKS

Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS)
Tanya Roosta (Berkeley)

Page 2: Applying policy-based intrusion detection to SCADA networks

Outline

• Overview of Supervisory Control and Data Acquisition (SCADA) systems
  • Implementation and threats
• Intrusion Detection System (IDS) for SCADA
  • Policy-based
  • Signature-based
• Implementation
  • Mesh networking and routing protocols
  • IDS structure
• Testbed
  • Scenario: Tennessee Eastman plant
• Summary and future work

Page 3: Applying policy-based intrusion detection to SCADA networks

Outline (section divider; repeats the outline from Page 2)

Page 4: Applying policy-based intrusion detection to SCADA networks

Motivation: SCADA

• Supervisory Control and Data Acquisition: a process control system
• Four main components
  • Sensors
  • Actuators
  • Local control loops
  • Plant-wide control loops
• Applications: power plants, oil and gas pipelines, nuclear, manufacturing
• Next-generation SCADA: wireless networking protocols for sensors and actuators provide new challenges
  • Security
  • Power
  • Link-level reliability

Page 5: Applying policy-based intrusion detection to SCADA networks

State of Security

• Prior to wireless networks: serial links between sensors, actuators and local control loops
• Wireless networks: two methodologies
  • RTUs (Remote Terminal Units) / Intelligent Device Nodes: integrated control, sensors and actuation
    • 802.15.4 and similar low-power ad-hoc networks
    • By default, unsecured
  • Star configuration
    • Low-power direct-to-AP configuration
    • By default, unsecured

Page 6: Applying policy-based intrusion detection to SCADA networks

Plant Management and Operation

• Local control loops report to SCADA master
  • May be located offsite
  • Implies TCP-based connectivity
  • Allows off-site management of a plant or series of plants
  • Generally secured by enterprise-level firewall

Page 7: Applying policy-based intrusion detection to SCADA networks

Security Risks

• Transition from wired serial links to wireless
  • Early implementations used no encryption or security methods
  • Secondary modifications included a firewalled method
• Primary risk is from firewall-based protection
  • Sensors/actuators not locally protected
  • If the firewall is breached, or on-site access is established, control loops are at risk

Page 8: Applying policy-based intrusion detection to SCADA networks

Outline (section divider; repeats the outline from Page 2)

Page 9: Applying policy-based intrusion detection to SCADA networks

Intrusion Detection

• Identification of known attack patterns
  • Jamming: denial of service, radio interference
  • Injection attacks: packet replay
  • Route disruption: re-routing of traffic to an alternate destination; affects mesh-routed networks
  • Packet alteration: difficult to identify
• Related work
  • T. Roosta, S. Shieh, S. Sastry, Taxonomy of Security Attacks in Sensor Networks, 1st International IEEE Conference on System Integration and Reliability Improvements, 2006
  • A. Lauf, R. A. Peters, W. H. Robinson, Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks, Elsevier Journal for Ad-Hoc Networks, submitted for review

Page 10: Applying policy-based intrusion detection to SCADA networks

Intrusion Detection (cont'd)

• Policy approach
  • Usage of pre-defined system-wide policies
  • Best for periodic systems
  • Optimized for deterministic data patterns
  • Attacks trip tolerance levels of monitored services
• Hybrid approaches
  • Frequency detection + cross-correlation approaches

Page 11: Applying policy-based intrusion detection to SCADA networks

Proposed method

• Usage of policy-based IDS as proposed by T. Roosta [1]
• Implementation of IDS in a JVM
  • Allows portability
  • Device cross-compatibility
• Usage of the Tennessee Eastman plant model [2]
  • Simulated in MATLAB Simulink
  • Network simulation performed by TrueTime [3]
• Direct Java interface between MATLAB and IDS
  • IDS to receive local UDP support

[1] T. Roosta, An Intrusion Detection System for Wireless Process Control Systems
[2] J. J. Downs, E. F. Vogel, A Plant-Wide Industrial Process Control Problem, Computers & Chemical Engineering, Vol. 17, No. 3, pp. 245-255, 1993
[3] The TrueTime Project at Lund University, http://www.nt.ntnu.no/users/skoge/prost/proceedings/ifac2002/data/content/01667/1667.pdf

Page 12: Applying policy-based intrusion detection to SCADA networks

Proposed Method (cont'd)

• Policy-based IDS runs on multiple nodes
  • Several copies distributed to select Intelligent Device Nodes ("Field" nodes)
  • Copy on local Access Points ("Master" nodes)
• Policies monitor several factors
  • "Health" packets at 15-minute intervals
  • Average packet size
  • Routing stability

Page 13: Applying policy-based intrusion detection to SCADA networks

What is a policy? Why used?

• Set of conditions and limits
  • Specifies normal operation
  • Ideal for periodic systems
• Each policy covers a system aspect
  • Packet size
  • Radio power
  • Link stability
• Policies provide specific capabilities
  • Determine if particular conditions are met or exceeded
  • Can target an area more precisely than a general traffic-based IDS
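The following is an added example, not code from the project presented on these slides. It shows what "a set of conditions and limits that specifies normal operation" looks like as a small Java policy engine, using the three monitored factors from Page 12: health packets at a 15-minute interval, average packet size, and routing stability. The event record, the policy names, the numeric limits and the sample event data are assumptions made for this example; the page only states which factors are monitored, not how the limits are set.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (assumed design, not the project's code): a policy is a set of
// limits for one system aspect; the engine checks a time-ordered event stream
// from the monitors and reports each point at which a limit is exceeded.
public class PolicyEngine {

    /** One observation from a monitor: node, aspect, time in seconds, value (assumed record). */
    public record Event(String node, String aspect, long timeSec, double value) {}

    /** A policy inspects the event stream and reports every violation of its limits. */
    public interface Policy {
        String name();
        List<String> check(List<Event> events);
    }

    /** Health packets are expected every periodSec per node; a gap beyond period + tolerance
     *  trips the policy (a jammed or failed node simply stops reporting). */
    public static final class HealthIntervalPolicy implements Policy {
        private final long periodSec, toleranceSec;
        public HealthIntervalPolicy(long periodSec, long toleranceSec) { this.periodSec = periodSec; this.toleranceSec = toleranceSec; }
        public String name() { return "health-interval"; }
        public List<String> check(List<Event> events) {
            List<String> out = new ArrayList<>();
            Map<String, Long> lastSeen = new HashMap<>();
            for (Event e : events) {
                if (!e.aspect().equals("health")) continue;
                Long prev = lastSeen.put(e.node(), e.timeSec());   // previous report time, if any
                long gap = prev == null ? 0 : e.timeSec() - prev;
                if (gap > periodSec + toleranceSec)
                    out.add(name() + ": " + e.node() + " silent for " + gap + " s before t=" + e.timeSec());
            }
            return out;
        }
    }

    /** Mean of the last windowSize packet sizes from a node must stay within [minAvg, maxAvg]. */
    public static final class PacketSizePolicy implements Policy {
        private final int windowSize;
        private final double minAvg, maxAvg;
        public PacketSizePolicy(int windowSize, double minAvg, double maxAvg) { this.windowSize = windowSize; this.minAvg = minAvg; this.maxAvg = maxAvg; }
        public String name() { return "packet-size"; }
        public List<String> check(List<Event> events) {
            List<String> out = new ArrayList<>();
            Map<String, List<Double>> windows = new HashMap<>();
            for (Event e : events) {
                if (!e.aspect().equals("packet-size")) continue;
                List<Double> w = windows.computeIfAbsent(e.node(), k -> new ArrayList<>());
                w.add(e.value());
                if (w.size() > windowSize) w.remove(0);   // keep a sliding window
                if (w.size() < windowSize) continue;      // not enough samples yet
                double avg = w.stream().mapToDouble(Double::doubleValue).average().orElse(0);
                if (avg < minAvg || avg > maxAvg)
                    out.add(name() + ": " + e.node() + " average " + avg + " bytes at t=" + e.timeSec());
            }
            return out;
        }
    }

    /** More than maxChanges route changes by one node inside windowSec marks the route as unstable. */
    public static final class RoutingStabilityPolicy implements Policy {
        private final long windowSec;
        private final int maxChanges;
        public RoutingStabilityPolicy(long windowSec, int maxChanges) { this.windowSec = windowSec; this.maxChanges = maxChanges; }
        public String name() { return "routing-stability"; }
        public List<String> check(List<Event> events) {
            List<String> out = new ArrayList<>();
            Map<String, List<Long>> recent = new HashMap<>();
            for (Event e : events) {
                if (!e.aspect().equals("route-change")) continue;
                List<Long> ts = recent.computeIfAbsent(e.node(), k -> new ArrayList<>());
                ts.add(e.timeSec());
                ts.removeIf(t -> t < e.timeSec() - windowSec);   // drop changes outside the window
                if (ts.size() > maxChanges)
                    out.add(name() + ": " + e.node() + " changed route " + ts.size() + " times within " + windowSec + " s");
            }
            return out;
        }
    }

    /** Constructed sample data: F1 behaves normally; F2 misses one health report,
     *  then sends oversized packets and flaps its route. */
    public static List<String> demo() {
        List<Event> events = new ArrayList<>();
        for (int i = 0; i < 4; i++) {
            events.add(new Event("F1", "health", i * 900L, 1));
            events.add(new Event("F1", "packet-size", i * 900L + 5, 48));
        }
        events.add(new Event("F2", "health", 0, 1));
        events.add(new Event("F2", "health", 900, 1));
        events.add(new Event("F2", "health", 2700, 1));          // the report due at 1800 s is missing
        for (int i = 0; i < 4; i++) events.add(new Event("F2", "packet-size", 2700 + i, 120));
        for (int i = 0; i < 5; i++) events.add(new Event("F2", "route-change", 2800 + i * 10L, 1));
        events.sort(Comparator.comparingLong(Event::timeSec));  // policies assume time order

        List<Policy> policies = List.of(
            new HealthIntervalPolicy(900, 60),      // 15-minute health packets with one minute of slack
            new PacketSizePolicy(4, 16, 96),
            new RoutingStabilityPolicy(300, 3));
        List<String> violations = new ArrayList<>();
        for (Policy p : policies) violations.addAll(p.check(events));
        return violations;
    }

    public static void main(String[] args) {
        demo().forEach(System.out::println);
    }
}
```

With this data set the health policy fires once for F2 (an 1800 s gap against a 960 s limit), the packet-size policy fires once when F2's four-sample window averages 120 bytes, and the routing policy fires on the fourth and fifth route change, while F1 never trips a limit. Because each policy is scoped to one aspect and one node, a violation names the affected field node directly, which is the targeting advantage over a general traffic-based IDS that the slide claims.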

Page 14: Applying policy-based intrusion detection to SCADA networks

Outline (section divider; repeats the outline from Page 2)

Page 15: Applying policy-based intrusion detection to SCADA networks

Routing

• Assuming 802.15.4 ZigBee networking between nodes
• AODV mesh routing protocol: Ad Hoc On-Demand Distance Vector Routing
  • Reduces need for constant radio power
  • Creates routes as needed

Page 16: Applying policy-based intrusion detection to SCADA networks

Application of IDS

• Policy-based IDS added to several key nodes on the mesh-routed network
• AP also runs an instance of the IDS
• JVM allows device independence: Intelligent Device Nodes can run the same IDS code
• Policies are dynamically allocated, revoked and updated

Page 17: Applying policy-based intrusion detection to SCADA networks

Attack methods

• No data available on proprietary plant technologies, let alone attacks
• Simulation of attacks to follow logical choices
  • Jamming of one node
  • Jamming of several nodes
  • Packet alteration/checksum failures
  • Temporal disruption
  • Routing/link/PHY failures
• Testing will consist of Simulink trial runs together with varying IDS policies

Page 18: Applying policy-based intrusion detection to SCADA networks

IDS Structure

• IDS is comprised of 4 core Java components
  • IDS engine/policy adherence verification
  • Policy management
  • Event management
  • System control
• Policy management is dynamic
• Instance runs on a JVM and receives event data from embedded C-based monitoring applications

Page 19: Applying policy-based intrusion detection to SCADA networks

Outline (section divider; repeats the outline from Page 2)

Page 20: Applying policy-based intrusion detection to SCADA networks

Choosing a Plant Model

• Tennessee Eastman plant model chosen as test system
  • Represents a well-known chemical process control case
  • Uses "real-world" data in simulation
  • Provides MATLAB Simulink simulation
  • Can be adapted for a networked simulation
• TrueTime used as network discrete event simulator
  • Integrates easily into the existing Tennessee Eastman plant simulation
  • Multiple physical layer simulation methods
  • Can provide real-time data to the IDS

Page 21: Applying policy-based intrusion detection to SCADA networks

Example: TN Eastman Plant

• Sensor/actuator systems are grouped and discretized
• Discrete components are matched to Intelligent Device Nodes with networking capabilities
• Certain nodes are fitted with copies of the IDS
  • Monitors routing, received data, sent data, packet size, frequency, health, radio power, etc.
• Access Point is also fitted with a copy of the IDS

Page 22: Applying policy-based intrusion detection to SCADA networks

AODV TrueTime implementation

• Each node implements the TrueTime kernel
• Capable of reading data inputs as well as routing
• Sends data for consumption between nodes
• Data sent to SCADA master

Page 23: Applying policy-based intrusion detection to SCADA networks

IDS localization

• Local Field IDS
• Sensor/actuator Intelligent Device Node (1 of 6)

Page 24: Applying policy-based intrusion detection to SCADA networks

IDS setup

• Simulink sensor and actuator blocks discretized
• Data routed via AODV network and TrueTime
• IDS linked via MATLAB Java to selected nodes
• IDS monitors events based on prescribed policies
• In real-world scenario
  • Specialized monitor apps report to IDS via UDP
  • IDS runs on localized JVM

[Figure: Controller feeding four CMonitor instances, which report over UDP to the JVM running the IDS and its policies]
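The following is an added example, not code from the project on these slides. It covers the event path described on Page 18 and Page 24: monitor applications report to the IDS over local UDP, the IDS on the JVM turns each report into an event, and a dynamic policy table lets policies be allocated, revoked and updated while the IDS is running. The text format of the datagram ("monitor=...;node=...;metric=...;value=..."), the metric names, the limits and the sample reports are all assumptions for this example; the slides only state that the C-based monitors report over UDP.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;

// Added example (assumed design, not the project's code): UDP event ingestion
// from monitor applications plus a policy table that changes at run time.
public class MonitorReceiver {

    /** One parsed monitor report (assumed record layout). */
    public record Event(String monitor, String node, String metric, double value) {}

    /** Parses the assumed datagram format "monitor=<name>;node=<id>;metric=<m>;value=<number>".
     *  Any malformed datagram yields Optional.empty() so bad input cannot crash the receiver. */
    public static Optional<Event> parse(String line) {
        Map<String, String> kv = new HashMap<>();
        for (String part : line.trim().split(";")) {
            int eq = part.indexOf('=');
            if (eq <= 0) return Optional.empty();
            kv.put(part.substring(0, eq), part.substring(eq + 1));
        }
        if (!kv.keySet().containsAll(List.of("monitor", "node", "metric", "value"))) return Optional.empty();
        try {
            return Optional.of(new Event(kv.get("monitor"), kv.get("node"), kv.get("metric"),
                                         Double.parseDouble(kv.get("value"))));
        } catch (NumberFormatException ex) {
            return Optional.empty();
        }
    }

    /** Policy table that can change while the IDS runs. A policy here is a predicate that is true
     *  when an event violates it; allocate() with an existing name updates that policy in place. */
    public static final class PolicyManager {
        private final Map<String, Predicate<Event>> policies = new ConcurrentHashMap<>();
        public void allocate(String name, Predicate<Event> violates) { policies.put(name, violates); }
        public void revoke(String name) { policies.remove(name); }
        public List<String> evaluate(Event e) {
            List<String> hits = new ArrayList<>();
            policies.forEach((name, p) -> { if (p.test(e)) hits.add(name + " violated: " + e); });
            return hits;
        }
    }

    /** Blocks for one datagram, parses it and evaluates the current policies against it. */
    public static List<String> receiveOne(DatagramSocket sock, PolicyManager pm) throws IOException {
        byte[] buf = new byte[512];
        DatagramPacket pkt = new DatagramPacket(buf, buf.length);
        sock.receive(pkt);
        String line = new String(pkt.getData(), pkt.getOffset(), pkt.getLength(), StandardCharsets.UTF_8);
        return parse(line).map(pm::evaluate).orElseGet(() -> List.of("dropped malformed datagram: " + line));
    }

    /** Constructed run on the loopback interface: one socket plays a monitor, the other the IDS. */
    public static void main(String[] args) throws IOException {
        PolicyManager pm = new PolicyManager();
        pm.allocate("packet-size", e -> e.metric().equals("packet-size") && e.value() > 96);
        pm.allocate("radio-power", e -> e.metric().equals("radio-power") && e.value() > 10);
        try (DatagramSocket ids = new DatagramSocket(0, InetAddress.getLoopbackAddress());
             DatagramSocket monitor = new DatagramSocket()) {
            ids.setSoTimeout(2000);                         // never hang if a datagram is lost
            String[] reports = {                            // constructed monitor reports
                "monitor=CMonitor1;node=F2;metric=packet-size;value=120",   // trips packet-size
                "monitor=CMonitor2;node=F2;metric=radio-power;value=12",    // trips radio-power
                "monitor=CMonitor2;node=F2;metric=radio-power;value=12",    // same report after revoke
                "garbage;;"                                                 // malformed, dropped
            };
            for (int i = 0; i < reports.length; i++) {
                if (i == 2) pm.revoke("radio-power");       // policy revoked while the IDS is running
                byte[] b = reports[i].getBytes(StandardCharsets.UTF_8);
                monitor.send(new DatagramPacket(b, b.length, ids.getLocalAddress(), ids.getLocalPort()));
                System.out.println(reports[i] + " -> " + receiveOne(ids, pm));
            }
        }
    }
}
```

The receiver is bound to the loopback address only, which matches the slide's "local UDP support": monitor applications on the same device reach the IDS, but nothing on the radio network can inject reports into it. A real deployment would still want the monitors to authenticate their reports, because a UDP datagram carries no sender identity on its own; the parser's refusal of malformed input is the minimum a listener that consumes untrusted bytes should do.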

Page 25: Applying policy-based intrusion detection to SCADA networks

Summary and Future Work

• Development of routing model in progress
• IDS complete
• IDS instance generation in progress
• Attack synthesis in progress