Examines the design and use of Intrusion Detection Systems (IDS) to secure Supervisory Control and Data Acquisition (SCADA) systems.
Cyber-attacks on SCADA systems (the control system architecture that uses computers, networked data communications, and graphical user interfaces for high-level process supervisory management) can lead to costly financial consequences or even result in loss of life. Minimizing potential risks and responding to malicious actions requires innovative approaches for monitoring SCADA systems and protecting them from targeted attacks. SCADA Security: Machine Learning Concepts for Intrusion Detection and Prevention is designed to help security and networking professionals develop and deploy accurate and effective Intrusion Detection Systems (IDS) for SCADA systems that leverage autonomous machine learning. Providing expert insights, practical advice, and up-to-date coverage of developments in SCADA security, this authoritative guide presents a new approach for efficient unsupervised IDS driven by SCADA-specific data. Organized into eight in-depth chapters, the text first discusses how traditional IT attacks can also be possible against SCADA, and describes essential SCADA concepts, systems, architectures, and main components. Following chapters introduce various SCADA security frameworks and approaches, including evaluating security with virtualization-based SCADAVT, using SDAD to extract proximity-based detection, finding a global and efficient anomaly threshold with GATUD, and more.
This important book:
* Provides diverse perspectives on establishing an efficient IDS approach that can be implemented in SCADA systems
* Describes the relationship between main components and three generations of SCADA systems
* Explains the classification of a SCADA IDS based on its architecture and implementation
* Surveys the current literature in the field and suggests possible directions for future research
SCADA Security: Machine Learning Concepts for Intrusion Detection and Prevention is a must-read for all SCADA security and networking researchers, engineers, system architects, developers, managers, lecturers, and other SCADA security industry practitioners.
Page count: 351
Year of publication: 2020
Cover
Title Page
Copyright Page
FOREWORD
PREFACE
ACRONYMS
CHAPTER 1: Introduction
1.1 Overview
1.2 EXISTING SOLUTIONS
1.3 SIGNIFICANT RESEARCH PROBLEMS
1.4 BOOK FOCUS
1.5 BOOK ORGANIZATION
CHAPTER 2: Background
2.1 SCADA SYSTEMS
2.2 INTRUSION DETECTION SYSTEM (IDS)
2.3 IDS Approaches
CHAPTER 3: SCADA‐Based Security Testbed
3.1 MOTIVATION
3.2 GUIDELINES TO BUILDING A SCADA SECURITY TESTBED
3.3 SCADAVT DETAILS
3.4 SCADAVT APPLICATION
3.5 ATTACK SCENARIOS
3.6 CONCLUSION
3.7 APPENDIX FOR THIS CHAPTER
CHAPTER 4: Efficient k‐Nearest Neighbour Approach Based on Various‐Widths Clustering
4.1 INTRODUCTION
4.2 RELATED WORK
4.3 THE kNNVWC APPROACH
4.4 EXPERIMENTAL EVALUATION
4.5 CONCLUSION
CHAPTER 5: SCADA Data‐Driven Anomaly Detection
5.1 INTRODUCTION
5.2 SDAD APPROACH
5.3 EXPERIMENTAL SETUP
5.4 RESULTS AND ANALYSIS
5.5 SDAD LIMITATIONS
5.6 CONCLUSION
CHAPTER 6: A Global Anomaly Threshold to Unsupervised Detection
6.1 INTRODUCTION
6.2 RELATED WORK
6.3 GATUD APPROACH
6.4 EXPERIMENTAL SETUP
6.5 RESULTS AND DISCUSSION
6.6 CONCLUSION
CHAPTER 7: Threshold Password‐Authenticated Secret Sharing Protocols
7.1 MOTIVATION
7.2 EXISTING SOLUTIONS
7.3 DEFINITION OF SECURITY
7.4 TPASS PROTOCOLS
7.5 SECURITY ANALYSIS
7.6 EXPERIMENTS
7.7 CONCLUSION
CHAPTER 8: Conclusion
SUMMARY
FUTURE WORK
REFERENCES
INDEX
Wiley Series on Parallel and Distributed Computing
End User License Agreement
Chapter 3
TABLE 3.1 A Screenshot of the Configuration of IOModuleGate
TABLE 3.2 The distribution of people throughout the areas
TABLE 3.3 Melburnians' Average Water Usage per Day over Week
TABLE 3.4 The Deployment of PLCs over Field Areas
TABLE 3.5 Field Devices and Their Respective Supervised Devices
TABLE 3.6 The Control and Monitoring Instructions that MTU Performs Through E...
TABLE 3.7 Mapping of Modbus Registers to the Process Parameters of the Implem...
TABLE 3.8 Mapping of Modbus Registers to the Process Parameters of the Implem...
TABLE 3.9 Mapping of Modbus Registers to the Process Parameters of the Implem...
TABLE 3.10 Mapping of Modbus Registers to the Process Parameters of the Imple...
TABLE 3.11 Mapping of Modbus Registers to the Process Parameters of the Imple...
TABLE 3.12 Mapping of Modbus Registers to the Process Parameters of the Imple...
TABLE 3.13 Mapping of Modbus Registers to the Process Parameters of the Imple...
TABLE 3.14 Mapping of Modbus Registers to the Process Parameters of the Imple...
Chapter 4
TABLE 4.1 Variables, data structures, and functions employed by kNNVWC
TABLE 4.2 Variables, data structures, and functions employed by kNNVWC
TABLE 4.3 The average reduction rate of distance calculations against Ek‐NN
Chapter 5
TABLE 5.1 The Separation Accuracy of Inconsistent Observations on DUWWTP
TABLE 5.2 The Separation Accuracy of Inconsistent Observations on SimData1
TABLE 5.3 The Separation Accuracy of Inconsistent Observations on SimData2
TABLE 5.4 The Separation Accuracy of Inconsistent Observations on SIRD
TABLE 5.5 The Separation Accuracy of Inconsistent Observations on SORD
TABLE 5.6 The Separation Accuracy of Inconsistent Observations on MORD
TABLE 5.7 The Separation Accuracy of Inconsistent Observations on MIRD
TABLE 5.8 The Detection Accuracy Results of k‐Means in Detecting Consistent/In...
TABLE 5.9 The Detection Accuracy Results of k‐Means in Detecting Consistent/Inco...
TABLE 5.10 The Detection Accuracy Results of k‐Means in Detecting Consistent/Inc...
TABLE 5.11 The Detection Accuracy Results of k‐Means in Detecting Consistent/Inc...
TABLE 5.12 The Detection Accuracy Results of k‐Means in Detecting Consistent/Inc...
TABLE 5.13 The Detection Accuracy Results of k‐Means in Detecting Consistent/Inc...
TABLE 5.14 The Detection Accuracy Results of k‐Means in Detecting Consistent/Incon...
TABLE 5.15 The Detection Accuracy of the Proximity‐Detection Rules on DUWWTP
TABLE 5.16 The Detection Accuracy of the Proximity‐Detection Rules on SimData...
TABLE 5.17 The Detection Accuracy of the Proximity‐Detection Rules on SimData...
TABLE 5.18 The Detection Accuracy of the Proximity‐Detection Rules on SIRD
TABLE 5.19 The Detection Accuracy of the Proximity‐Detection Rules on SORD
TABLE 5.20 The Detection Accuracy of the Proximity‐Detection Rules on MORD
TABLE 5.21 The Detection Accuracy of the Proximity‐Detection Rules on MIRD
TABLE 5.22 The Illustration of the Acceptable Thresholds That Produce Signif...
Chapter 6
TABLE 6.1 Prediction Results for Decision Models on a Testing Observation
TABLE 6.2 The Separation Accuracy of Inconsistent Observations With/Without G...
TABLE 6.3 The Separation Accuracy of Inconsistent Observations With/Without G...
TABLE 6.4 The Separation Accuracy of Inconsistent Observations With/Without GATU...
TABLE 6.5 The Separation Accuracy of Inconsistent Observations With/Without GATU...
TABLE 6.6 The Separation Accuracy of Inconsistent Observations With/Without GATU...
TABLE 6.7 The Separation Accuracy of Inconsistent Observations With/Without G...
TABLE 6.8 The Separation Accuracy of Inconsistent Observations With/Without GATUD...
TABLE 6.9 The Detection Accuracy of the Proximity‐Detection Rules That Have B...
TABLE 6.10 The Detection Accuracy of the Proximity‐Detection Rules That Have Bee...
TABLE 6.11 The Detection Accuracy of the Proximity‐Detection Rules That Have Bee...
TABLE 6.12 The Detection Accuracy of the Proximity‐Detection Rules That Have Bee...
TABLE 6.13 The Detection Accuracy of the Proximity‐Detection Rules That Have Bee...
TABLE 6.14 The Detection Accuracy of the Proximity‐Detection Rules That Have Bee...
TABLE 6.15 The Detection Accuracy of the Proximity‐Detection Rules That Have ...
TABLE 6.16 The Acceptable Thresholds that Produce Significant accuracy resul...
TABLE 6.17 The Detection Accuracy of k‐Means Clustering Algorithm With/Without...
TABLE 6.18 The Detection Accuracy of k‐Means Clustering Algorithm With/Without G...
TABLE 6.19 The Detection Accuracy of k‐Means Clustering Algorithm With/Without G...
TABLE 6.20 The Detection Accuracy of k‐Means Clustering Algorithm With/Without G...
TABLE 6.21 The Detection Accuracy of k‐Means Clustering Algorithm With/Without G...
TABLE 6.22 The Detection Accuracy of k‐Means Clustering Algorithm With/Without G...
TABLE 6.23 The Detection Accuracy of k‐Means Clustering Algorithm With/Without...
Chapter 7
TABLE 7.1 Performance Comparison of the Camenisch et al. Protocol and the des...
Chapter 1
Figure 1.1 SCADA vulnerabilities revealed since 2001 in OSVDB.
Chapter 2
Figure 2.1 First‐generation SCADA architecture.
Figure 2.2 Second‐generation SCADA architecture.
Figure 2.3 Third‐generation SCADA architecture.
Figure 2.4 The Modbus frame.
Chapter 3
Figure 3.1 SCADAVT Architecture.
Figure 3.2 IOModules protocol message structure.
Figure 3.3 The protocol message structure of the WaterSystem Server.
Figure 3.4 The simulation of a water distribution system.
Figure 3.5 SCADA network topology for controlling the scenario of the water ...
Figure 3.6 The water levels over a period of time for
and
without contro...
Figure 3.7 The water levels over a period of time for
and
with control s...
Figure 3.8 The unsuccessful and successful connections and their elapsed tim...
Figure 3.9 The effect of DDoS, which targets
, on the water volume of
and...
Figure 3.10 The effect of an integrity attack, which targets
, on the water...
Chapter 4
Figure 4.1 Clustering of the two first principal components of a sample of t...
Figure 4.2 An illustration of the use of the triangle inequality for searchi...
Figure 4.3 An investigation of the impact of cluster size, which is influenc...
Figure 4.4 The efficiency of the baseline methods and kNNVWC against Ek‐NN in...
Figure 4.5 The construction time of the baseline methods and kNNVWC for each...
Chapter 5
Figure 5.1 Compromised FEP sends undesired command and falsifies the feedbac...
Figure 5.2 Compromised application server sending false information.
Figure 5.3 The steps of the SDAD approach.
Figure 5.4 The normal operation of the SCADA points
,
,
,
,
,
.
Figure 5.5 Illustration of an inconsistency scoring method based on intra‐cl...
Figure 5.6 (a and c) The behavior of consistent/inconsistent observations of...
Figure 5.7 The extracted proximity‐detection rules for two data points (attr...
Figure 5.8 Simulation of a water distribution system.
Chapter 6
Figure 6.1 Overview of GATUD.
Figure 6.2 The categorization of unlabeled data after applying the anomaly‐s...
Chapter 7
Figure 7.1 Security with TPASS.
Figure 7.2 The TPASS Protocol based on a Two‐Phase Commitment.
Figure 7.3 The TPASS Protocol based on Zero‐Knowledge Proof.
Figure 7.4 Comparison of time spent (in seconds) for setting up.
Figure 7.5 Comparison of communication size (in KB) for setting up.
Figure 7.6 Comparison of time spent for retrieving.
Figure 7.7 Comparison of communication size for retrieving.
Figure 7.8 Comparison of average time spent by a server in retrieving.
Figure 7.9 Comparison of average communication size for a server in retrievi...
Wiley Series On Parallel and Distributed Computing
Series Editor: Albert Y. Zomaya
A complete list of titles in this series appears at the end of this volume.
Abdulmohsen Almalawi
King Abdulaziz University
Zahir Tari
RMIT University
Adil Fahad
Al Baha University
Xun Yi
RMIT University
This edition first published 2021
© 2021 John Wiley & Sons, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Abdulmohsen Almalawi, Zahir Tari, Adil Fahad, Xun Yi to be identified as the authors of this work has been asserted in accordance with law.
Registered Office
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
Editorial Office
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data:
Names: Almalawi, Abdulmohsen, author. | Tari, Zahir, author. | Fahad, Adil, author. | Yi, Xun, author.
Title: SCADA security : machine learning concepts for intrusion detection and prevention / Abdulmohsen Almalawi, King Abdulaziz University, Zahir Tari, RMIT University, Adil Fahad, Al Baha University, Xun Yi, Royal Melbourne Institute of Technology.
Description: Hoboken, NJ, USA : Wiley, 2021. | Series: Wiley series on parallel and distributed computing | Includes bibliographical references and index.
Identifiers: LCCN 2020027876 (print) | LCCN 2020027877 (ebook) | ISBN 9781119606031 (cloth) | ISBN 9781119606079 (adobe pdf) | ISBN 9781119606352 (epub)
Subjects: LCSH: Supervisory control systems. | Automatic control–Security measures. | Intrusion detection systems (Computer security) | Machine learning.
Classification: LCC TJ222 .A46 2021 (print) | LCC TJ222 (ebook) | DDC 629.8/95583–dc23
LC record available at https://lccn.loc.gov/2020027876
LC ebook record available at https://lccn.loc.gov/2020027877
Cover Design: Wiley
Cover Image: © Nostal6ie/Getty Images
To our dear parents
In recent years, SCADA systems have been interfaced with enterprise systems, which has exposed them to the vulnerabilities of the Internet and to its security threats. As a result, cyber intrusions targeting these systems have increased and have become a global and urgent problem, because compromising a SCADA system can lead to large financial losses and serious impact on public safety and the environment. As a countermeasure, Intrusion Detection Systems (IDSs) tailored for SCADA are designed to identify intrusions by comparing observable behavior against suspicious patterns, and to notify administrators by raising intrusion alarms. In the existing literature, three types of learning methods are often adopted by an IDS for learning system behavior and building the detection models, namely supervised, semi‐supervised, and unsupervised. In supervised learning, an anomaly‐based IDS requires class labels for both normal and abnormal behavior in order to build normal/abnormal profiles. This type of learning is, however, costly and time‐consuming, because the class labels must be identified for a large amount of data. Hence, semi‐supervised learning is introduced as an alternative solution, where an anomaly‐based IDS builds only normal profiles from the normal data that is collected over a period of “normal” operations. The main drawback of this learning method is that comprehensive and “purely” normal data are not easy to obtain: the collection of normal data requires that a given system operates under normal conditions for a long time, and intrusive activities may occur during this data collection period. On the other hand, relying only on abnormal data for building abnormal profiles is infeasible, since the abnormal behavior that may occur in the future cannot be known in advance.
Alternatively, and for preventing threats that are new or unknown, an anomaly‐based IDS uses unsupervised learning methods to build normal/abnormal profiles from unlabeled data, where prior knowledge about normal/abnormal data is not known. Indeed, this is a cost‐efficient method since it can learn from unlabeled data. This is because human expertise is not required to identify the behavior (whether normal or abnormal) for each observation in a large amount of training data sets. However, it suffers from low efficiency and poor accuracy.
This book provides the latest research and best practices of unsupervised intrusion detection methods tailored for SCADA systems. In Chapter 3, a framework for a SCADA security testbed based on virtualisation technology is described for evaluating and testing the practicality and efficacy of any proposed SCADA security solution. Such a testbed is a salient part of evaluating and testing, because actual SCADA systems cannot be used for these purposes: their availability and performance, which are the most important issues, are likely to be affected when analysing vulnerabilities, threats, and the impact of attacks. In the literature, the k‐Nearest Neighbour (k‐NN) algorithm was found to be one of the top ten most interesting and best algorithms for data mining in general, and in particular it has demonstrated promising results in anomaly detection. However, the traditional k‐NN algorithm suffers from high computational cost and the “curse of dimensionality”, since it needs a large number of distance calculations. Chapter 4 describes a novel k‐NN algorithm that works efficiently on high‐dimensional data of various distributions, together with an extensive experimental study and comparison with several algorithms on benchmark data sets. Chapters 5 and 6 introduce the practicality and possibility of unsupervised intrusion detection methods tailored for SCADA systems, and demonstrate the accuracy of unsupervised anomaly detection methods that build normal/abnormal profiles from unlabeled data. Finally, Chapter 7 describes two authentication protocols to efficiently protect SCADA systems, and Chapter 8 concludes with the various solutions/methods described in this book and outlines possible future extensions of these methods.
Supervisory Control and Data Acquisition (SCADA) systems have been integrated to control and monitor industrial processes and our daily critical infrastructures, such as electric power generation, water distribution, and waste water collection systems. This integration adds valuable input to improve the safety of the process and the personnel, as well as to reduce operation costs. However, any disruption to SCADA systems could result in financial disasters or may lead to loss of life in a worst case scenario. Therefore, in the past, such systems were secure by virtue of their isolation and only proprietary hardware and software were used to operate these systems. In other words, these systems were self‐contained and totally isolated from the public network (e.g., the Internet). This isolation created the myth that malicious intrusions and attacks from the outside world were not a big concern, and such attacks were expected to come from the inside. Therefore, when developing SCADA protocols, the security of the information system was given no consideration.
In recent years, SCADA systems have begun to shift away from using proprietary and customized hardware and software to using Commercial‐Off‐The‐Shelf (COTS) solutions. This shift has increased their connectivity to public networks using standard protocols (e.g., TCP/IP), and has decreased reliance on specific vendors. Undoubtedly, this increases productivity and profitability, but it also exposes these systems to cyber threats. Only a low percentage of companies carry out security reviews of the COTS applications they use; a high percentage perform no security assessment at all and rely only on vendor reputation or legal liability agreements, and some have no policies whatsoever regarding the use of COTS solutions.
The adoption of COTS solutions is a time‐ and cost‐efficient means of building SCADA systems. In addition, COTS‐based devices are intended to operate on traditional Ethernet networks and the TCP/IP stack. This feature allows devices from various vendors to communicate with each other, and it also makes it possible to remotely supervise and control critical industrial systems from any place and at any time using the Internet. Moreover, wireless technologies can efficiently be used to provide mobility and local control for multivendor devices at a low cost for installation and maintenance. However, the convergence of state‐of‐the‐art communication technologies exposes SCADA systems to all the inherent vulnerabilities of these technologies.
An awareness of the potential threats to SCADA systems and the need to reduce risk and mitigate vulnerabilities has recently become a hot research topic in the security area. Indeed, the increase of SCADA network traffic makes the manual monitoring and analysis of traffic data by experts time‐consuming, infeasible, and very expensive. For this reason, researchers began to employ Machine Learning (ML)‐based methods to develop Intrusion Detection Systems (IDSs) by which normal and abnormal behaviors of network traffic are learned automatically, with no or limited domain‐expert intervention. In addition to the acceptance of IDSs as a fundamental piece of security infrastructure for detecting new attacks, they are cost‐efficient solutions for monitoring network behaviors with high accuracy. Therefore, IDSs have been adopted in SCADA systems. The type of information source and the detection method are the salient components that play a major role in developing an IDS. Network traffic and events at the system and application levels are examples of information sources. The detection methods are broadly categorized into two types: signature‐based and anomaly‐based. The former can detect only an attack whose signature is already known, while the latter can detect unknown attacks by looking for activities that deviate from an expected pattern (or behavior). The differences between the nature and characteristics of traditional IT and SCADA systems have motivated security researchers to develop SCADA‐specific IDSs. Recent research on this topic found that the modelling of measurement and control data, called SCADA data, is promising as a means of detecting malicious attacks intended to jeopardize SCADA systems. However, the development of efficient and accurate detection models/methods is still an open research area.
Anomaly‐based detection methods can be built in three modes, namely supervised, semi‐supervised, or unsupervised. Class labels must be available for the first mode; however, this type of learning is costly and time‐consuming, because domain experts are required to label hundreds of thousands of data observations. The second mode is based on the assumption that the training data set represents only one behavior, either normal or abnormal. There are a number of issues pertaining to this mode. The system has to operate for a long time under normal conditions in order to obtain purely normal data that comprehensively represent normal behaviors, yet there is no guarantee that no anomalous activity will occur during the data collection period. On the other hand, it is challenging to obtain a training data set that covers all possible anomalous behaviors that can occur in the future. Alternatively, the unsupervised mode is the most popular form of anomaly‐based detection model that addresses the aforementioned issues, since such models can be built from unlabeled data without prior knowledge about normal/abnormal behaviors. However, the low efficiency and accuracy of this type of learning remain challenging issues.
There are books on the market that describe the various SCADA‐based unsupervised intrusion detection methods; they are, however, relatively unfocused and lacking in detail on the methods for SCADA systems in terms of detection approaches, implementation, data collection, evaluation, and intrusion response. Briefly, this book provides the reader with the tools that are intended to support the practical development and implementation of SCADA security in general. Moreover, this book introduces solutions to practical problems that SCADA intrusion detection systems experience when building unsupervised intrusion detection methods from unlabeled data. The major challenge was to bring various aspects of SCADA intrusion detection systems, such as building unsupervised anomaly detection methods and evaluating their respective performance, under a single umbrella.
The target audience of this book is composed of professionals and researchers working in the field of SCADA security. At the same time, it can be used by researchers who could be interested in SCADA security in general and building SCADA unsupervised intrusion detection systems in particular. Moreover, this book may aid them to gain an overview of a field that is still largely dominated by conference publications and a disparate body of literature.
The book has seven main chapters, organized as follows. Chapter 3 deals with the establishment of a SCADA security testbed, which is a salient part of evaluating and testing the practicality and efficacy of any proposed SCADA security solution, since evaluation and testing on actual SCADA systems are not feasible: their availability and performance are most likely to be affected. Chapter 4 looks in much more detail at a novel, efficient k‐Nearest Neighbour approach based on Various‐Widths Clustering, named kNNVWC, which addresses the infeasibility of using the k‐nearest neighbour approach with large and high‐dimensional data. In Chapter 5, a novel SCADA Data‐Driven Anomaly Detection (SDAD) approach is described in detail. This chapter demonstrates the practicality of a clustering‐based method for extracting proximity‐based detection rules that comprise only a tiny portion of the training data while maintaining the representative nature of the original data. Chapter 6 looks in detail at a novel, promising approach, called GATUD (Global Anomaly Threshold to Unsupervised Detection), that can improve the accuracy of unsupervised anomaly detection approaches that comply with the following assumptions: (i) the number of normal observations in the data set vastly outnumbers the abnormal observations, and (ii) the abnormal observations are statistically different from normal ones. Finally, Chapter 7 looks at authentication protocols in SCADA systems, which enable secure communication between all the components of such systems. This chapter describes two efficient TPASS protocols for SCADA systems: one is built on two‐phase commitment and has lower computation complexity, and the other is based on zero‐knowledge proof and has fewer communication rounds. Both protocols are particularly efficient for the client, who only needs to send a request and receive a response.
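As an added illustration of the unsupervised mode described above (example code written for this page, not the authors' SDAD, GATUD or kNNVWC implementations), the following Python script scores a set of constructed SCADA readings by the mean distance to their k nearest other readings and derives the alarm threshold from the scores themselves, so no class labels are needed. The sample data, the column names (tank level, pump flow, valve position), the k‐NN‐distance score and the interquartile‐range fence are all assumptions of the example; the data‐derived threshold works only because the two assumptions stated for GATUD hold in the sample: anomalous readings are rare and lie far from normal ones.

```python
"""Unsupervised k-NN-distance anomaly scoring over constructed SCADA readings.

Added example; the data, score and threshold rule are assumptions made here,
not the book's SDAD/GATUD/kNNVWC methods.
"""
import math
from typing import List, Sequence, Tuple

# One observation = (tank_level_pct, pump_flow_lps, valve_pct); names are assumed.
Observation = Tuple[float, float, float]

# Constructed sample (not real plant data): 24 readings of routine operation on a
# tight grid, followed by three readings that deviate sharply (indices 24-26).
NORMAL_OBSERVATIONS: List[Observation] = [
    (level, flow, valve)
    for level in (55.0, 58.0, 61.0, 64.0)
    for flow in (11.0, 12.0, 13.0)
    for valve in (48.0, 52.0)
]
OBSERVATIONS: List[Observation] = NORMAL_OBSERVATIONS + [
    (95.0, 0.0, 100.0),  # tank near overflow, pump reported stopped, valve fully open
    (5.0, 30.0, 0.0),    # tank nearly empty, flow far above anything seen, valve shut
    (60.0, 12.0, 5.0),   # level and flow look routine, the valve reading does not
]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    """Plain Euclidean distance between two equally long readings."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_scores(data: Sequence[Observation], k: int) -> List[float]:
    """Score each observation by the mean distance to its k nearest *other* observations.

    Exhaustive search: every pair is compared, i.e. O(n^2) distance calculations.
    That cost is exactly what motivates pruning schemes such as the kNNVWC approach
    of Chapter 4; this example keeps the naive version for clarity.
    """
    scores: List[float] = []
    for i, x in enumerate(data):
        dists = sorted(euclidean(x, y) for j, y in enumerate(data) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def iqr_threshold(scores: Sequence[float], fence: float = 3.0) -> float:
    """Data-derived threshold: Q3 + fence * IQR (Tukey's outer fence at 3 x IQR).

    The quartiles are dominated by normal readings only because anomalies are rare
    (assumption i) and their large scores sit far beyond Q3 (assumption ii).
    With many anomalies the quartiles themselves would drift upward and mask them.
    """
    ordered = sorted(scores)
    n = len(ordered)
    q1, q3 = ordered[n // 4], ordered[(3 * n) // 4]
    return q3 + fence * (q3 - q1)


def detect_anomalies(data: Sequence[Observation], k: int = 3, fence: float = 3.0) -> List[int]:
    """Return the indices whose k-NN score exceeds the data-derived threshold."""
    scores = knn_scores(data, k)
    threshold = iqr_threshold(scores, fence)
    return [i for i, score in enumerate(scores) if score > threshold]


if __name__ == "__main__":
    all_scores = knn_scores(OBSERVATIONS, k=3)
    print("threshold:", round(iqr_threshold(all_scores), 3))
    for idx in detect_anomalies(OBSERVATIONS):
        print(f"anomaly at index {idx}: reading={OBSERVATIONS[idx]} score={all_scores[idx]:.1f}")
```

Running the script flags only the three constructed outliers: routine readings score between about 1.7 and 2.0, the fence lands at 3.0, and the outliers score above 40. The same code applied to a sample in which anomalies were common, or only slightly off from normal operation, would place the fence badly, which is the practical reason the two assumptions are stated up front.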
AGA
American Gas Association
ASCII
American Standard Code for Information Interchange
COTS
Commercial‐Off‐The‐Shelf
CORE
Common Open Research Emulator
CRC
Cyclic Redundancy Check
DLL
Dynamic Link Library
DNP
Distributed Network Protocol
DOS
Denial Of Service
EDMM
Ensemble‐based Decision‐Making Model
Ek‐NN
Exhaustive k‐Nearest Neighbor
EMANE
Extendable Mobile Ad‐hoc Network Emulator
EPANET
Environmental Protection Agency Network
FEP
Front End Processor
GATUD
Global Anomaly Threshold to Unsupervised Detection
HMI
Human Machine Interface
k‐NN
k‐Nearest Neighbor
kNNVWC
k‐NN based on Various‐Widths Clustering
IDS
Intrusion Detection System
IED
Intelligent Electronic Device
IP
Internet Protocol
IT
Information Technology
LAN
Local Area Network
NISCC
National Infrastructure Security Coordination Center
NS2
Network Simulator 2
NS3
Network Simulator 3
OMNET
Objective Modular Network Testbed
OPNET
Optimized Network Engineering Tool
OST
Orthogonal Structure Tree
OSVDB
Open Source Vulnerability DataBase
PCA
Principal Component Analysis
PLC
Programmable Logic Controller
PLS
Partial Least Squares
RTU
Remote Terminal Unit
SCADA
Supervisory Control And Data Acquisition
SCADAVT
SCADA security testbed based on Virtualization Technology
SDAD
SCADA Data‐driven Anomaly Detection
TCP
Transmission Control Protocol
TPASS
Threshold Password‐Authenticated Secret Sharing
UDP
User Datagram Protocol
USB
Universal Serial Bus
The aim of this introductory chapter is to motivate the extensive research work carried out in this book, highlighting the existing solutions and their limitations, and putting in context the innovative work and ideas described in this book.
Supervisory Control and Data Acquisition (SCADA) systems have been integrated to control and monitor industrial processes and our daily critical infrastructures such as electric power generation, water distribution and waste water collection systems. This integration adds valuable input to improve the safety of the process and the personnel and to reduce operation costs (Boyer, 2009). However, any disruption to SCADA systems can result in financial disasters or may lead to loss of life in a worst case scenario. Therefore, in the past, such systems were secure by virtue of their isolation and only proprietary hardware and software were used to operate these systems. In other words, these systems were self‐contained and totally isolated from the public network (e.g., the Internet). This isolation created the myth that malicious intrusions and attacks from the outside world were not a big concern and that such attacks were expected to come from the inside. Therefore, when developing SCADA protocols, the security of the information system was given no consideration.
In recent years, SCADA systems have begun to shift away from using proprietary and customized hardware and software to using Commercial‐Off‐The‐Shelf (COTS) solutions. This shift has increased their connectivity to public networks using standard protocols (e.g., TCP/IP). In addition, there is decreased reliance on a single vendor. Undoubtedly, this increases productivity and profitability, but it also exposes these systems to cyber threats (Oman et al., 2000). According to a survey published by the SANS Institute (Bird and Kim, 2012), only 14% of organizations carry out security reviews of the COTS applications they use, while over 50% of the other organizations do not perform security assessments and rely only on vendor reputation or legal liability agreements, or have no policies at all regarding the use of COTS solutions.
The adoption of COTS solutions is a time‐ and cost‐efficient means of building SCADA systems. In addition, COTS‐based devices are intended to operate on traditional Ethernet networks and the TCP/IP stack. This feature allows devices from various vendors to communicate with each other, and also helps to remotely supervise and control critical industrial systems from any place and at any time using the Internet. Moreover, wireless technologies can efficiently be used to provide mobility and local control for multivendor devices at a low cost for installation and maintenance. However, the convergence of state‐of‐the‐art communication technologies exposes SCADA systems to all the inherent vulnerabilities of these technologies. In what follows, we discuss how the potential cyber‐attacks against traditional IT can also be possible against SCADA systems.
Denial of Service (DoS) attacks.
This is a potential attack on any Internet‐connected device where a large number of spurious packets are sent to a victim in order to consume excessive amounts of endpoint network bandwidth. A packet flooding attack (Houle et al., 2001) is often used as another term for a DoS attack. This type of attack delays or totally prevents the victim from receiving the legitimate packets (Householder et al., 2001). SCADA networking devices that are exposed to the Internet such as routers, gateways and firewalls are susceptible to this type of attack. Long et al. (2005) proposed two models of DoS attacks on a SCADA network using reliable simulation. The first model was directly launched to an endpoint (e.g., controller or a customer‐edge router connecting to the Internet), while the second model is an indirect attack, where the DoS attack is launched on a router (on the Internet) that is located in the path between the plant and endpoint. In this study, it was found that DoS attacks that were launched directly (or indirectly) cause excessive packet losses. Consequently, a controller that receives the measurement and control data late or not at all from the devices deployed in the field will make a decision based on old data.
Propagation of malicious codes.
Such types of attack can occur in various forms such as viruses, Trojan horses, and worms. They are potential threats to SCADA systems that are directly (or indirectly) connected to the Internet. Unlike worms, viruses and Trojans require a human action to be initiated. However, all these threats are highly likely as long as the personnel are connected to the Internet through the corporate network, which is directly connected to the SCADA system, or if they are allowed to plug their personal USBs into the corporate workstations. Therefore, a user can be deceived into downloading a contaminated file containing a virus or installing software that appears to be useful. Shamoon (Bronk and Tikk‐Ringas, 2013), Stuxnet (Falliere et al., 2011), Duqu (Bencsáth et al., 2012), and Flame (Munro, 2012) are examples of such threats targeting SCADA systems and oil and energy sectors.
Inside threats.
The employees who are disgruntled or intend to divulge valuable information for malicious reasons can pose real threats and risks that should be taken seriously. This is because employees usually have unrestricted access to the SCADA systems and also know the configuration settings of these systems. For instance, the attack on the sewage treatment system in Maroochy Shire, South‐East Queensland (Australia) in 2001 (Slay and Miller, 2007) is an example of an attack that was launched by a disgruntled employee, where the attacker took over the control devices of a SCADA system and caused 800,000 litres of raw sewage to spill out into local parks and rivers.
Figure 1.1 SCADA vulnerabilities revealed since 2001 in OSVDB.
Unpatched vulnerabilities.
The existence of vulnerabilities is highly expected in any system and it is known that hackers always exploit unpatched vulnerabilities to obtain access and to control the targeted system. Even though the vendors immediately release the patches for the identified vulnerabilities, it is challenging to install these patches on SCADA systems that run twenty‐four‐by‐seven. Therefore, such systems will remain vulnerable for weeks or months. As depicted in Figure 1.1, and according to the independent and Open Source Vulnerability DataBase (OSVDB) for the security community, vulnerabilities targeting SCADA systems have substantially increased over the past three years since 2011.
Nontechnical (social engineering) attacks.
This type of attack can bypass state‐of‐the‐art security technologies that cost millions of dollars. In general, the attackers initially try to obtain sensitive information such as the design, operations, or security controls of the targeted SCADA system. There are a number of ways to gather such information. If the network access credentials of ex‐employees are not immediately disabled, they can be revealed to another party for profit, or out of a desire for revenge. Alternatively, such critical information can easily be obtained from current employees, whether by building a trust relationship with them or by learning some details about a naive employee who is allowed to remotely control and monitor the systems via the Internet. All of this helps the attacker answer the expected questions when calling the central office, claiming that s/he has forgotten the network access credentials and needs assistance to connect to the field network.
The security concepts that have been extensively used in traditional IT systems (e.g., management, filtering, encryption, and intrusion detection) can be adapted to mitigate the risk of the aforementioned potential threats against SCADA systems. However, these concepts cannot be directly applied without considering the nature of SCADA systems. For instance, the resource constraints of SCADA devices, such as low bandwidth, processing power, and memory, complicate the integration of complex cryptography, especially with legacy devices. All the SCADA protocols were developed without any consideration given to information security and, therefore, they lack authentication and integrity. Two solutions to secure the SCADA communications are: placing the cryptographic technologies at each end of the communication medium (American Gas Association (AGA), 2006; Tsang and Smith, 2008), or directly integrating them into the protocol, such as a secure DNP3 that protects the communication between master stations and outstations such as PLCs, RTUs, and IEDs (Majdalawieh et al., 2006).
Apart from the efforts to authenticate and encrypt SCADA communication links, it is still an open research challenge to secure the tens of SCADA protocols that are in use or to develop security modules that protect the communication link between two parties. AGA (American Gas Association (AGA), 2006) highlighted the challenges in building security modules, which can be broadly summarized in two points: (i) the additional latency that can be introduced by a secure protocol and (ii) the sophisticated key management system, which requires high bandwidth and additional communication channels that SCADA communication links lack.
Similarly, the traffic filtering process between a SCADA network and a corporate network using firewalls is a considerable countermeasure to mitigate the potential threats. However, although modern firewalls are efficient for analysing traditional IT traffic, they are incapable of in‐depth analysis of the SCADA protocols. To design firewalls tailored to SCADA systems, the UK government's National Infrastructure Security Co‐ordination Centre (NISCC) published its guidelines for the appropriate use of firewalls in SCADA networks (Byres et al., 2005). It was proposed that a microfirewall should be embedded within each SCADA device to allow only the traffic relevant to the host device. However, the limited computational power of SCADA devices can make it challenging to support this type of firewall.
Firewalls can be configured with restrictive rules to control traffic in and out of the SCADA network; however, this conflicts with the feature allowing remote maintenance and operation by vendors and operators. Additionally, firewalls are assumed to be physically placed between the communication endpoints to examine each packet prior to passing it to the receiver. This may cause a latency that is not acceptable in real‐time networks. Since firewalls do not know the “normal” operational behavior of the targeted system, they cannot stop malicious control messages, which may drive the targeted system away from its expected and normal behavior, when they are sent from a compromised unit that is often used to remotely control and monitor SCADA networks. Moreover, firewalls are of no help when the attacks are initiated internally using already‐implanted malicious code or directly by an employee. Stuxnet (Falliere et al., 2011), Duqu (Bencsáth et al., 2012), and Flame (Munro, 2012) are recent cyber‐attacks that were initiated from inside automation systems. Therefore, relying only on firewalls is not sufficient to mitigate the potential threats to SCADA systems. Hence, an additional defense needs to be installed to monitor predefined (or unexpected) patterns in either network traffic or system behavior in order to detect any intrusion attempt. A system using such a method is known in the information security area as an Intrusion Detection System (IDS).
There is no security countermeasure that can completely protect the target systems from potential threats, although a number of countermeasures can be used in conjunction with each other in order to build a robust security system. An IDS (Intrusion Detection System) is one of the security methods that has demonstrated promising results in detecting malicious activities in traditional IT systems. The source of audit data and the detection method are the main, salient parts in the development of an IDS. Network traffic, system‐level events and application‐level activities are the most usual sources of audit data. The detection methods are categorized into two strategies: signature‐based and anomaly‐based. The former searches for an attack whose signature is already known, while the latter searches for activities that deviate from an expected pattern or from the predefined normal behavior.
Due to the differences between the nature and characteristics of traditional IT and SCADA systems, there has been a need for the development of SCADA‐specific IDSs, and in recent years this has become an interesting research area. In the literature, they vary in terms of the information source being used and in the analysis strategy. Some of them use SCADA network traffic (Linda et al., 2009; Cheung et al., 2007; Valdes and Cheung, 2009), system‐level events (Yang et al., 2006), or measurement and control data (values of sensors and actuators) (Rrushi et al., 2009b; Fovino et al., 2010a,2012; Carcano et al., 2011) as the information source to detect malicious, uncommon or inappropriate actions of the monitored system using various analysis strategies which can be signature‐based, anomaly‐based or a combination of both.
It is believed that modeling of measurement and control data is a promising means of detecting malicious attacks intended to jeopardize a targeted SCADA system. For instance, the Stuxnet worm is a sophisticated attack that targets a control system and initially cannot be detected by the antivirus software that was installed in the victim (Falliere et al., 2011). This is because it used zero‐day vulnerabilities and validated its drivers with trusted stolen certificates. Moreover, it could hide its modifications using sophisticated PLC rootkits. However, the final goal of this attack cannot be hidden since the manipulation of measurement and control data will make the behavior of the targeted system deviate from previously seen ones. This is the main motivation of this book, namely to explain in detail how to design SCADA‐specific IDSs using SCADA data (measurement and control data)
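To make the contrast between the two detection strategies and the value of modeling measurement and control data concrete, here is an added toy example (not the book's code): a hypothetical water tank with one pump, constructed normal telemetry, a constructed signature list, and an anomaly model that learns the expected relationship between the pump command and the measured flow, so that a record whose actuator command and sensor reading disagree is flagged even though no signature matches it.

```python
"""Added example (not the book's code): signature-based versus anomaly-based
detection over constructed SCADA measurement and control data."""
import statistics

# Constructed attack-free telemetry for a hypothetical tank:
# (tank_level_cm, pump_on, flow_l_per_min). Flow is ~40 L/min when the
# pump is on and ~0 when it is off.
NORMAL = [(120, 0, 0.5), (118, 0, 0.3), (117, 1, 41.0), (110, 1, 39.5),
          (103, 1, 40.2), (97, 1, 40.8), (95, 0, 0.4), (96, 0, 0.2),
          (98, 1, 39.9), (92, 1, 40.5), (90, 0, 0.6), (91, 0, 0.1)]

# Hypothetical signature list: actuator command values already known to be
# malformed for this device (constructed for the example).
KNOWN_BAD_PUMP_VALUES = {2, 255}


def signature_check(level, pump_on, flow):
    """Signature-based: True only if the record matches a known-bad pattern."""
    return pump_on in KNOWN_BAD_PUMP_VALUES


class NormalBehaviorModel:
    """Anomaly-based: learn the normal range of each measurement and the
    expected flow for each pump state from attack-free data, then flag
    records that deviate from what was learned."""

    def __init__(self, records, z_threshold=3.0):
        levels = [r[0] for r in records]
        self.level_mean = statistics.mean(levels)
        self.level_std = statistics.pstdev(levels)
        self.flow_by_state = {}
        for state in (0, 1):
            flows = [r[2] for r in records if r[1] == state]
            self.flow_by_state[state] = (statistics.mean(flows),
                                         statistics.pstdev(flows))
        self.z = z_threshold

    def is_anomalous(self, level, pump_on, flow):
        """True if the level leaves its learned range, the pump state was never
        seen, or the measured flow contradicts the commanded pump state."""
        if abs(level - self.level_mean) > self.z * self.level_std:
            return True
        if pump_on not in self.flow_by_state:
            return True
        mean, std = self.flow_by_state[pump_on]
        # Floor the tolerance at 1 L/min so tiny training variance does not
        # turn ordinary sensor noise into alerts.
        return abs(flow - mean) > self.z * max(std, 1.0)
```

A record such as (100, 1, 0.2), pump commanded on but no flow measured, passes the signature check yet is flagged by the model, which is the kind of deviation in measurement and control data that the rest of this book builds on.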
