Designed without cyber security in mind, most existing Supervisory Control And Data Acquisition (SCADA) systems make it a big challenge to modify the conventional Information Technology (IT) intrusion detection techniques, both to counter the threat of cyber attacks due to their standardization and connectivity to the Internet, and to achieve resilient control without fully retrofitting. The author presents a taxonomy and a set of metrics of SCAD-specific intrusion detection techniques by heightening their possible use in addition to explaining the nuance associated with such task and enumerating Intrusion Detection Systems (IDS) that have been proposed to undertake this endeavor. She identifies the deficits and voids in current research and offers recommendations on which strategies are most likely to succeed, in part through presenting a prototype of her efforts towards this goal. Specifically, she introduces an early anomaly detection and resilient estimation scheme consisting of a robust online recursive algorithm, which is based on the Kalman Filter in a state space model setting. This online window limited Robust Generalized Likelihood Ratio Test (RGLRT) that the author proposes identifies and detects outliers among real-time multidimensional measurements of dynamical systems without any a priori knowledge of the occurrence time or distribution of the outliers. It attains a low detection delay and an optimal stopping time that yields low rates in false alarm and miss detection while maintaining the optimal online estimation performance under normal conditions. The author proposes a set of qualitative and quantitative metric to measure its optimality in the context of cyber-physical systems.
TopIntroduction
From the massive espionage malware Flame that steals critical information of the Iranian oil industry and other Mideast energy sector (CrySyS Lab, 2012; Lee, 2012) to the destructive Stuxnet (Falliere & Chien, 2011), one of most sophisticated progress control system malware known to date, the game changer has arrived in the field of cyber-physical security in that the attackers not only know the IT content well enough but also understand the physical consequence to those cyber behaviors. In McAfee’s report (Baker, Filipiak, & Timlin, 2011), nearly half of those being surveyed in the electric industry said that they had found Stuxnet on their systems. Stuxnet has targeted Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes, such as Iranian nuclear infrastructure in 2010.
What is SCADA? Being one of the primary categories of control systems, SCADA systems are generally used for large geographically dispersed distribution operations, such as electrical power grids, petroleum and gas pipelines, water and sewage systems and other critical infrastructures (Stouffer, Falco, & Kent, 2006). They not only provide management with remote access to real-time data from Distributed Control Systems (DCSs) and Programmable Logic Controllers (PLCs) but also enable operational control center to issue automated or operator-driven supervisory commands to remote station control devices.
One of the enabling elements in SCADA systems is the set of various communication protocols employed within the hierarchical system (Anderson, 2010; Dzung et al., 2005; Krutz, 2006). Their functionalities range from processing raw data transmission to handling high-level exchange between different networks and domains. These protocols have strong implications on the security of SCADA system. We name a few most popular ones: Modbus,
Profibus, Distributed Network Protocol (DNP3) and Utility Communications Architecture (UCA), Foundation Fieldbus, Common Industrial Protocol (CIP), Controller Area Network(CAN), Object Linking and Embedding (OLE) for Process Control (OPC) and Inter-Control Center Communications Protocol (Krutz, 2006).
Most industrial plants now employ networked process historian servers storing process data and other possible business and process interfaces, such as using remote Windows sessions to DCSs or direct file transfer from PLCs to spreadsheets. This integration of SCADA networks with other networks has made SCADA vulnerable to various cyber threats. The adoption of Ethernet and TCP/IP for process control networks and wireless technologies such as IEEE 802.x, Zigbee, Bluetooth, WiFi, plus WirelessHART and ISA SP100 (Dzung et al., 2005; Krutz, 2006) has further reduced the isolation of SCADA networks. The connectivity and de-isolation of the SCADA system is manifested in Figure 1.
Figure 1. Typical SCADA components; Source: United States Government Accountability Office Report GAO-04-354 (Pfleeger & Pfleeger, 2007)
Furthermore, the recent trend in standardization of software and hardware used in SCADA systems (Krutz, 2006) potentially makes it even easier to mount SCADA-specific attacks1. Instances such as Siemens Programmable Logic Controller (PLC) and Vx-Works2 vulnerability disclosures show the need to take security precaution in order to maintain the safety and performance of SCADA components and the overall system.