Network Attack and Detection in Modbus/TCP SCADA Systems
Avishai Wool; Leonid Lev (Israel Electric Company)
SCADA networks for Industrial Control Systems (ICS), which rely on commercial off-the-shelf (COTS) communication equipment, are vulnerable to a range of attacks. In prior work, Prof. Wool and his students proposed a highly efficient model-based anomaly-detection system for such networks. The system automatically constructs a sensitive semantic model from deep inspection of the traffic, yet enforcement runs in real time, at line speed, because at enforcement time it relies only on deterministic finite automata (DFA). The approach was shown to have very low false-positive rates on benign traffic recorded from the production system that monitors electricity usage on the TAU campus. However, the approach's ability to detect real attacks has not yet been evaluated, primarily because it is very hard to obtain access to a realistic ICS against which attacks can be launched. We would also like to evaluate how well the approach works on other ICSs. The goal of this research project is to address these open questions.
A key ingredient to the success of the project is the availability of the Hybrid Environment for Development and Validation (HEDVa) lab at the Israel Electric Company, managed by Dr. Lev. The HEDVa lab has been used in EU FP7 research projects and includes electrical and telecom equipment, virtual machine infrastructure, test-environment network-flow management infrastructure, a SCADA management system, an Electrical infrastructure simulator, and additional support components. The SCADA system implemented in HEDVa uses the Modbus/TCP protocol.
Another aspect of the project is a collaboration with the lab of Prof. Frank Kargl at U. Twente in the Netherlands. Prof. Kargl has access to Modbus/TCP traces recorded on production ICS systems of Dutch utilities, and is happy to collaborate with us. However, since the Dutch data is considered sensitive, and is owned by the utility companies, it must remain at U. Twente. Therefore, to evaluate our anomaly-detection system on this data, we need to perform the experiments on site in Twente.
Research plan
- Developing network penetration-test tools specifically for the Modbus SCADA protocol. We plan to develop a suite of tools that can mount network-based attacks with variable levels of intrusiveness and stealth: from passive network monitoring to active connection attempts, with or without IP spoofing, targeting either the PLCs (equipment controllers) or the HMI (operator console). Our stealthiest attacks will involve TCP hijacking, placing the penetration-test device as a man-in-the-middle. In all penetration scenarios we plan to inject Modbus-level commands, either to take control of a PLC, to feed the HMI with fake data, or both. This task will be implemented by an M.Sc. student, under the supervision of Ph.D. candidate Amit Kleinmann.
- Experimentation with the penetration tools: We plan to deploy the penetration-testing tools on the IEC HEDVa environment and evaluate their capabilities, without deploying any counter-measures. This work will be done by a second M.Sc. student, with significant support from several IEC staff members with expertise in networking, server administration, and industrial control.
- Testing the model-based anomaly-detection system on data from the IEC HEDVa environment and from U. Twente. We have already received some data traces from both environments (benign traffic, without any attacks). Preliminary analysis by Amit indicates that the traffic is generally modeled very well by our system. However, we did observe some phenomena that did not appear in the TAU electricity monitoring system. We plan to generalize our system so that it models the benign traffic observed in both environments with a minimal number of false alarms. Analysis of the data from U. Twente will require Amit to travel to the Netherlands twice a year and spend two weeks at Twente on each trip.
- Testing the anomaly-detection system against the penetration tools: we plan to repeat the experiments of step (2) in the HEDVa environment and evaluate how well the anomaly-detection system (after the improvements of step (3)) detects the attacks. This will require the involvement of all the TAU team members, supported by the IEC team.
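As an added illustration, not code from the authors, the HEDVa lab or U. Twente, the following Python script puts the two technical pieces of the plan side by side: building Modbus/TCP request frames of the kind a penetration tool would inject (step 1), and a per-channel DFA learned from benign polling traffic that flags an injected request at enforcement time (steps 3 and 4). It goes slightly beyond the text by showing two distinct alert types, an unknown symbol and an unseen transition. The polling pattern, the PLC unit ids and register addresses, and the symbol definition (unit id, function code, start address, quantity) are assumptions made for the example; the published detector's model is not reproduced here.

```python
"""Added example: Modbus/TCP request framing plus a per-channel DFA detector.
Not code from the paper, the HEDVa lab or U. Twente; all traffic below is
constructed for the example."""
import struct
from collections import defaultdict

MODBUS_PROTOCOL_ID = 0      # MBAP protocol identifier is always 0 for Modbus
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_REGISTER = 6
READ_FCS = (1, 2, 3, 4)     # coils, discrete inputs, holding regs, input regs


def build_request(tid, unit, fc, data):
    """MBAP header (transaction id, protocol id, length, unit id) + PDU.
    The length field counts the unit id byte plus the whole PDU."""
    pdu = struct.pack(">B", fc) + data
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, 1 + len(pdu), unit) + pdu


def read_holding_registers(tid, unit, start, quantity):
    return build_request(tid, unit, READ_HOLDING_REGISTERS, struct.pack(">HH", start, quantity))


def write_single_register(tid, unit, address, value):
    return build_request(tid, unit, WRITE_SINGLE_REGISTER, struct.pack(">HH", address, value))


def parse_request(frame):
    """Split an ADU into its fields; reject frames whose MBAP length field lies."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != MODBUS_PROTOCOL_ID or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def symbol(frame):
    """DFA alphabet symbol for a request: (unit, fc, start address, quantity).
    The transaction id is excluded on purpose: it changes on every request and
    carries no semantics. For a single-register write the quantity is 1 and the
    written value is ignored (an assumption of this example)."""
    r = parse_request(frame)
    if (r["fc"] in READ_FCS or r["fc"] == WRITE_SINGLE_REGISTER) and len(r["data"]) >= 4:
        addr, qty = struct.unpack(">HH", r["data"][:4])
        return (r["unit"], r["fc"], addr, 1 if r["fc"] == WRITE_SINGLE_REGISTER else qty)
    return (r["unit"], r["fc"], None, None)


class ChannelDFA:
    """One automaton per HMI-to-PLC channel. States are the symbols seen in the
    benign trace; an edge s1 -> s2 exists iff s2 immediately followed s1 there.
    Enforcement is one set lookup per message, which is what keeps it line-speed."""

    def __init__(self):
        self.states = set()
        self.edges = defaultdict(set)

    def learn(self, frames):
        prev = None
        for f in frames:
            s = symbol(f)
            self.states.add(s)
            if prev is not None:
                self.edges[prev].add(s)
            prev = s

    def enforce(self, frames):
        """Return (index, reason, detail) alerts. After an unknown symbol the
        automaton stays in its previous state, so one spliced-in message raises
        one alert instead of a cascade on the benign traffic behind it."""
        alerts, prev = [], None
        for i, f in enumerate(frames):
            s = symbol(f)
            if s not in self.states:
                alerts.append((i, "unknown-symbol", s))
                continue
            if prev is not None and s not in self.edges[prev]:
                alerts.append((i, "unknown-transition", (prev, s)))
            prev = s
        return alerts


def polling_cycle(unit, first_tid):
    """Constructed HMI scan: three register blocks read in a fixed order."""
    return [read_holding_registers(first_tid, unit, 0, 10),
            read_holding_registers(first_tid + 1, unit, 100, 5),
            read_holding_registers(first_tid + 2, unit, 200, 2)]


def benign_trace(cycles):
    frames = []
    for c in range(cycles):
        frames += polling_cycle(1, 3 * c)
    return frames


def attack_trace():
    """Two benign cycles with three constructed attack messages mixed in."""
    frames = benign_trace(2)
    frames.insert(3, write_single_register(999, 1, 100, 0xFFFF))  # injected write to the PLC
    frames.append(read_holding_registers(1000, 2, 0, 10))         # probe of an unknown unit id
    frames.append(read_holding_registers(1001, 1, 100, 5))        # known read, but out of order
    return frames


def run_demo():
    dfa = ChannelDFA()
    dfa.learn(benign_trace(5))
    return dfa.enforce(benign_trace(3)), dfa.enforce(attack_trace())


if __name__ == "__main__":
    clean, attacked = run_demo()
    print("alerts on benign traffic:", clean)
    for i, reason, detail in attacked:
        print(f"message {i}: {reason} {detail}")
```

The out-of-order read at the end is the case worth noticing: every field of that frame is individually legitimate, so a per-message whitelist would pass it, and only the transition check catches it. Note that the symbol deliberately drops the transaction id and the written value; what else to keep in the symbol, and how to handle the phenomena mentioned in step (3) that the TAU traffic never showed, is exactly the modelling question the project leaves open.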