An Anomaly Detection Mechanism for IEC 60870-5-104
Panagiotis Sarigiannidis, University of Western Macedonia, psarigiannidis@uowm.gr

Authors
Under the H2020 SPEAR Project
Panagiotis Radoglou Grammatikis, Panagiotis Sarigiannidis, Antonios Sarigiannidis, Georgios Efstathopoulos, Apostolos Tsiakalos, Dimitrios Margounakis
University of Western Macedonia, SIDROCO Holdings, 0INFINITY LIMITED
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).
Introduction
An IDS system for the IEC 60870-5-104 protocol

Summary: After a study of the IEC 60870-5-104 (IEC-104) protocol, an Intrusion Detection System (IDS) for IEC-104 is presented. The efficiency of the proposed IDS is demonstrated by the Accuracy and F1 score metrics, which reach 98% and 87%, respectively.

Smart Grid Security Status: Critical infrastructures, and especially the electrical grid, suffer from severe cybersecurity and privacy issues due to their insecure legacy and IoT assets.

IEC 60870-5-104 Security Issues: IEC 60870-5-104 does not include essential security mechanisms, such as authentication and authorisation, thus enabling various cyberattacks.

IEC 60870-5-104 IDS: It is based on access control and outlier detection mechanisms.
Related Work
Previous research works related to IEC 60870-5-104
◆ 2014: P. Maynard, K. McLaughlin, and B. Haberler, "Towards understanding man-in-the-middle attacks on IEC 60870-5-104 SCADA networks," in 2nd International Symposium for ICS & SCADA Cyber Security Research 2014 (ICS-CSR 2014), 2014, pp. 30–42.
◆ 2017: E. Hodo, S. Grebeniuk, H. Ruotsalainen, and P. Tavolato, "Anomaly detection for simulated IEC-60870-5-104 traffic," in Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017, pp. 1–7.
◆ 2018: C.-Y. Lin and S. Nadjm-Tehrani, "Understanding IEC-60870-5-104 traffic patterns in SCADA networks," in Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, 2018, pp. 51–60.
◆ 2019: P. Radoglou-Grammatikis, P. Sarigiannidis, I. Giannoulakis, E. Kafetzakis, and E. Panaousis, "Attacking IEC-60870-5-104 SCADA systems," in 2019 IEEE World Congress on Services (SERVICES), vol. 2642-939X, July 2019, pp. 41–46.
Contributions
3 Main Contributions
C1 Study of the IEC 60870-5-104 security issues: IEC 60870-5-104 suffers from severe cybersecurity issues enabling various attacks, such as MiTM and unauthorised access.
C2 Providing an IDS for IEC 60870-5-104: Developing an IDS for the IEC 60870-5-104 protocol, utilising access control rules and outlier detection mechanisms.
C3 Evaluation analysis: Evaluation of three outlier detection algorithms, namely One-Class SVM, LOF and Isolation Forest.
Background
IEC 60870-5-104 security, typical IDS architecture, intrusion detection techniques, ML-based detection and outlier detection algorithms
IEC 60870-5-104 Security
Lack of Authentication and Authorisation

Risk assessment based on the IEC 60870-5-104 security issues (P. Radoglou-Grammatikis, P. Sarigiannidis, I. Giannoulakis, E. Kafetzakis, and E. Panaousis, "Attacking IEC-60870-5-104 SCADA systems," in 2019 IEEE World Congress on Services (SERVICES), vol. 2642-939X, July 2019, pp. 41–46): Traffic Analysis, DoS, Unauthorised Access, MITM.

✓ A severe security issue of IEC-104 is the transmission of data without any encryption mechanism, thus making it possible to execute traffic analysis and MiTM attacks. In addition, many IEC-104 commands, such as reset commands, interrogation commands and read commands, do not integrate authentication and authorisation procedures, thereby allowing unauthorised access. (The IEC 62351 series adds TLS and application-layer authentication on top of IEC 60870-5, but the base IEC-104 protocol itself has neither.)
✓ This vulnerability is crucial since a cyberattacker is capable of controlling the field devices and possibly the overall operation of the infrastructure.
Typical IDPS Architecture
3 Main Components
Agents: Agents undertake to monitor the examined infrastructure, thus collecting, and sometimes pre-processing, the necessary data for the detection process.
Analysis Engine: The Analysis Engine is the core component of an IDS, which receives the information of the various Agents and implements the intrusion detection process.
Response Module: The Response Module notifies the responsible operator. It can also perform automated mitigation processes.
Intrusion Detection Techniques
3 Main Intrusion Detection Techniques
Signature-based: A set of specific rules called signatures reflects known malicious patterns. If the characteristics of the monitored data match those of the signatures, then a possible security violation is taking place.
Anomaly-based: Anomaly-based detection applies statistical analysis and Artificial Intelligence (AI) methods to model normal behaviour and flag deviations from it.
Specification-based: A set of rules called specifications defines the normal operation of the monitored system/infrastructure. If the characteristics of the monitored data do not agree with those of the specifications, then a security violation is taking place.
ML-Based Detection
Three Main Steps
Preprocessing: Processes the input data appropriately so that it is in accordance with the corresponding ML model. Usually, data-preprocessing methods are applied, such as min-max scaling, normalisation, standardisation, robust scaler and max-abs scaler.
Training: Supervised detection methods, unsupervised/outlier detection methods and semi-supervised/novelty detection methods.
Prediction: The ML model can be deployed in order to predict unknown data after the execution of the same pre-processing tasks as in the first phase, with the pre-processing parameters (e.g. the min and max of each feature) fitted on the training data and reused, not refitted on the unknown data.
Outlier Detection Algorithms
Three Algorithms

Local Outlier Factor (LOF): Markus M. Breunig, Hans-Peter Kriegel, Raymond T. Ng and Jörg Sander, 2000. LOF relies on the concept of local density, where locality is given by the k nearest neighbours, whose distance is utilised to estimate the density. By comparing the local density of an object to the local densities of its neighbours, one can identify regions of similar density, and points that have a substantially lower density than their neighbours. These are considered to be outliers.

One-Class SVM: Bernhard Schölkopf, Robert C. Williamson, Alex J. Smola, John Shawe-Taylor and John C. Platt, 2000. A One-Class Support Vector Machine (SVM) aims to find a hyperplane that can separate the vast majority of the data from the origin in the projected high-dimensional space, without making any assumptions about their distribution. In particular, One-Class SVM separates all the data points from the origin (in feature space) and maximises the distance from this hyperplane to the origin. This results in a binary function which captures the regions of the input space where the probability density of the data lives. The idea of One-Class SVM for anomaly detection is to find a function that is positive for regions with a high density of points, and negative for regions of low density.

Isolation Forest: Fei Tony Liu, Kai Ming Ting and Zhi-Hua Zhou, 2008. The Isolation Forest algorithm finds anomalies by deliberately "overfitting" models that memorise each data point. Since outliers have more empty space around them, they take fewer steps to memorise. The algorithm builds an ensemble of trees with random feature and split-value choices, grown until every leaf holds a single data point, and measures the path length between the root and each leaf (data point). The final measure for each data point is its average path length over the trees. Abnormal data points are isolated easily, thus their average path length should be relatively short.
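The three ML steps (preprocessing, training on normal data only, prediction with the same scaler) and one of the three algorithms, LOF, carried through as an added example. This is not the SPEAR IDS implementation and not scikit-learn; it is a minimal from-scratch LOF in novelty mode, scoring unseen flows against a training set of normal flows. The per-flow feature set (packets, bytes, I-format APDUs, control-direction ASDUs) and the flow records are constructed assumptions, not the paper's data.

```python
"""Preprocessing, training and prediction with a from-scratch Local Outlier
Factor (LOF) over per-flow IEC-104 features. Added example, not the SPEAR IDS
implementation and not scikit-learn; feature set and flows are constructed."""
import math

# Constructed training set: one tuple per (src, dst) flow in a time window:
# (packets, bytes, I-format APDUs, control-direction ASDUs such as C_IC_NA_1,
# C_SC_NA_1, C_RD_NA_1). Assumed feature set, not the paper's.
NORMAL_FLOWS = [
    (40, 2100, 30, 1), (42, 2200, 31, 1), (38, 2000, 29, 1), (41, 2150, 30, 2),
    (39, 2050, 29, 1), (43, 2250, 32, 2), (40, 2120, 30, 1), (37, 1950, 28, 1),
    (44, 2300, 33, 2), (41, 2180, 31, 1), (39, 2080, 30, 2), (42, 2220, 32, 1),
]


class MinMaxScaler:
    """Step 1, preprocessing: scale every feature to [0, 1] using the minimum
    and maximum seen in the training data only."""

    def fit(self, rows):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]
        return self

    def transform(self, row):
        # A constant column (hi == lo) maps to 0.0 instead of dividing by zero.
        return [(v - lo) / (hi - lo) if hi != lo else 0.0
                for v, lo, hi in zip(row, self.lo, self.hi)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LocalOutlierFactor:
    """Step 2, training: store the normal points and precompute each one's
    k-distance and local reachability density (lrd), excluding the point itself."""

    def __init__(self, k=3, threshold=1.5):
        self.k, self.threshold = k, threshold

    def fit(self, X):
        self.X = [list(x) for x in X]
        if len(self.X) <= self.k:
            raise ValueError("need more than k training points")
        self.neigh, self.kdist = [], []
        for i, x in enumerate(self.X):
            d = sorted((_dist(x, y), j) for j, y in enumerate(self.X) if j != i)[:self.k]
            self.neigh.append([(j, dd) for dd, j in d])
            self.kdist.append(d[-1][0])
        self.lrd = [self._lrd(n) for n in self.neigh]
        return self

    def _lrd(self, neigh):
        # reach-dist_k(p, o) = max(k-distance(o), d(p, o)); lrd = 1 / mean reach-dist.
        total = sum(max(self.kdist[j], dd) for j, dd in neigh)
        return math.inf if total == 0 else len(neigh) / total

    def score(self, x):
        """Step 3, prediction: LOF of an unseen point against the training set.
        About 1 means a density comparable to its neighbours; far above 1 means
        the point sits in a much sparser region than they do."""
        neigh = [(j, dd) for dd, j in
                 sorted((_dist(x, y), j) for j, y in enumerate(self.X))[:self.k]]
        lrd_x = self._lrd(neigh)
        if lrd_x == math.inf:  # coincides with training points: not an outlier
            return 1.0
        return sum(self.lrd[j] for j, _ in neigh) / len(neigh) / lrd_x

    def predict(self, x):
        return "anomaly" if self.score(x) > self.threshold else "normal"


def build_detector(normal_flows, k=3, threshold=1.5):
    scaler = MinMaxScaler().fit(normal_flows)
    lof = LocalOutlierFactor(k, threshold).fit([scaler.transform(f) for f in normal_flows])
    return scaler, lof


def classify_flow(flow, scaler, lof):
    """Apply the scaler fitted at training time (never refit on new data), then score."""
    scaled = scaler.transform(flow)
    return lof.score(scaled), lof.predict(scaled)


if __name__ == "__main__":
    scaler, lof = build_detector(NORMAL_FLOWS)
    for label, flow in [("routine polling window", (40, 2100, 30, 2)),
                        ("interrogation/command flood", (200, 9800, 180, 150))]:
        s, verdict = classify_flow(flow, scaler, lof)
        print(f"{label}: LOF={s:.2f} -> {verdict}")
```

The routine window lands inside the training cluster and scores close to 1; the flood window is two orders of magnitude further from its nearest training neighbours than those neighbours are from each other, so its LOF is far above the threshold. The threshold of 1.5 and k=3 are choices for this small constructed set; on real traffic both are tuned on held-out normal windows.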
Proposed IEC 60870-5-104 IDS
Architecture & Evaluation
Proposed IEC 60870-5-104 IDS
Architecture
Sensor: It consists of three modules, namely a) the Network Traffic Monitoring Module, b) the Network Packet Access Control Module and c) the IEC-104 Flows Extraction Module, which are responsible for monitoring and analysing the entire network traffic generated in the infrastructure: capturing it, checking each IEC-104 packet against the access control rules, and aggregating the traffic into IEC-104 flows for the anomaly detection process.
Server: It is a centralised point where the anomaly detection processes take place and the security events are stored. In particular, it is composed of an Elasticsearch database, the Anomaly Detection Module and the Response Module.
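The sensor's packet access control and flow extraction, and the "no authentication" point from the security slide, as one added example (not the SPEAR sensor code). It parses the APCI and ASDU header of each IEC-104 APDU (start octet 0x68, length, four control octets; for I-format frames the type ID, VSQ, two-octet cause of transmission and two-octet common address) and enforces an allowlist of which host may send which control-direction ASDU types; since the protocol authenticates nobody, the source address is the only thing a sensor can check a command against. The policy table, host addresses, feature tuple layout and the capture are constructed assumptions.

```python
"""Network Packet Access Control and flow extraction for IEC 60870-5-104.
Added example, not the SPEAR sensor code; policy, hosts and capture are
constructed."""
from collections import Counter
from typing import Optional

# Standard IEC 60870-5-101/104 type identifications used in this example.
TYPE_NAMES = {1: "M_SP_NA_1", 45: "C_SC_NA_1", 100: "C_IC_NA_1",
              102: "C_RD_NA_1", 105: "C_RP_NA_1"}
CONTROL_DIRECTION = {45, 100, 102, 105}  # commands a master sends to an RTU

# Assumed policy: only the SCADA master may send these commands; the reset
# process command (105) is allowed for nobody.
ALLOWED_COMMANDS = {"10.0.0.1": {45, 100, 102}}


def parse_apdu(data: bytes) -> dict:
    """Decode the APCI and, for I-format frames, the 6-octet ASDU header."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    length = data[1]
    if length < 4 or len(data) != length + 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    if length < 10:  # 4 control octets + 6-octet ASDU header at minimum
        raise ValueError("I-format APDU too short for an ASDU header")
    asdu = data[6:]
    apdu.update(
        send_seq=int.from_bytes(ctrl[0:2], "little") >> 1,
        recv_seq=int.from_bytes(ctrl[2:4], "little") >> 1,
        type_id=asdu[0],
        sq=bool(asdu[1] & 0x80), num_objects=asdu[1] & 0x7F,
        cot=asdu[2] & 0x3F, negative=bool(asdu[2] & 0x40), test=bool(asdu[2] & 0x80),
        originator=asdu[3],
        common_addr=int.from_bytes(asdu[4:6], "little"),
    )
    return apdu


def check_packet(src_ip: str, dst_ip: str, data: bytes) -> Optional[dict]:
    """Alert on a control-direction ASDU the source may not send, else None.
    Monitoring-direction data and S/U frames pass through."""
    apdu = parse_apdu(data)
    if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_DIRECTION:
        return None
    if apdu["type_id"] in ALLOWED_COMMANDS.get(src_ip, set()):
        return None
    return {"src": src_ip, "dst": dst_ip, "cot": apdu["cot"],
            "type": TYPE_NAMES.get(apdu["type_id"], str(apdu["type_id"])),
            "reason": "unauthorised control-direction ASDU"}


def audit_capture(packets):
    alerts = []
    for src, dst, data in packets:
        alert = check_packet(src, dst, data)
        if alert:
            alerts.append(alert)
    return alerts


def extract_flow_features(packets):
    """Flow extraction: aggregate per (src, dst) into the assumed feature tuple
    (packets, bytes, I-format APDUs, control-direction ASDUs)."""
    flows = {}
    for src, dst, data in packets:
        apdu = parse_apdu(data)
        f = flows.setdefault((src, dst), Counter())
        f["packets"] += 1
        f["bytes"] += len(data)
        if apdu["format"] == "I":
            f["i_frames"] += 1
            if apdu["type_id"] in CONTROL_DIRECTION:
                f["commands"] += 1
    return {k: (v["packets"], v["bytes"], v["i_frames"], v["commands"])
            for k, v in flows.items()}


# Constructed capture: (src, dst, raw APDU).
CAPTURE = [
    # master -> RTU: general interrogation C_IC_NA_1, COT=6 (activation), QOI=20
    ("10.0.0.1", "10.0.0.20", bytes.fromhex("680e0000000064010600010000000014")),
    # RTU -> master: spontaneous single point M_SP_NA_1, COT=3, IOA 1 = ON
    ("10.0.0.20", "10.0.0.1", bytes.fromhex("680e0000020001010300010001000001")),
    # master -> RTU: TESTFR act (U-format keep-alive)
    ("10.0.0.1", "10.0.0.20", bytes.fromhex("680443000000")),
    # rogue host -> RTU: single command C_SC_NA_1 ON to IOA 1; no credential needed
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("680e020000002d010600010001000001")),
    # rogue host -> RTU: reset process C_RP_NA_1, QRP=1
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("680e0400000069010600010000000001")),
]

if __name__ == "__main__":
    for alert in audit_capture(CAPTURE):
        print(alert)
    print(extract_flow_features(CAPTURE))
```

The two rogue commands are caught by the allowlist alone, which is the deterministic, specification-style part of the sensor; the per-flow tuples it emits (here the rogue host shows two packets, both of them commands) are what an outlier detector on the server would score. A malformed frame raises rather than being silently skipped, since a sensor that drops unparseable IEC-104 traffic is itself a blind spot.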