Team for Research in
Ubiquitous Secure Technology

An Intrusion Detection System for Wireless Process Control Systems
Adrian Lauf, Jon Wiley, Tanya Roosta, William H. Robinson, Gabor Karsai

Citation
Adrian Lauf, Jon Wiley, Tanya Roosta, William H. Robinson, Gabor Karsai. "An Intrusion Detection System for Wireless Process Control Systems". Talk or presentation, 11, November, 2008.

Abstract
Wireless sensor networks employed in Supervisory Control and Data Acquisition (SCADA) networks, such as power plants, oil and gas pipelines, and industrial applications, can suffer from an inadequate provision of security resources to monitor intrusions which may threaten the normal operation of SCADA networks. While most SCADA infrastructures are equipped with an enterprise-grade firewall at the highest-level data infrastructure, recent publications suggest that such measures can be insufficient to protect the sensor and actuator networks from attacks that could render individual nodes inoperative, or cause a general failure in the overall control network. Within the domain of the sensory and actuation device network, some nodes are being connected with low-power wireless network protocols, such as the ubiquitously-implemented 802.15.4 standard. This represents an evolution from wired networking to a mesh-networked wireless communications protocol. We begin with the assumption that such technologies are favorable in new and existing implementations, as they reduce wiring and location costs for sensory and actuation hardware. The sensors and actuators are controlled via embedded computers that receive and transmit control loop set points, and status information, respectively. The actual communication may be performed by the sensor/actuator node itself (in the case of the Intelligent Electronic Device) or by a remote terminal unit (RTU) to which the sensors are directly linked. In the case of the intelligent devices, we can use the networking capabilities of these devices to act as mesh routers for transmitting information between the farthest system node and a central access point. All communications between nodes are also performed via mesh networking. 
Mesh routing allows the sensory and actuation infrastructure to be placed according to topological necessity and, given an efficient and reliable routing protocol, can ensure redundancy of data link paths among nodes. Methods such as Wireless HART exist to guarantee a high degree of link-level stability, ensuring virtually no data loss on these network types. Furthermore, multiple encryption levels exist at various layers in the communications protocol that can ensure data integrity and confidentiality. However, this cannot and will not protect against all types of attacks. Assuming that all encryption standards remain unchallenged (an assumption that will be discarded later on), jamming attacks, networking disruptions, and application-layer attacks can still be performed on the nodes without triggering any exception in the Wireless HART or similar protocol. For this reason, an intelligent monitoring system must be implemented to allow the system to identify intrusions based on deterministic information that presents itself during normal operation. To meet this challenge, we have proposed and designed an intrusion detection system (IDS) mechanism that monitors key factors in the operation of the wireless mesh-routing network. Statistical information such as (1) the number of status updates, (2) mean packet size (remains nearly constant while using Wireless HART), (3) number of health packets, (4) link stability, (5) radio power usage, (6) MAC authentication failures, or (7) a difference in a packet’s expected absolute serial number (ASN) can be logged and identified. This information can provide evidence for abnormal behavior, and a possible intrusion, based upon a reasonable deviation from a prescribed policy. By concentrating on data specific to the networking protocol, and less on the actual plant operations, protocol-specific exploits can be more easily identified without the need for collecting data on plant operations, which will vary naturally.
The IDS strategy itself relies on specialized monitoring applications that collect information on the networking protocol’s operation from individual nodes and aggregates it into a logging system onboard the entity responsible for monitoring intrusions on the network. This logger is equipped with a policy management engine that reads in policy files stating acceptable operation on the network. Operation of the detection engine is separated into learning and monitoring phases, during which the system either “learns” acceptable network behavior, or begins to monitor and identify any behaviors that would signal the violation of a specified system policy. The policy and logging system itself is implemented in Java and runs on an optimized JVM designed for operation in low-power, low-resource embedded system devices. We are currently in the process of adapting an existing SCADA client model to work with the intrusion detection mechanism. This involves taking a static pre-existing system, adding mesh-networking capabilities, and then instantiating the IDS where applicable. Data already exists for normal operation of the plant; attacks must be simulated by assessing the most critical weak points that can be targeted (i.e., which points can be jammed for maximum network disruption, or which sensors can be tampered with to cause a deviation in normal operating procedures as the result of altered data or control routines). When complete, it is expected that our system will add an extra layer of security and protection for physical infrastructures.
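The learning/monitoring split and the policy file described in the abstract can be illustrated with a small detector. The following is an added example written for this page; it is not the authors' Java implementation and makes no claim about their policy format. The metric names, the per-node samples, the band rule (mean plus or minus k standard deviations, with a floor of 10% of the learned mean so that near-constant metrics are not flagged on trivial jitter) and the JSON policy layout are all this example's own assumptions. All sample data is constructed inline.

```python
"""Policy-learning anomaly detector over per-node link statistics (added example).

Learning phase: derive an acceptable band per node and metric from normal traffic.
Monitoring phase: report every metric that leaves its band, plus unknown nodes.
"""
import json
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# The seven statistics named in the abstract; these identifiers are this example's choice.
METRICS = ("status_updates", "mean_packet_size", "health_packets", "link_stability",
           "radio_power", "mac_auth_failures", "asn_delta")


@dataclass
class Sample:
    node: str
    interval: int
    stats: Dict[str, float]


@dataclass
class Policy:
    # node -> metric -> (lower, upper) acceptable bounds
    bounds: Dict[str, Dict[str, Tuple[float, float]]] = field(default_factory=dict)

    def to_json(self) -> str:
        """Serialise to the hypothetical policy-file format used here."""
        return json.dumps(self.bounds, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "Policy":
        raw = json.loads(text)
        return cls({n: {m: (lo, hi) for m, (lo, hi) in ms.items()} for n, ms in raw.items()})


def learn_policy(samples: List[Sample], k: float = 3.0, rel_floor: float = 0.1) -> Policy:
    """Learning phase. Band = mean +/- max(k*stdev, rel_floor*|mean|) per node and metric.
    A metric whose learned mean is zero (e.g. MAC auth failures never seen) gets a
    zero-width band, so any later occurrence is flagged."""
    by_node: Dict[str, List[Sample]] = {}
    for s in samples:
        by_node.setdefault(s.node, []).append(s)
    policy = Policy()
    for node, group in by_node.items():
        policy.bounds[node] = {}
        for m in METRICS:
            values = [s.stats[m] for s in group]
            mu, sigma = mean(values), pstdev(values)
            margin = max(k * sigma, rel_floor * abs(mu))
            policy.bounds[node][m] = (mu - margin, mu + margin)
    return policy


@dataclass
class Violation:
    node: str
    interval: int
    metric: str
    value: float
    bounds: Tuple[float, float]


def monitor(policy: Policy, samples: List[Sample]) -> List[Violation]:
    """Monitoring phase: one Violation per out-of-band metric; a node absent from the
    policy is reported as 'unknown_node' rather than silently accepted."""
    out: List[Violation] = []
    for s in samples:
        node_bounds = policy.bounds.get(s.node)
        if node_bounds is None:
            out.append(Violation(s.node, s.interval, "unknown_node", 0.0, (0.0, 0.0)))
            continue
        for m, (lo, hi) in node_bounds.items():
            v = s.stats[m]
            if v < lo or v > hi:
                out.append(Violation(s.node, s.interval, m, v, (lo, hi)))
    return out


def build_samples(node: str, columns: Dict[str, list]) -> List[Sample]:
    """columns: metric -> per-interval values (constructed learning data)."""
    n = len(columns[METRICS[0]])
    return [Sample(node, i, {m: columns[m][i] for m in METRICS}) for i in range(n)]


# Constructed "normal operation" data for one node, ten reporting intervals.
LEARNING_SET = build_samples("sensor-07", {
    "status_updates":    [10, 10, 11, 10, 9, 10, 11, 10, 10, 9],
    "mean_packet_size":  [80.0, 80.5, 79.5, 80.0, 80.2, 79.8, 80.0, 80.1, 79.9, 80.0],
    "health_packets":    [2] * 10,
    "link_stability":    [0.98, 0.97, 0.99, 0.98, 0.98, 0.97, 0.99, 0.98, 0.98, 0.98],
    "radio_power":       [12.0, 12.1, 11.9, 12.0, 12.0, 12.2, 11.8, 12.0, 12.0, 12.0],
    "mac_auth_failures": [0] * 10,
    "asn_delta":         [0] * 10,
})
POLICY = Policy.from_json(learn_policy(LEARNING_SET).to_json())  # round-trip via "policy file"


def sample(node: str, interval: int, **overrides) -> Sample:
    """A monitoring-phase record: normal values unless overridden (constructed)."""
    base = {"status_updates": 10, "mean_packet_size": 80.1, "health_packets": 2,
            "link_stability": 0.98, "radio_power": 12.0, "mac_auth_failures": 0, "asn_delta": 0}
    base.update(overrides)
    return Sample(node, interval, base)


MONITOR_SET = [
    sample("sensor-07", 100),                                                   # normal
    sample("sensor-07", 101, status_updates=3, health_packets=0, link_stability=0.55),  # jamming-like
    sample("sensor-07", 102, mac_auth_failures=4),                              # auth failures
    sample("rogue-99", 103),                                                    # node never learned
]


def flagged(violations: List[Violation]) -> List[Tuple[int, str]]:
    return sorted((v.interval, v.metric) for v in violations)


if __name__ == "__main__":
    for v in monitor(POLICY, MONITOR_SET):
        print(f"interval {v.interval} node {v.node}: {v.metric}={v.value} outside {v.bounds}")
```

The jamming-like record trips three protocol-level metrics at once (fewer status updates, no health packets, degraded link stability), which is the kind of correlated deviation the abstract expects to surface without any plant-process data; the relative floor is the knob that decides how much jitter a near-constant metric such as packet size may show before it is reported.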

Electronic downloads

  • 9%20-%20Lauf.pptx · application/vnd.openxmlformats-officedocument.presentationml.pre · 2987 kbytes
Citation formats  
  • HTML
    Adrian Lauf, Jon Wiley, Tanya Roosta, William H. Robinson,
    Gabor Karsai. <a
    href="http://www.truststc.org/pubs/480.html"
    ><i>An Intrusion Detection System for Wireless
    Process Control Systems</i></a>, Talk or
    presentation,  11, November, 2008.
  • Plain text
    Adrian Lauf, Jon Wiley, Tanya Roosta, William H. Robinson,
    Gabor Karsai. "An Intrusion Detection System for
    Wireless Process Control Systems". Talk or
    presentation,  11, November, 2008.
  • BibTeX
    @presentation{LaufWileyRoostaRobinsonKarsai08_IntrusionDetectionSystemForWirelessProcessControlSystems,
        author = {Adrian Lauf and Jon Wiley and Tanya Roosta and
                  William H. Robinson and Gabor Karsai},
        title = {An Intrusion Detection System for Wireless Process
                  Control Systems},
        day = {11},
        month = {November},
        year = {2008},
        abstract = {Wireless sensor networks employed in Supervisory
                  Control and Data Acquisition (SCADA) networks,
                  such as power plants, oil and gas pipelines, and
                  industrial applications, can suffer from an
                  inadequate provision of security resources to
                  monitor intrusions which may threaten the normal
                  operation of SCADA networks. While most SCADA
                  infrastructures are equipped with an
                  enterprise-grade firewall at the highest-level
                  data infrastructure, recent publications suggest
                  that such measures can be insufficient to protect
                  the sensor and actuator networks from attacks that
                  could render individual nodes inoperative, or
                  cause a general failure in the overall control
                  network. Within the domain of the sensory and
                  actuation device network, some nodes are being
                  connected with low-power wireless network
                  protocols, such as the ubiquitously-implemented
                  802.15.4 standard. This represents an evolution
                  from wired networking to a mesh-networked wireless
                  communications protocol. We begin with the
                  assumption that such technologies are favorable in
                  new and existing implementations, as they reduce
                  wiring and location costs for sensory and
                  actuation hardware. The sensors and actuators are
                  controlled via embedded computers that receive and
                  transmit control loop set points, and status
                  information, respectively. The actual
                  communication may be performed by the
                  sensor/actuator node itself (in the case of the
                  Intelligent Electronic Device) or by a remote
                  terminal unit (RTU) to which the sensors are
                  directly linked. In the case of the intelligent
                  devices, we can use the networking capabilities of
                  these devices to act as mesh routers for
                  transmitting information between the farthest
                  system node and a central access point. All
                  communications between nodes are also performed
                  via mesh networking. Mesh routing allows the
                  sensory and actuation infrastructure to be placed
                  according to topological necessity, and given an
                  efficient and reliable routing protocol, can
                  ensure redundancy of data link paths among nodes.
                  Methods such as Wireless HART exist to guarantee a
                  high degree of link-level stability, ensuring
                  virtually no data loss occurring on these network
                  types. Furthermore, multiple encryption levels
                  exist at various layers in the communications
                  protocol that can ensure data integrity and
                  confidentiality. However, this cannot and will not
                  protect against all types of attacks. Assuming
                  that all encryption standards remain unchallenged
                  (an assumption that will be discarded later on),
                  jamming attacks, networking disruptions, and
                  application-layer attacks can still be performed
                  on the nodes without triggering any exception in
                  the Wireless HART or similar protocol. For this
                  reason, an intelligent monitoring system must be
                  implemented to allow the system to identify
                  intrusions based on deterministic information that
                  presents itself during normal operation. To meet
                  this challenge, we have proposed and designed an
                  intrusion detection system (IDS) mechanism that
                  monitors key factors in the operation of the
                  wireless mesh-routing network. Statistical
                  information, such as: (1) the number of status
                  updates, (2) mean packet size (remains nearly
                  constant while using Wireless HART), (3) number of
                  health packets, (4) link stability, (5) radio
                  power usage, (6) MAC authentication failures, or
                  (7) a difference in a packet's expected absolute
                  serial number (ASN) can be logged and identified.
                  This information can provide evidence for abnormal
                  behavior, and a possible intrusion based upon a
                  reasonable deviation of a prescribed policy. By
                  concentrating on data specific to the networking
                  protocol, and less on the actual plant operations,
                  protocol-specific exploits can be more easily
                  identified without the need for collecting data on
                  plant operations which will vary naturally. The
                  IDS strategy itself relies on specialized
                  monitoring applications that collect information
                  on the networking protocol's operation from
                  individual nodes and aggregates it into a logging
                  system onboard the entity responsible for
                  monitoring intrusions on the network. This logger
                  is equipped with a policy management engine that
                  reads in policy files stating acceptable operation
                  on the network. Operation of the detection engine
                  is separated into learning and monitoring phases,
                  during which the system "learns"
                  acceptable network behavior, or begins to monitor
                  and identify any behaviors that would signal the
                  violation of a specified system policy. The policy
                  and logging system itself is implemented in Java
                  and runs on an optimized JVM designed for
                  operation in low-power, low-resource embedded
                  system devices. We are currently in the process of
                  adapting an existing SCADA client model to work
                  with the intrusion detection mechanism. This
                  involves taking a static pre-existing system,
                  adding mesh-networking capabilities, and then
                  instantiating the IDS where applicable. Data
                  already exists for normal operation of the plant;
                  attacks must be simulated by assessing the most
                  critical weak points that can be targeted (i.e.,
                  which points can be jammed for maximum network
                  disruption, or which sensors can be tampered with
                  to cause a deviation in normal operating
                  procedures as the result of altered data or
                  control routines). When complete, it is expected
                  that our system will add an extra layer of
                  security and protection for physical
                  infrastructures. },
        URL = {http://www.truststc.org/pubs/480.html}
    }
    

Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.