On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems
Prior Publisher
The Association of Digital Forensics, Security and Law (ADFSL)
Abstract
Industrial control system communication networks are vulnerable to reconnaissance, response injection, command injection, and denial of service attacks. Such attacks can lead to an inability to monitor and control industrial control systems and can ultimately lead to system failure. This can result in financial loss for control system operators and economic and safety issues for the citizens who use these services. This paper describes a set of 28 cyber attacks against industrial control systems which use the MODBUS application layer network protocol. The paper also describes a set of standalone and state based intrusion detection system rules which can be used to detect cyber attacks and to store evidence of attacks for post incident analysis. All attacks described in this paper were validated in a laboratory environment. The detection rate of the intrusion detection system rules presented by attack class is also presented.
References
1. Amin, S., Litrico, X., Sastry, S., & Bayen, A. M. (2013a). Cyber security of Water SCADA systems -Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), 1963- 1970.
2. Beresford, D. (2011). Exploiting Siemens Simatic S7 PLCs. Black Hat USA Briefings & Training USA + 2011. July 30–August 4, 2011, Las Vegas, NV, USA.
3. Chandia, R., Gonzalez, J., Kilpatrick, T., Papa, M., & Shenoi, S. (2007). Security strategies for SCADA Networks. Critical Infrastructure Protection, 253, 117-131.
4. Falliere, N., O’Murchu, L., & Chien, E. (2001). W32. Stuxnet Dossier, Symantec Tech. Rep. 1.4. Retrieved on April 30, 2014 from http://www.symantec.com/content/en/us/enterp rise/media/security_response/whitepapers/w32 _stuxnet_dossier.pdf.
5. Fleury, T., Khurana, H., & Welch, V. (2009). Towards a taxonomy of attacks against energy control systems, in Critical Infrastructure Protection II, eds. M. Papa and S. Shenoi. Springer.
6. Huang, Y. Cardenas, A., Amin, S., Lin, Z., Tsai, H., & Sastry, S. (2009). Understanding the physical and economic consequences of attacks on control systems. International Journal of Critical Infrastructure Protection, 2(3), 73-83.
7. Huitsing. P., Chandia, R., Papa, M., & Shenoi, S., (2008). Attack taxonomies for the Modbus protocols. International Journal of Critical Infrastructure Protection, 1, 37-44.
8. Liu, Y., Reiter, M., & Ning, P. (2009). False data injection attacks against state estimation in electric power grids. 16th ACM Conference on Computer and Communications Security, November 9-13, 2009, Chicago, IL, USA.
9. Mallouhi, M., Al-Nashif, Y., Cox, D., Chadaga, T., & Hariri, S. (2011). A testbed for analyzing security of SCADA Control Systems (TASSCS). 2011 IEEE PES Innovative Smart Grid Technologies (ISGT), January 17-19, 2011, Anaheim, CA, USA.
10. MODBUS-IDA. (2006). MODBUS Application Protocol Specification V1.1b. Retrieved on April 30, 2014 from
11. www.modbus.org/docs/Modbus_Application_P rotocol_V1_1b.pdf.
12. Morris, T. & Pavurapu, K. (2010). A retrofit network transaction data logger and intrusion detection system for transmission and distribution substations. IEEE International Conference on Power and Energy (PECon). December 2-5, 2012, Sutera Harbour, Sabah, Malaysia.
13. Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K., & Reddi, R. (2011). A control system testbed to validate critical infrastructure protection concepts. International Journal of Critical Infrastructure Protection, 4(2), 88-103.
14. Morris, T., Vaughn, R., & Dandass, Y. (2012). A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems. 45th IEEE Hawaii International Conference on System Sciences (HICSS), January 4-7, 2012, Wailea, Maui, HI, USA.
15. Morris, T., Vaughn, R., & Dandass, Y. (2013). Deterministic intrusion detection rules for MODBUS protocols. 46th IEEE Hawaii International Conference on System Sciences (HICSS), January 7-10, 2012, Wailea, Maui, HI, USA.
16. Nance, K., Hay, B., & Bishop, M. (2009). Digital forensics: Defining a research agenda. 42nd Hawaii International Conference on System Sciences, January 5-8, 2009, Waikoloa, Big Island, HI, USA.
17. Poulsen, K. (2009). Slammer worm crashed Ohio nuke plant network. Retrieved on April 30, 2014 from http://www.securityfocus.com/news/6767.
18. Reaves, B., & Morris, T. (2012). Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems. International Journal of Critical Infrastructure Protection, 5(3-4), 154-174.
19. Slay, J., & Miller, M. (2007). Lessons learned from the Maroochy water breach, in Critical Infrastructure Protection, eds. E. Goetz and S. Shenoi. Springer.
20. Santorelli, S. (2009). Who is looking for your SCADA infrastructure? Retrieved on April 30, 2014 from http://www.teamcymru.org/ReadingRoom/Whi tepapers/2009/scada.pdf.
21. Slay, J., & Sitnikova, E. (2009). SCADA process control systems security forensics. Forensics in Telecommunications, Information and Multimedia, 8, 77-82.
22. Sridhar, S., & Manimaran, G. (2010). Data integrity attacks and their impacts on SCADA control system. 2010 IEEE Power and Energy Society General Meeting. July 25-29, 2010, Minneapolis, MN, USA.
23. Valli, C. (2009). SCADA forensics with Snort IDS. The 2009 World Congress in Computer Science, Computer Engineering, and Applied Computing (WORLDCOMP'09). July 13-16, 2009, Las Vegas, NV, USA.
24. Xie, L., Mo, Y., & Sinopoli, B. (2010). False data injection attacks in electricity markets. First IEEE International Conference on Smart Grid Communications (SmartGridComm), October 4-6, 2010, Gaithersburg, Maryland, USA.
25. Yan, J., Liu, C., & Govindarasu, M. (2011). Cyber intrusion of Wind Farm SCADA system and its impact analysis. IEEE/PES Power Systems Conference and Exposition (PSCE), March 20-23, 2011, Phoenix, AZ, USA.
Recommended Citation
Gao, Wei and Morris, Thomas H.
(2014)
"On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems,"
Journal of Digital Forensics, Security and Law: Vol. 9
, Article 3.
DOI: https://doi.org/10.15394/jdfsl.2014.1162
Available at:
https://commons.erau.edu/jdfsl/vol9/iss1/3
Included in
Computer Engineering Commons, Computer Law Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons