Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate - over 99.82% of the traffic was identified as normal.


Atassi, A., Elhajj, I. H., Chehab, A., & Kayssi, A. (2014). The state of the art in intrusion prevention and detection. Auerbach Publications.

Barbosa, R., Sadre, R., & Pras, A. (2012, April). A first look into SCADA network traffic. In Ieee network operations and management symposium (NOMS) (p. 518- 521).

Beresford, D. (2011, July). Exploiting Siemens Simatic S7 PLCs. In Black Hat USA.

Briesemeister, L., Cheung, S., Lindqvist, U., & Valdes, A. (2010). Detection, correlation, and visualization of attacks against critical infrastructure systems. In Eighth annual international conference on privacy security and trust (pst) (pp. 17–19).

Chen, C.-M., Hsiao, H.-W., Yang, P.-Y., & Ou, Y.-H. (2013, Aug). Defending malicious attacks in cyber physical systems. In IEEE 1st International Conference on Cyber-Physical Systems, Networks, and Applications (CPSNA) (p. 13-18).

Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., & Valdes, A. (2007). Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA security scientific symposium (pp. 127–134).

Electrical Engineering Blog. (2013, May). The top most used PLC systems around the world. Electrical installation & energy efficiency. (Available at: http:// engineering.electrical-equipment .org/electrical-distribution/ the-top-most-used-plc-systems -around-the-world.html)

Garitano, I., Uribeetxeberria, R., & Zurutuza, U. (2011). A review of SCADA anomaly detection systems. In E. Corchado, V. Snasel, J. Sedano, A. Hassanien, J. L. Calvo, & D. Slezak (Eds.), Soft computing models in industrial and environmental applications, 6th international conference soco 2011 (Vol. 87, p. 357-366).Springer Berlin Heidelberg.

Genge, B., Siaterlis, C., Nai Fovino, I., & Masera, M. (2012). A cyber-physical experimentation environment for the security analysis of networked industrial control systems. Computers & Electrical Engineering.

Goldenberg, N., & Wool, A. (2013, June). Accurate modeling of modbus/tcp for intrusion detection in scada systems. International Journal of Critical Infrastructure Protection, 6 (2), 63–75.

Hadziosmanovic, D., Bolzoni, D., Hartel, P. H., & Etalle, S. (2011, September). MELISSA: Towards automated detection of undesirable user actions in critical infrastructures. In Proceedings of the european conference on computer network defense, ec2nd 2011, gothenburg, sweden (pp. 41– 48). USA: IEEE Computer Society. http://eprints.eemcs.utwente.nl/20502/.

Hahn, A., Kregel, B., Govindarasu, M., Fitzpatrick, J., Adnan, R., Sridhar, S., & Higdon, M. (2010). Development of the PowerCyber SCADA security testbed. In Proceedings of the sixth annual workshop on cyber security and information intelligence research (p. 21).

Hergenhahn, T. (2011, February). LIBNODAVE, exchange data with Siemens PLCs. (Available at: http://libnodave .sourceforge.net)

ISO 8073: Information processing systems – open systems interconnection – connection oriented transport protocol specifi- cation (Vol. 1986) [Standard]. (1986). Geneva, CH.

Kepware Technologies. (n.d.). Siemens TCP/IP Ethernet - driver help. (Available at: http://www.kepware.com/ Support Center/SupportDocuments/ Help/siemens tcpip ethernet.pdf)

Mallouhi, M., Al-Nashif, Y., Cox, D., Chadaga, T., & Hariri, S. (2011). A testbed for analyzing security of SCADA control systems (tasscs). In IEEE innovative smart grid technologies (isgt) (pp. 1–7).

Marsching, S. (2013, October). A new EPICS device support for S7 PLCs. In Proceedings of the 14th international conference on accelerator & large experimental physics control systems (icalepcs2013). San Francisco, CA, USA.

McKenzie, A. M. (1984, April 1). RFC 905: ISO transport protocol specification ISO DP 8073.

Nardella, D. (2014, January). Snap7 1.2.0 - reference manual - rev. 3. (Available at: http://snap7.sourceforge.net)

Porras, P. A., & Neumann, P. G. (1997, oct). EMERALD: event monitoring enabling responses to anomalous live disturbances. In 1997 national information systems security conference.

Roesch, M. (1999). Snort - lightweight intrusion detection for networks. In Proceedings of the 13th usenix conference on system administration (pp. 229–238). Berkeley, CA, USA: USENIX Association.

Rose, M. T., & Cass, D. E. (1987, May 1). RFC 1006: ISO transport services on top of the TCP: Version 3. Siemens. (2013, August). SIMATIC NET, configuration limits for products of the SIMATIC NET PC software v12, application manual. (Available at: http:// support.automation.siemens.com/ dnl/jg/jgxNDg2NQAA 15227599 FAQ/ 15227599 QuantityStructure and PerformanceData V12 e.pdf)

Siemens. (2014). Modular PLC controllers SIMATIC S7. (Available at: http:// www.automation.siemens.com/mcms/ programmable-logic-controller/en/ simatic-s7-controller)

Stouffer, K. A., Falco, J. A., & Scarfone, K. A. (2013, May). Guide to industrial control systems (ICS) security (Tech. Rep. No. 800-82). Gaithersburg, MD: National Institute of Standards and Technology (NIST).

Valdes, A., & Cheung, S. (2009). Communication pattern anomaly detection in process control systems. In Ieee conference on technologies for homeland security (hst) (pp. 22–29).

VIPA - A Yaskawa company. (2014). VIPA control systems. (Available at: http://www.vipa.com/en/products/ control-systems)

Wiens, T. (2014, January). S7comm wireshark dissector plugin. (Available at: http://sourceforge.net/projects/ s7commwireshark)

Yang, D., Usynin, A., & Hines, J. (2006). Anomaly-based intrusion detection for SCADA systems. In 5th intl. topical meeting on nuclear plant instrumentation, control and human machine interface technologies (npic&hmit 05) (pp. 12– 16).

Ye, N., Zhang, Y., & Borror, C. (2004, March). Robustness of the markov-chain model for cyber-attack detection. IEEE Transactions on Reliability, 53 (1), 116-123.

Zhu, B., Joseph, A., & Sastry, S. (2011, Oct). A taxonomy of cyber attacks on SCADA systems. In Internet of things (iThings/CPSCom), 2011 international conference on and 4th international conference on cyber, physical and social computing (p. 380-388).



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.