Abstract
SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated log-processing approach. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
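As an added illustration (not the paper's MELISSA tool or any code from the authors), the following Python sketch shows the kind of semi-automated log processing the abstract describes: it mines attribute combinations from constructed SCADA-style log entries and ranks the infrequent ones for analyst review. The log format, the field names `user`/`action`/`object` and the support threshold are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample log (not from the paper): timestamp,user,action,object
SAMPLE_LOG = """\
08:00,op1,read,pump1
08:05,op1,read,pump1
08:10,op2,read,pump2
08:15,op1,read,pump1
08:20,op2,read,pump2
08:25,op1,setpoint,pump1
08:30,op1,read,pump1
08:35,op2,read,pump2
08:40,op1,setpoint,pump1
08:45,op2,setpoint,pump2
08:50,op2,read,pump2
08:55,op2,setpoint,pump1
"""
FIELDS = ("user", "action", "object")  # assumed attribute names

def parse_log(text):
    """Turn each line into a tuple of (field, value) pairs; the timestamp is
    dropped because only the attribute combination is mined."""
    events = []
    for line in text.strip().splitlines():
        _ts, *values = line.split(",")
        events.append(tuple(zip(FIELDS, values)))
    return events

def itemset_support(events):
    """Count every non-empty sub-combination of attributes over all events
    (exhaustive Apriori-style counting; fine for three attributes)."""
    support = Counter()
    for ev in events:
        for k in range(1, len(ev) + 1):
            support.update(combinations(ev, k))
    return support

def rank_for_review(events, min_support):
    """Flag events whose full attribute combination occurs fewer than
    min_support times and report each one's rarest attribute pair, which
    tells the analyst what is unusual (e.g. this user never touched this object)."""
    support = itemset_support(events)
    flagged = []
    for ev in sorted(set(events)):
        if support[ev] >= min_support:
            continue
        rarest = min(combinations(ev, 2), key=lambda pair: support[pair])
        flagged.append((support[ev], ev, rarest, support[rarest]))
    return sorted(flagged)
```

With `min_support=2` the two single-occurrence setpoint changes by `op2` are flagged, each with the attribute pair that makes it unusual, while the routine read/setpoint patterns stay unflagged.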
Open Access
This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.
Cite this article
Hadžiosmanović, D., Bolzoni, D. & Hartel, P.H. A log mining approach for process monitoring in SCADA. Int. J. Inf. Secur. 11, 231–251 (2012). https://doi.org/10.1007/s10207-012-0163-8
Keywords
- ICS
- SCADA
- Security
- SCADA log
- Log analysis
- Frequent pattern mining
- Process related threat
- HAZOP
- PHEA
- MELISSA