Lightweight Journaling for Scada Systems via Event Correlation

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 485)

Abstract

Industrial control systems are not immune to cyber incidents, yet the support available to incident responders and forensic investigators is limited. In particular, journaling of operator actions is scarce. Short of preserving full packet captures and operator workstation security logs, which generate unmanageable volumes of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be essential to a security investigation, especially in cases involving malicious insiders. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events with operating system logs, it generates a journal of all Modbus protocol write events together with the usernames of the operators who performed them. The journal is far more compact than a full packet capture, achieving compression ratios of around 570 to 1 under conservative conditions and more than 2,000 to 1 under typical operating conditions, so that the information valuable to a security investigation can be retained.
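The correlation step described in the abstract, as an added example that is not code from the chapter or its authors. It joins Modbus/TCP request records (columns modeled on what a tshark field export could provide; the column names and the data are constructed here) with operator logon/logoff session records from the workstations (also constructed, modeled on Windows interactive logon events), keeps only the write function codes, and attributes each write to the user whose session on the source workstation covered the time of the request. The "UNATTRIBUTED" marker and the choice of the most recent logon when sessions overlap are design assumptions of this example, not choices documented by the chapter.

```python
"""Correlate Modbus/TCP write requests with operator logon sessions.

Added example (not the chapter's code). All records below are constructed:
NETWORK_EVENTS_CSV mimics a per-frame field export of Modbus/TCP requests,
SESSIONS_CSV mimics logon/logoff events gathered from HMI workstations.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Modbus function codes that change process state. Reads are dropped from the
# journal, which is where most of the volume reduction over a pcap comes from.
MODBUS_WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed request frames: epoch time, source IP (HMI), destination IP (PLC),
# Modbus unit identifier, function code, starting address.
NETWORK_EVENTS_CSV = """\
ts,src,dst,unit,func,addr
1460000000.10,10.0.1.21,10.0.2.5,1,3,0
1460000001.25,10.0.1.21,10.0.2.5,1,5,17
1460000003.40,10.0.1.22,10.0.2.5,1,16,100
1460000008.00,10.0.1.21,10.0.2.5,1,3,0
1460000012.75,10.0.1.21,10.0.2.6,1,6,42
1460000020.00,10.0.1.23,10.0.2.5,1,6,7
"""

# Constructed interactive sessions; an empty logoff_ts means the session was
# still open when the logs were collected.
SESSIONS_CSV = """\
host_ip,user,logon_ts,logoff_ts
10.0.1.21,alice,1459999000.0,1460000010.0
10.0.1.21,bob,1460000011.0,
10.0.1.22,carol,1459999500.0,1460000100.0
"""


@dataclass(frozen=True)
class Session:
    host_ip: str
    user: str
    logon_ts: float
    logoff_ts: Optional[float]  # None: no logoff seen yet


@dataclass(frozen=True)
class JournalEntry:
    ts: float
    operator: str
    src: str
    dst: str
    unit: int
    func: int
    func_name: str
    addr: int


def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        logoff = float(row["logoff_ts"]) if row["logoff_ts"] else None
        sessions.append(Session(row["host_ip"], row["user"], float(row["logon_ts"]), logoff))
    return sessions


def operator_for(src_ip: str, ts: float, sessions: List[Session]) -> Optional[str]:
    """User whose session on src_ip covered ts, or None if no session matches.

    If several sessions overlap (e.g. a logoff event was lost), the most
    recent logon wins; this tie-break is an assumption of the example.
    """
    covering = [
        s for s in sessions
        if s.host_ip == src_ip and s.logon_ts <= ts
        and (s.logoff_ts is None or ts <= s.logoff_ts)
    ]
    if not covering:
        return None
    return max(covering, key=lambda s: s.logon_ts).user


def build_journal(network_csv: str, sessions_csv: str) -> List[JournalEntry]:
    """Keep only Modbus writes and attach the operator responsible for each."""
    sessions = parse_sessions(sessions_csv)
    journal = []
    for row in csv.DictReader(io.StringIO(network_csv)):
        func = int(row["func"])
        if func not in MODBUS_WRITE_CODES:
            continue  # read request: not journaled
        ts = float(row["ts"])
        # A write with no covering session is kept, flagged, never silently dropped:
        # it is exactly the kind of event an investigator needs to see.
        user = operator_for(row["src"], ts, sessions) or "UNATTRIBUTED"
        journal.append(JournalEntry(ts, user, row["src"], row["dst"], int(row["unit"]),
                                    func, MODBUS_WRITE_CODES[func], int(row["addr"])))
    return journal


def format_journal(journal: List[JournalEntry]) -> List[str]:
    return [f"{e.ts:.2f} {e.operator}@{e.src} -> {e.dst} unit {e.unit} "
            f"{e.func_name} (fc {e.func}) addr {e.addr}" for e in journal]


if __name__ == "__main__":
    for line in format_journal(build_journal(NETWORK_EVENTS_CSV, SESSIONS_CSV)):
        print(line)
```

Running the block prints four journal lines: the coil write from 10.0.1.21 is attributed to alice, the multiple-register write from 10.0.1.22 to carol, the later register write from 10.0.1.21 to bob (alice had logged off, bob's session has no logoff yet), and the write from 10.0.1.23, for which no session record exists, is flagged UNATTRIBUTED rather than discarded.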

Keywords

SCADA networks; Network forensics; Journaling; Event correlation



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Antoine Lemay (1)
  • Alireza Sadighian (1, 2)
  • Jose Fernandez (1)

  1. Department of Computer and Software Engineering, Ecole Polytechnique de Montreal, Montreal, Canada
  2. Groupe Access Company, Montreal, Canada
