You are here

Modeling message sequences for intrusion detection in industrial control systems

TitleModeling message sequences for intrusion detection in industrial control systems
Publication TypeConference Paper
Year of Publication2015
AuthorsCaselli, M, Zambon, E, Petit, JY, Kargl, F
Secondary AuthorsRice, M, Shenoi, S
Conference NameProceedings of the Ninth IFIP 11.10 International Conference
Date Published03/2015
PublisherSpringer Verlag
Conference LocationArlington, Virginia, US
KeywordsIndustrial control systems, Intrusion detection, sequence attacks

Compared with standard information technology systems, industrial control systems show more consistent and regular communications patterns. This characteristic contributes to the stability of controlled processes in critical infrastructures such as power plants, electric grids and water treatment facilities. However, Stuxnet has demonstrated that skilled attackers can strike critical infrastructures by leveraging knowledge about these processes. Sequence attacks subvert infrastructure operations by sending misplaced industrial control system messages. This chapter discusses four main sequence attack scenarios against industrial control systems. Real Modbus, Manufacturing Message Specification and IEC 60870-5-104 traffic samples were used to test sequencing and modeling techniques for describing industrial control system communications. The models were then evaluated to verify the feasibility of identifying sequence attacks. The results create the foundation for developing ?sequence-aware? intrusion detection systems.