Safeguarding SCADA Systems with Anomaly Detection
John Bigham, David Gamez, and Ning Lu
Department of Electronic Engineering, Queen Mary, University of London
London, E1 4NS, UK
{john.bigham,david.gamez,ning.lu}@elec.qmul.ac.uk
Abstract. This paper shows how the accuracy and security of SCADA systems can be improved by using anomaly detection to identify bad values caused by attacks and faults. The performance of invariant-induction and n-gram anomaly detectors is compared, and the paper outlines plans for taking this work further by combining the output of several anomaly-detection techniques using Bayesian networks. Although the methods are illustrated with data from an electricity network, the research springs from a more general attempt to improve the security and dependability of SCADA systems using anomaly detection.
1 Introduction
Over the last fifteen years a considerable amount of research has been done on protecting IP networks against viruses and other attacks. We now have intrusion detection systems, firewalls, virus detectors and even a certain amount of anomaly-detecting software making its way into commercial production [2]. SCADA systems play a vital control and information-gathering role in many industries, but until recently very little effort has been expended on their security. The main reason is that they have generally run on obscure protocols and have had little connection to the outside world. Today this is changing: everything is becoming interconnected, SCADA systems are moving over to standard protocols, and the deregulation of many industries (especially the electricity industry) makes their control systems more vulnerable to manipulation by malicious insiders.
Two approaches can be taken to securing SCADA systems. One is to identify problems at the perimeter of the system, using virus and intrusion detection software to recognise known attacks and viruses. This provides a good defence against external attackers, but it does nothing to prevent insiders from abusing the system, and it cannot detect unknown attacks and viruses. A second approach is to model the normal data flows and control operations within the SCADA system and to detect anomalies caused by attempts to change or damage it. This has the advantage that it can detect unknown attacks and the actions of malicious insiders, but unless it is handled carefully it generates a lot of false alarms.
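As an added illustration of the second approach (this is not code from the paper, and the measurement feed it uses is constructed rather than the authors' electricity-network data), the following Python trains two of the detector types named in the abstract on a stretch of normal readings and then scores later windows against them: an n-gram detector over discretised readings, which learns which short symbol sequences occur normally, and a simple induced range invariant, which learns the bounds a reading stays within. The sine-based feed, the bin boundaries, the window positions and the injected values are all assumptions chosen for the demonstration. Two tampered windows are scored: one with physically implausible values, which both detectors catch, and one whose values stay inside the normal band but jump between readings in a way the real signal never does, which only the sequence model catches.

```python
"""Two simple anomaly detectors over a SCADA measurement stream.

Added illustrative example, not the paper's code.  The data below is
constructed: one analogue measurement (think of a 132 kV bus voltage)
sampled every 15 minutes, with a slow daily cycle plus a faster ripple
standing in for normal load variation.
"""
import math
from collections import Counter

SAMPLES_PER_DAY = 96
WEEK = 7 * SAMPLES_PER_DAY


def normal_reading(t):
    """Constructed 'normal' telemetry; repeats exactly every week (assumption)."""
    phase = t % WEEK
    return (132.0
            + 2.0 * math.sin(2 * math.pi * phase / SAMPLES_PER_DAY)
            + 0.3 * math.sin(2 * math.pi * phase / 7))


def discretise(values, lo=120.0, hi=145.0, bins=25):
    """Map readings to integer symbols 0..bins-1 (1 kV per bin here).
    Readings outside [lo, hi) clamp to the end bins instead of raising."""
    width = (hi - lo) / bins
    return [min(max(int((v - lo) / width), 0), bins - 1) for v in values]


class NGramDetector:
    """Learns the symbol n-grams that occur in normal data and scores a
    window by the fraction of its n-grams never seen during training."""

    def __init__(self, n=3):
        self.n = n
        self.seen = Counter()

    def fit(self, symbols):
        for i in range(len(symbols) - self.n + 1):
            self.seen[tuple(symbols[i:i + self.n])] += 1

    def score(self, symbols):
        grams = [tuple(symbols[i:i + self.n])
                 for i in range(len(symbols) - self.n + 1)]
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.seen) / len(grams)


class RangeInvariant:
    """Induces the invariant lo <= reading <= hi from normal data and scores
    a window by the fraction of readings violating it.  `margin` widens the
    learned bounds to trade sensitivity against false alarms."""

    def __init__(self, margin=0.0):
        self.margin = margin
        self.lo = self.hi = None

    def fit(self, values):
        self.lo = min(values) - self.margin
        self.hi = max(values) + self.margin

    def score(self, values):
        if not values:
            return 0.0
        return sum(1 for v in values if v < self.lo or v > self.hi) / len(values)


def build_windows():
    """A training week, a clean test day, and two tampered copies of that day."""
    train = [normal_reading(t) for t in range(WEEK)]
    day = [normal_reading(t) for t in range(WEEK, WEEK + SAMPLES_PER_DAY)]
    # Attack 1: ten readings replaced by an implausible 150 kV (constructed).
    gross = list(day)
    for i in range(40, 50):
        gross[i] = 150.0
    # Attack 2: thirty readings kept inside the normal band, but alternating
    # between two values three bins apart; the real bus moves at most one
    # bin per sample, so no such n-gram exists in the training data.
    jitter = list(day)
    for i in range(30, 60):
        jitter[i] = 130.5 if i % 2 else 133.5
    return train, day, gross, jitter


def run_detectors(n=3):
    """Train both detectors on the normal week and score the three windows."""
    train, day, gross, jitter = build_windows()
    ngram = NGramDetector(n)
    ngram.fit(discretise(train))
    bounds = RangeInvariant()
    bounds.fit(train)
    return {name: {"ngram": ngram.score(discretise(w)), "range": bounds.score(w)}
            for name, w in (("clean", day), ("gross", gross), ("jitter", jitter))}


if __name__ == "__main__":
    for name, scores in run_detectors().items():
        print(f"{name:7s} n-gram={scores['ngram']:.3f} range={scores['range']:.3f}")
```

The clean window scores zero on both detectors only because the constructed feed repeats exactly; on real telemetry a window of normal readings will always contain a few unseen n-grams and the occasional reading just outside the training bounds, so the alarm threshold applied to these scores (and the `margin` on the induced bounds) is where the false-alarm trade-off mentioned above is actually decided.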
In the work on anomaly detection that has been carried out so far, the main emphasis has been on monitoring the behaviour of the system (sequences of function calls, connections between machines, and so on) rather than the data passed around the system. Since there is almost no open source SCADA software and many of the data-gathering applications run on proprietary hardware, an analysis of functional behav-