
RESEARCH PRODUCT

SCADA Intrusion Detection System Test Framework

Henrik Waagsnes

subject

IKT590 Computer Systems Organization: Computer-Communication Networks
VDP::Mathematics and Natural Sciences: 400::Information and Communication Science: 420::Security and Vulnerability: 424
SCADA
IDS
SIEM

description

Master's thesis, Information and Communication Technology, IKT590, University of Agder, 2017.

Supervisory control and data acquisition (SCADA) systems play an important role in our critical infrastructure (CI). Several of the protocols used in SCADA communication are old and lack security mechanisms. This master's thesis presents a SCADA Intrusion Detection System Test Framework that can be used to simulate SCADA traffic and detect malicious network activity. The framework uses a signature-based approach and utilizes two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ship detected events to a distributed cluster, which visualizes them using a web interface. The experiments carried out in this project show that there is generally little difference between Suricata's and Snort's ability to detect malicious traffic. Suricata is compatible with signatures written in Snort's lightweight rules description language. I did, however, discover some compatibility issues. The proposed framework adds latency to the analysis of IDS events. The perceived latency was generally higher for Snort events than for Suricata events. The reason for this is probably the additional processing time added by the implemented log conversion tool.

Keywords: SCADA, IDS, SIEM

http://hdl.handle.net/11250/2455016