Intrusion Detection System Test Framework for SCADA Systems

Henrik Waagsnes, Nils Ulltveit-Moe

Abstract

This paper presents a SCADA intrusion detection system test framework that simulates SCADA traffic and detects malicious network activity. The framework combines several existing components, such as Kali Linux, Conpot, QTester104 and OpenMUC, in a virtual machine based setup to provide realistic SCADA traffic. It is agnostic to Intrusion Detection System (IDS) type, and is demonstrated in a case study comparing two popular signature-based IDS engines: Suricata and Snort. Both engines are loaded with rulesets for IEC 60870-5-104 and other SCADA protocols. Detected events from the IDS sensors are sent to a distributed Elastic cluster, which visualises them using Kibana dashboards. The experiments show some difference between Suricata's and Snort's ability to detect malicious traffic using the same SCADA ruleset, but these issues are relatively easy to mitigate. The IDS test framework also measures the latency from detection until the IDS alerts are presented in the incident management system, which shows that Suricata has slightly better performance than Snort.
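The abstract describes signature-based detection of IEC 60870-5-104 traffic without showing what such a signature has to look at. The following is an added illustration, not code from the paper or from its framework: a minimal IEC 104 APDU decoder (start byte, length, the four control octets distinguishing I/S/U frames, and the ASDU header with type identification, cause of transmission, common address and first information object address) followed by two signature-style checks of the kind an IEC 104 ruleset contains. The frames and the MASTERS whitelist are constructed for the example; the check functions and names are hypothetical and not a Suricata or Snort rule.

```python
"""Minimal IEC 60870-5-104 APDU decoder with two signature-style checks.

Added example, not code from the paper or its test framework. Frames and the
MASTERS whitelist are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68
MASTERS = {"10.0.0.1"}  # assumed: hosts permitted to send commands to outstations

# Type identifications for command ASDUs (IEC 60870-5-101/104, direction control).
COMMAND_TYPE_IDS = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                    48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1",
                    100: "C_IC_NA_1", 101: "C_CI_NA_1", 102: "C_RD_NA_1"}

# U-format function bits in the first control octet (bits 2..7).
U_FUNCS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
           0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}


@dataclass
class Apdu:
    fmt: str                     # "I", "S" or "U"
    send_seq: int = 0            # N(S), I-format only
    recv_seq: int = 0            # N(R), I- and S-format
    u_func: Optional[str] = None
    type_id: Optional[int] = None
    vsq_count: int = 0           # number of information objects (VSQ bits 0..6)
    cot: Optional[int] = None    # cause of transmission (low 6 bits of first COT octet)
    common_addr: Optional[int] = None
    ioa: Optional[int] = None    # address of the first information object


def parse_apdu(raw: bytes) -> Apdu:
    """Decode one APDU; raise ValueError on framing errors instead of guessing."""
    if len(raw) < 6 or raw[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    length = raw[1]  # number of octets following the length field (4..253)
    if length < 4 or length > 253 or len(raw) != length + 2:
        raise ValueError(f"bad APDU length {length}")
    c = raw[2:6]
    if c[0] & 0x01 == 0:                      # I-format: bit 0 of octet 1 clear
        apdu = Apdu("I", send_seq=(c[0] >> 1) | (c[1] << 7),
                    recv_seq=(c[2] >> 1) | (c[3] << 7))
        asdu = raw[6:]
        if len(asdu) < 6:
            raise ValueError("ASDU header truncated")
        apdu.type_id = asdu[0]
        apdu.vsq_count = asdu[1] & 0x7F
        apdu.cot = asdu[2] & 0x3F             # octet 4 is the originator address
        apdu.common_addr = asdu[4] | (asdu[5] << 8)
        if len(asdu) >= 9:                    # IOA is 3 octets, little-endian
            apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
        return apdu
    if c[0] & 0x03 == 0x01:                   # S-format: bits 0..1 == 01
        return Apdu("S", recv_seq=(c[2] >> 1) | (c[3] << 7))
    return Apdu("U", u_func=U_FUNCS.get(c[0] & 0xFC, "unknown"))  # bits 0..1 == 11


def check(src_ip: str, raw: bytes) -> list:
    """Two signature-style checks: commands and STARTDT only from known masters."""
    try:
        apdu = parse_apdu(raw)
    except ValueError as exc:
        return [f"MALFORMED {exc} from {src_ip}"]
    alerts = []
    if apdu.fmt == "I" and apdu.type_id in COMMAND_TYPE_IDS and src_ip not in MASTERS:
        alerts.append(f"COMMAND {COMMAND_TYPE_IDS[apdu.type_id]} cot={apdu.cot} "
                      f"ca={apdu.common_addr} ioa={apdu.ioa} from unauthorised host {src_ip}")
    if apdu.fmt == "U" and apdu.u_func == "STARTDT act" and src_ip not in MASTERS:
        alerts.append(f"STARTDT act from unauthorised host {src_ip}")
    return alerts


# Constructed frames (not captures from the paper's testbed).
GI_FRAME = bytes.fromhex("680E00000000" "640106000100" "000000" "14")   # C_IC_NA_1, COT=6, CA=1, QOI=20
SC_FRAME = bytes.fromhex("680E02000200" "2D0106000100" "011000" "01")   # C_SC_NA_1, IOA=0x1001, execute ON
STARTDT_FRAME = bytes.fromhex("680407000000")                            # U-format STARTDT act
S_FRAME = bytes.fromhex("680401000200")                                  # S-format, N(R)=1

if __name__ == "__main__":
    for src, frame in [("10.0.0.1", GI_FRAME), ("10.0.0.99", SC_FRAME),
                       ("10.0.0.99", STARTDT_FRAME), ("10.0.0.1", S_FRAME)]:
        print(src, parse_apdu(frame), check(src, frame))
```

A real signature engine expresses the first check as a payload byte match on the type identification and cause of transmission at fixed offsets after the six-byte APCI; how strictly Suricata and Snort apply such offset matches and reassemble TCP segments is exactly the kind of engine difference the case study in the paper compares.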

Paper Citation


in Harvard Style

Waagsnes H. and Ulltveit-Moe N. (2018). Intrusion Detection System Test Framework for SCADA Systems.In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-282-0, pages 275-285. DOI: 10.5220/0006588202750285


in Bibtex Style

@conference{icissp18,
author={Henrik Waagsnes and Nils Ulltveit-Moe},
title={Intrusion Detection System Test Framework for SCADA Systems},
booktitle={Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2018},
pages={275-285},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006588202750285},
isbn={978-989-758-282-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Intrusion Detection System Test Framework for SCADA Systems
SN - 978-989-758-282-0
AU - Waagsnes H.
AU - Ulltveit-Moe N.
PY - 2018
SP - 275
EP - 285
DO - 10.5220/0006588202750285