Abstract
Industrial control systems are not immune to cyber incidents, but support for incident responders and forensic investigators is limited. In particular, journaling of operator actions is scarce. Short of preserving full packet captures and operator workstation security logs, which generate unmanageable amounts of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be necessary for security investigations, especially in cases involving malicious insiders. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events with operating system logs, it generates a journal of all Modbus protocol write events along with the usernames of the operators who performed them. The journal is much more compact than a full packet capture, achieving compression ratios of around 570 to 1 under conservative conditions and more than 2,000 to 1 under typical operating conditions, while preserving valuable information for security investigations.
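The correlation the abstract describes, reduced to its core, as an added illustration that is not the chapter's own code or data: Modbus write requests seen on the network are joined to the operator session that was active on the originating workstation at that moment, and only the writes (never the far more numerous reads) are kept. The two input formats, the field order, the IP-to-workstation mapping and the logon/logoff session model are all assumptions made for this example; the sample lines are constructed.

```python
"""Toy journaling-by-correlation demo (added example; assumptions noted inline).

Inputs (both constructed for this example):
  * Modbus events, one per line: 'epoch,src_ip,dst_ip,function_code,address,value',
    the kind of field output a packet sensor could produce.
  * Operator session events, one per line: 'epoch,host_ip,user,logon|logoff',
    as could be exported from workstation security logs.
Output: a journal of write actions, each attributed to the user whose session
covered the originating workstation at the time of the write (None if no session did).
"""
from dataclasses import dataclass
from typing import List, Optional

# Modbus function codes that modify PLC state; reads (e.g. 1-4) are not journaled.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusEvent:
    ts: float          # epoch seconds
    src_ip: str        # operator workstation (assumed to be the request source)
    dst_ip: str        # PLC / RTU
    func_code: int
    address: int
    value: int


@dataclass
class SessionEvent:
    ts: float
    host_ip: str
    user: str
    kind: str          # "logon" or "logoff"


@dataclass
class JournalEntry:
    ts: float
    user: Optional[str]
    host_ip: str
    plc_ip: str
    action: str
    address: int
    value: int


def parse_modbus_line(line: str) -> ModbusEvent:
    ts, src, dst, func, addr, val = line.strip().split(",")
    return ModbusEvent(float(ts), src, dst, int(func), int(addr), int(val))


def parse_session_line(line: str) -> SessionEvent:
    ts, host, user, kind = line.strip().split(",")
    return SessionEvent(float(ts), host, user, kind)


def active_user(sessions: List[SessionEvent], host_ip: str, ts: float) -> Optional[str]:
    """Replay the session events for host_ip up to time ts and return the user
    whose session is open at that instant (sessions must be sorted by time)."""
    current = None
    for s in sessions:
        if s.ts > ts:
            break
        if s.host_ip != host_ip:
            continue
        if s.kind == "logon":
            current = s.user
        elif s.kind == "logoff" and s.user == current:
            current = None
    return current


def build_journal(modbus_lines: List[str], session_lines: List[str]) -> List[JournalEntry]:
    sessions = sorted((parse_session_line(l) for l in session_lines), key=lambda e: e.ts)
    journal: List[JournalEntry] = []
    for line in modbus_lines:
        ev = parse_modbus_line(line)
        if ev.func_code not in WRITE_FUNCTION_CODES:
            continue  # dropping reads is what makes the journal small
        journal.append(JournalEntry(ev.ts, active_user(sessions, ev.src_ip, ev.ts),
                                    ev.src_ip, ev.dst_ip, WRITE_FUNCTION_CODES[ev.func_code],
                                    ev.address, ev.value))
    return journal


def format_entry(e: JournalEntry) -> str:
    user = e.user if e.user is not None else "UNATTRIBUTED"
    return f"{e.ts:.0f} {user}@{e.host_ip} -> {e.plc_ip} {e.action} addr={e.address} value={e.value}"


# Constructed sample data (not from any real system).
MODBUS_SAMPLE = [
    "1700000100.0,10.0.0.5,10.0.1.20,3,0,0",       # read holding registers: ignored
    "1700000130.0,10.0.0.5,10.0.1.20,5,12,65280",  # coil 12 ON while alice is logged on
    "1700000400.0,10.0.0.6,10.0.1.20,6,40,1500",   # write from a host with no session
    "1700000700.0,10.0.0.5,10.0.1.21,5,12,0",      # coil 12 OFF while bob is logged on
]
SESSION_SAMPLE = [
    "1700000000.0,10.0.0.5,alice,logon",
    "1700000300.0,10.0.0.5,alice,logoff",
    "1700000600.0,10.0.0.5,bob,logon",
]

if __name__ == "__main__":
    for entry in build_journal(MODBUS_SAMPLE, SESSION_SAMPLE):
        print(format_entry(entry))
```

An unattributed entry (a write from a host with no operator session) is itself a finding worth surfacing to an investigator, which is why the example keeps it rather than dropping it.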
Copyright information
© 2016 IFIP International Federation for Information Processing
About this paper
Cite this paper
Lemay, A., Sadighian, A., Fernandez, J. (2016). Lightweight Journaling for Scada Systems via Event Correlation. In: Rice, M., Shenoi, S. (eds) Critical Infrastructure Protection X. ICCIP 2016. IFIP Advances in Information and Communication Technology, vol 485. Springer, Cham. https://doi.org/10.1007/978-3-319-48737-3_6
DOI: https://doi.org/10.1007/978-3-319-48737-3_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48736-6
Online ISBN: 978-3-319-48737-3
eBook Packages: Computer Science (R0)