Anomaly Detection of SCADA Networks through Network Measurement Study
Despite increasing research efforts in industrial control systems (ICS), these systems still fail to defend themselves against high-profile cyber attacks. The most prominent attacks include, but are not limited to, the Stuxnet attack on an Iranian nuclear power plant in 2010, the Industroyer malware attack on the Ukrainian power grid in 2016, and the recent ransomware attack on the U.S. Colonial pipeline in May 2021, which severely limited the fuel supply to half of the East Coast.
Supervisory Control and Data Acquisition (SCADA) networks have been exposed to a broader attack surface since their migration from serial communication networks to TCP/IP-compatible networks, and are therefore susceptible to cyber attacks. Another main reason why the security and resilience of SCADA networks have seen limited improvement over the decade is that the majority of previous work did not have access to real-world systems or datasets, because it is not possible to interrupt the production process with penetration tests and it is not easy to earn the trust of the operators.
In the introductory chapter of this dissertation, we first introduce the concepts of SCADA and industrial control protocols. We then review the previous work, divided by energy sector within the critical infrastructure, which enables us to recognize contributions, identify limitations, raise research questions, and discover answers. With network captures from the SCADA networks of operational industrial control systems, specifically the power grid and the natural gas distribution network, we begin our project by reverse engineering the SCADA network topology under different levels of system knowledge, and show that even at the lowest level of knowledge one can still discover the majority of network nodes. The characteristics we subsequently extract from the conversations between substations and control servers challenge the long-held understanding of SCADA networks in the security community. The primary industrial protocol under investigation is IEC 60870-5-104, an application-layer protocol designed to control and monitor the physical processes in federated SCADA networks.
With the knowledge base obtained from network characterization, we then propose two methods: network-flow-based anomaly detection, which applies unsupervised clustering to the network flows, and process-based anomaly detection. The process-based detection profiles process variables by applying a gradient boosting tree algorithm and deep neural networks to time series datasets. Both workflows are evaluated on datasets divided by our level of system knowledge, which ranges from the system operators helping to verify the majority of the network topology and hardware devices to no support at all.
Approaching the problem from the perspective of network measurement, our goal is to establish the normal-behavior baseline of the anomaly detector by applying deep packet inspection. In doing so, we have captured several intriguing outliers and process anomalies that are not available in a simulation/emulation environment. After successfully training the gradient-boosting-based detector, we use feature importance analysis to mitigate the black-box limitation of machine learning applications and to quantify the contribution of the features leading to the detection result.
The contributions of this dissertation are as follows:
- Provide solid evidence that shreds the security community's consensus that SCADA networks are stable and predictable, from the overall network topology to the subtleties in the process variables
- Construct the first network characterization of an operational bulk power grid, which offers the first view of the unique difficulties in defending a federated SCADA network
- Implement the first process-aware anomaly detector for two operational SCADA networks, one bulk power grid and one gas pipeline network, which successfully identifies process anomalies and potentially dangerous misconfiguration errors
- Present a discussion of the ambiguous understanding of false positives in anomaly detection for ICS, with valuable insight from the study of real-world datasets