SCADA Intrusion Detection System Test Framework
Abstract
Supervisory control and data acquisition (SCADA) systems play an important role in our
critical infrastructure (CI). Several of the protocols used in SCADA communication are old
and lack security mechanisms. This master's thesis presents a SCADA Intrusion
Detection System Test Framework that can be used to simulate SCADA traffic and detect
malicious network activity. The framework uses a signature-based approach and utilizes
two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the
IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ship detected events
to a distributed cluster, where they are visualized using a web interface.
The experiments carried out in this project show that there is generally little difference
between Suricata's and Snort's ability to detect malicious traffic. Suricata is compatible with
signatures written in Snort's lightweight rules description language. I did, however, discover
some compatibility issues.
The proposed framework adds latency to the analysis of IDS events. The
perceived latency was generally higher for Snort events than for Suricata events. This is
probably due to the additional processing time introduced by the implemented log
conversion tool.
Keywords: SCADA, IDS, SIEM
Description
Master's thesis, Information and Communication Technology (IKT590), University of Agder, 2017