
Paper Topic: Stateful Intrusion Detection for IEC 60870-5-104 SCADA Security

1. Author(s): Yang, MCLaughlin, Sezer, Yuan, and Huang


2. Problem Definition: In SCADA systems, telecontrol of different devices is essential to accomplishing different tasks. IEC 60870-5-104 is one of the common protocols used in SCADA systems for telecontrol. The protocol is based on TCP/IP, and it transmits messages in clear text without any form of authentication mechanism.


3. Previous Work: Some researchers have used Snort to implement signature-based and model-based detection approaches.


4. Proposed Work: Use a stateful protocol analysis approach to build a stateful Intrusion Detection System (based on a state machine) for the IEC 60870-5-104 protocol that analyzes and tracks state transitions at the application layer.


5. Method Used: Stateful protocol analysis compares a predetermined profile of acceptable protocol behaviors with observed activity to detect deviations and misbehavior.


6. Design: Detection uses a whitelist methodology: packets that go against the predetermined/defined protocol state behavior are identified as abnormal. First, a Detection State Machine (DSM), based on a Finite State Machine (FSM), is designed; it is used to describe the dynamic behavior of packets and to detect packet misbehavior. An alarm state is triggered whenever the observed behavior deviates from the predefined states of the state machine. The DSM consists of a set of protocol states (S), guard conditions (G), a finite tuple of transition actions (A), transition relations (T), and a set of alarm states (Sa).


The Intrusion Detection System (IDS) monitors communication traffic between the client and the server.


In this paper, two types of control field format are used: Information (I format) and Supervisory function (S format).


7. Implementation: In this project, the Internet Traffic and Content Analysis (ITACA) platform is used to implement the IDS, because it allows intrusion detection to be implemented as a plug-in. The stateful protocol analysis is developed in C/C++. The steps involved in the implementation are:


a. ITACA analyzes each packet and sends it to the stateful IDS plug-in.
b. The DSM is implemented in the stateful IDS plug-in.
c. The DSM compares the captured packet against the current state held in state memory and determines whether it is normal or not.
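As an added example (not code from the paper or from ITACA), the DSM described in section 6 and the comparison step in 7c, reduced to a small Python state machine over the IEC 60870-5-104 control field: the protocol state S is the next expected send sequence number per direction, guards G check N(S) and N(R), the transition action A advances the counter, and alarm states Sa are returned by name. The frame layout follows the 104 APCI; the sample frames and the state/alarm names are constructed for this example.

```python
# Added example (not the paper's or ITACA's code): a minimal Detection State
# Machine for the IEC 60870-5-104 APCI. State S = next expected N(S) per
# direction; guards G check sequence numbers; action A advances the counter.
START_BYTE = 0x68

def new_dsm():
    """Per-connection state memory: expected N(S) per sender and raised alarms."""
    return {"expect_ns": {"client": 0, "server": 0}, "alarms": []}

def parse_apci(apdu):
    """Return (fmt, N(S), N(R)) from a 104 frame, or None if the APCI is malformed."""
    if len(apdu) < 6 or apdu[0] != START_BYTE or apdu[1] != len(apdu) - 2:
        return None
    c1, c2, c3, c4 = apdu[2:6]
    nr = ((c4 << 8) | c3) >> 1
    if c1 & 0x01 == 0:                       # I format: bit 0 of octet 1 is 0
        return ("I", ((c2 << 8) | c1) >> 1, nr)
    if c1 & 0x03 == 0x01:                    # S format: bits 1..0 are 01
        return ("S", None, nr)
    return ("U", None, None)                 # U format: bits 1..0 are 11

def alarm(dsm, name):
    dsm["alarms"].append(name)               # enter alarm state Sa
    return name

def step(dsm, direction, apdu):
    """Apply one APDU sent by 'client' or 'server'; return 'normal' or the Sa name."""
    peer = "server" if direction == "client" else "client"
    parsed = parse_apci(apdu)
    if parsed is None:
        return alarm(dsm, "malformed_apci")
    fmt, ns, nr = parsed
    if fmt == "U":                           # STARTDT/TESTFR are outside this DSM
        return "out_of_scope"
    # Guard G: N(R) may only acknowledge frames the peer has actually sent
    # (wrap of the 15-bit counter within a session is ignored for brevity)
    if nr > dsm["expect_ns"][peer]:
        return alarm(dsm, "ack_of_unsent_frame")
    if fmt == "I":
        if ns != dsm["expect_ns"][direction]:      # Guard G: in-order N(S)
            return alarm(dsm, "sequence_violation")
        dsm["expect_ns"][direction] = (ns + 1) & 0x7FFF   # transition action A
    return "normal"

def i_frame(ns, nr, asdu=b"\x64\x01\x06\x00\x01\x00\x00\x00\x00\x14"):
    """Constructed I-format APDU; the default ASDU is a sample interrogation command."""
    ctrl = bytes([(ns << 1) & 0xFF, ns >> 7, (nr << 1) & 0xFF, nr >> 7])
    return bytes([START_BYTE, len(ctrl) + len(asdu)]) + ctrl + asdu

def s_frame(nr):
    """Constructed S-format APDU acknowledging all frames below N(R)."""
    return bytes([START_BYTE, 4, 0x01, 0x00, (nr << 1) & 0xFF, nr >> 7])
```

A real plug-in would also track the STARTDT/STOPDT connection state and the k/w window limits; this block keeps only the I/S sequence-number guards the paper's DSM is built around.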


8. Conclusion: Previous works focused on Modbus or DNP3, but this paper focuses on the IEC 60870-5-104 protocol. The IDS can be used to monitor and detect anomalous behavior in the system.
