Abstract
Rapid changes in Supervisory-Control-and-Data-Acquisition (SCADA) systems used in power systems, from traditional proprietary serial-based communication protocols to Internet-protocol (TCP/IP) based standard communication protocols such as IEC-60870-5-104, have made smart grids susceptible to malicious cyber threats and attacks. Current hierarchical SCADA systems are vulnerable to cyber threats because their communication protocols were originally designed without any built-in security mechanisms, and because these protocols are well documented, which helps attackers exploit the vulnerabilities to sabotage the SCADA systems. It is necessary to develop security solutions tailored to power sector SCADA systems to sustain the reliability and availability of the power systems. This paper proposes white-list rules and a passive-monitoring based anomaly detector called the security monitoring unit (SMU) to detect anomalous communication in the SCADA system. The proposed anomaly detector uses Deep Packet Inspection (DPI) based white-list rules as detection rules that are modelled specifically for IEC-60870-5-104 based SCADA systems. Along with the white-listed rule sets, the solution also includes data correlation, where the field data (sensor value) is mapped against data-in-transit from the RTU to the controlling station to perform in-line message validation. The proposed rule-based solution can effectively detect known and as yet unknown zero-day attacks on IEC-60870-5-104 based SCADA systems.
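A minimal sketch of the kind of DPI white-list check and data correlation the abstract describes, added here as an illustration and not taken from the paper or its SMU. The rule values, tolerance, function names and sample frame are assumptions constructed for the example; only the IEC-60870-5-104 frame layout is standard.

```python
import struct

# Constructed white-list for one RTU link; every value below is an assumption.
COMMON_ADDRS = {1}
RULES = {  # type ID -> allowed causes of transmission (COT) and IOA range
    13: {"cot": {1, 3, 20}, "ioa": (1000, 1099)},   # M_ME_NC_1, short float
    100: {"cot": {6, 7, 10}, "ioa": (0, 0)},        # C_IC_NA_1, interrogation
}
TOLERANCE = 0.5  # allowed gap between field sensor value and value in transit

def parse_apdu(frame: bytes) -> dict:
    """Parse the APCI and, for I-format, the ASDU header and first object."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2 or frame[1] > 253:
        raise ValueError("bad start byte or APCI length field")
    cf1 = frame[2]
    out = {"format": "I" if cf1 & 1 == 0 else ("S" if cf1 & 3 == 1 else "U")}
    if out["format"] == "I":
        if len(frame) < 15:
            raise ValueError("I-format frame too short for an ASDU")
        type_id, _vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", frame, 6)
        out.update(type_id=type_id, cot=cot & 0x3F, common_addr=ca,
                   ioa=int.from_bytes(frame[12:15], "little"))
        if type_id == 13 and len(frame) >= 19:  # IOA is followed by a float32
            out["value"] = struct.unpack_from("<f", frame, 15)[0]
    return out

def check(frame: bytes, field_value=None) -> list:
    """Return white-list violations; an empty list means the frame is allowed."""
    try:
        m = parse_apdu(frame)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    if m["format"] != "I":
        return []  # S and U frames carry no ASDU; only framing is checked
    rule, alerts = RULES.get(m["type_id"]), []
    if m["common_addr"] not in COMMON_ADDRS:
        alerts.append("unknown common address")
    if rule is None:
        return alerts + ["type ID not white-listed"]
    if m["cot"] not in rule["cot"]:
        alerts.append("COT not allowed for type")
    if not rule["ioa"][0] <= m["ioa"] <= rule["ioa"][1]:
        alerts.append("IOA outside configured range")
    # Data correlation: compare the value on the wire with the field reading.
    if field_value is not None and abs(m.get("value", field_value) - field_value) > TOLERANCE:
        alerts.append("value in transit differs from field value")
    return alerts

# Constructed sample: M_ME_NC_1, spontaneous, CA 1, IOA 1001, value 230.0
SAMPLE = (bytes([0x68, 0x12, 0, 0, 0, 0, 13, 1, 3, 0, 1, 0])
          + (1001).to_bytes(3, "little") + struct.pack("<f", 230.0) + b"\x00")
```

Calling `check(SAMPLE, field_value=...)` with the independently read sensor value performs both the white-list test and the correlation; a monitoring unit would run it on each reassembled APDU from a passive tap.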
Cite
Hareesh, R., Kalluri, R., Mahendra, L., Kumar, R. K. S., & Bindhumadhava, B. S. (2020). Passive Security Monitoring for IEC-60870-5-104 based SCADA Systems. International Journal of Industrial Control Systems Security, 3(1), 90–99. https://doi.org/10.20533/ijicss.9781.9083.20346.2020.0010