A distributed real-time event correlation architecture for SCADA security


Abstract

Supervisory control and data acquisition (SCADA) systems require real-time threat monitoring and early warning systems to identify cyber attacks. Organizations typically employ intrusion detection systems to identify attack events and to provide situational awareness. However, as cyber attacks become more sophisticated, intrusion detection signatures of single events are no longer adequate. Indeed, effective intrusion detection solutions require the correlation of multiple events that are temporally and/or spatially separated. This paper proposes an innovative event correlation mechanism for cyber threat detection, which employs a semantic event hierarchy. Cyber attacks are specified via low-level events detected in the communications and computing infrastructure and correlated to identify attacks of a broader scope. The paper also describes a distributed architecture for real-time event capture, correlation and dissemination. The architecture employs a publish/subscribe mechanism, which decentralizes limited computing resources to distributed field agents in order to enhance real-time attack detection while limiting unnecessary communications overhead.

Citation (APA)

Deng, Y., & Shukla, S. (2013). A distributed real-time event correlation architecture for SCADA security. In IFIP Advances in Information and Communication Technology (Vol. 417, pp. 81–93). Springer New York LLC. https://doi.org/10.1007/978-3-642-45330-4_6
