Abstract
The Modbus/TCP protocol is commonly used in SCADA systems for communications between a human-machine interface (HMI) and programmable logic controllers (PLCs). This paper presents a model-based intrusion detection system designed specifically for Modbus/TCP networks. The approach is based on the key observation that Modbus traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique deterministic finite automaton (DFA). An algorithm is presented that can automatically construct the DFA associated with an HMI-PLC channel based on about 100 captured messages. The resulting DFA-based intrusion detection system looks deep into Modbus/TCP packets and produces a very detailed traffic model. This approach is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach is tested on a production Modbus system. Despite its high sensitivity, the system has a very low false positive rate: perfect matches of the model to the traffic were observed for five of the seven PLCs tested without a single false alarm over 111 h of operation. Furthermore, the intrusion detection system successfully flagged real anomalies that were caused by technicians who were troubleshooting the HMI system. The system also helped identify a PLC that was configured incorrectly.
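The following is an added illustration of the idea described in the abstract, not code from the paper or its authors. It reduces each Modbus/TCP message to a symbol (direction, function code, start address, count), learns the repetition period of a captured window of about 100 messages, builds a cyclic DFA with one state per position in the cycle, and then runs the DFA over a monitored stream. Two kinds of alert are raised: a known message arriving out of its position, and a message whose symbol (for example, a start address that differs by one) was never seen during learning. The capture, the monitored stream, the response symbols (which here simply mirror the request they answer) and the resynchronisation rule are all constructed simplifications and assumptions of this example, not the paper's algorithm.

```python
from collections import namedtuple

# Symbolic view of one Modbus/TCP message. Constructed simplification: a
# response carries the same function/address/count as the request it answers.
Msg = namedtuple("Msg", "direction function address count")

# Constructed normal polling cycle: read 10 holding registers at address 0,
# then read 8 coils at address 100 (function codes 3 and 1), each with a reply.
CYCLE = [
    Msg("Q", 3, 0, 10), Msg("R", 3, 0, 10),
    Msg("Q", 1, 100, 8), Msg("R", 1, 100, 8),
]

# Constructed learning window: 25 cycles, i.e. 100 captured messages.
CAPTURE = CYCLE * 25


def learn_period(symbols):
    """Return the smallest period p such that the capture repeats every p messages.
    Assumes the capture holds at least two full cycles of the periodic traffic."""
    n = len(symbols)
    for p in range(1, n // 2 + 1):
        if all(symbols[i] == symbols[i + p] for i in range(n - p)):
            return p
    raise ValueError("no periodic pattern found in captured messages")


def build_dfa(symbols):
    """Cyclic DFA: state i accepts exactly symbols[i] and moves to (i + 1) % p."""
    p = learn_period(symbols)
    return {i: symbols[i] for i in range(p)}


def monitor(dfa, stream):
    """Run the DFA over a message stream and return (index, kind, symbol) alerts."""
    p = len(dfa)
    known = set(dfa.values())
    state = 0
    alerts = []
    for idx, sym in enumerate(stream):
        if sym == dfa[state]:
            state = (state + 1) % p
            continue
        if sym in known:
            # Known message, wrong position. Resynchronise on the first state
            # that accepts it (assumption: symbols are unique within the cycle).
            alerts.append((idx, "out-of-sequence", sym))
            state = (next(s for s, e in dfa.items() if e == sym) + 1) % p
        else:
            # Never seen during learning (unexpected function, address or count).
            # Keep the current state and wait for the expected message.
            alerts.append((idx, "unknown-message", sym))
    return alerts


# Constructed monitored stream: two clean cycles, an injected write to a coil,
# a clean cycle, a reply pair arriving out of order, then a read whose start
# address is off by one, and finally a clean cycle.
STREAM = (
    CYCLE * 2
    + [Msg("Q", 5, 100, 1)]
    + CYCLE
    + [CYCLE[2], CYCLE[3]]
    + [Msg("Q", 3, 1, 10)]
    + CYCLE
)

if __name__ == "__main__":
    dfa = build_dfa(CAPTURE)
    print("learned period:", len(dfa))
    for idx, kind, sym in monitor(dfa, STREAM):
        print(f"message {idx}: {kind} {sym}")
```

Because every distinct (function, address, count) combination becomes its own symbol, a read that starts one register away from the learned address is a different symbol and is flagged as unknown, which is the sensitivity the abstract describes; the price is that any legitimate change to the HMI's polling table also has to be relearned.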
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 63-75 |
| Number of pages | 13 |
| Journal | International Journal of Critical Infrastructure Protection |
| Volume | 6 |
| Issue number | 2 |
| DOIs | |
| State | Published - Jun 2013 |
Keywords
- Modbus/TCP
- Network intrusion detection system
- SCADA systems
All Science Journal Classification (ASJC) codes
- Modelling and Simulation
- Safety, Risk, Reliability and Quality
- Computer Science Applications
- Information Systems and Management