Abstract

Industrial Control and SCADA (Supervisory Control and Data Acquisition) networks control critical infrastructure such as power plants, nuclear facilities, and water supply systems. These systems are increasingly targeted by cyber attacks from a range of threat actors, and a successful attack can cause physical damage, financial cost, and injury or loss of life. As a result, there is a strong need for better tools to detect cyber threats in SCADA networks. This paper makes several contributions to research in this area. First, we study the level of support for SCADA protocols in well-known open source intrusion detection systems (IDS). Second, we select a specific IDS, Suricata, and extend it to detect threats against SCADA systems running the EtherNet/IP (ENIP) industrial control protocol. Finally, we conduct a traffic-based study to evaluate the performance of the new ENIP module in Suricata, including its performance on low-performance hardware.
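As an added illustration of what an ENIP-aware IDS module has to do before any rule can match, the following Python decoder (constructed for this page, not the paper's Suricata code) parses the 24-byte ENIP encapsulation header and applies the kind of protocol sanity checks a detection engine would raise alerts on. The header layout and command codes follow the ENIP specification; the alert wording, `build_enip` helper and sample packet are assumptions of this example.

```python
"""Minimal EtherNet/IP (ENIP) encapsulation-header decoder with IDS-style checks.
Constructed example; the header layout (24 bytes, little-endian) and command
codes come from the ENIP specification, everything else is illustrative."""
import struct

# command, length, session handle, status, sender context (8 bytes), options
ENIP_HEADER = struct.Struct("<HHII8sI")
ENIP_COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}


def parse_enip(pkt: bytes) -> dict:
    """Decode one ENIP encapsulation PDU; raise ValueError on a short header."""
    if len(pkt) < ENIP_HEADER.size:
        raise ValueError("short ENIP header")
    cmd, length, session, status, ctx, options = ENIP_HEADER.unpack_from(pkt)
    return {"command": cmd, "name": ENIP_COMMANDS.get(cmd, "UNKNOWN"),
            "length": length, "session": session, "status": status,
            "context": ctx, "options": options,
            "data": pkt[ENIP_HEADER.size:ENIP_HEADER.size + length]}


def enip_alerts(pkt: bytes) -> list:
    """Return the alerts an ENIP-aware IDS could raise for this PDU."""
    try:
        h = parse_enip(pkt)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    alerts = []
    if h["name"] == "UNKNOWN":
        alerts.append(f"unknown command 0x{h['command']:04x}")
    avail = len(pkt) - ENIP_HEADER.size
    if h["length"] > avail:            # truncated or lying length field
        alerts.append(f"declared length {h['length']} exceeds payload {avail}")
    elif h["length"] < avail:          # data hidden after the declared PDU
        alerts.append(f"{avail - h['length']} trailing bytes after PDU")
    if h["options"] != 0:              # the spec requires options to be zero
        alerts.append("non-zero options field")
    return alerts


def build_enip(cmd: int, data: bytes = b"", session: int = 0) -> bytes:
    """Helper (assumed) to construct a well-formed ENIP PDU for testing."""
    return ENIP_HEADER.pack(cmd, len(data), session, 0, b"\0" * 8, 0) + data


# Constructed sample: a RegisterSession request (protocol version 1, flags 0).
REGISTER_SESSION = build_enip(0x0065, struct.pack("<HH", 1, 0))
```

Running `enip_alerts` over a capture is the decoding step that must hold up on constrained hardware before any higher-level ENIP or CIP signature can be evaluated.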
