Abstract

Energy systems like smart grids are part of critical infrastructure, and their interruption or blackout may have fatal consequences for energy production, distribution, and eventually the life of individual people. In order to secure communication in Industrial Control Systems (ICS) and detect cyber attacks on smart grids, we need to increase the visibility of ICS communication so that an operator can see what commands are sent between ICS devices. Security monitoring of ICS transmission requires (i) retrieving monitoring data from ICS packets, (ii) processing and analyzing the extracted data, and (iii) visualizing the ongoing communication to the operator. The proposed work presents a concept of an ICS flow monitoring system that extracts metadata from ICS packet headers and creates ICS flow records similarly to a NetFlow/IPFIX system. ICS flows represent communication in the smart grid network, which is further visualized using a dashboard and communication charts. Unlike the traditional monitoring approach, which works with network and transport layer data only, we extend flow monitoring to the application layer with a focus on ICS protocols. The proposed approach is demonstrated on monitoring IEC 60870-5-104 communication.
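The flow-building idea in the abstract can be sketched as follows; this is an added example, not code from the paper. It assumes the flow key is the IP 5-tuple endpoints plus the APDU format, ASDU type ID, cause of transmission, common address and U-frame function (the paper's own field selection is not given on this page), and it does not reassemble APDUs split across TCP segments or track sequence numbers.

```python
import struct

# U-format control octet 1 values (function bit plus the two low bits set to 1).
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdus(payload: bytes):
    """Yield header metadata for each IEC 104 APDU in one TCP payload."""
    pos = 0
    while pos + 6 <= len(payload):
        start, length = payload[pos], payload[pos + 1]
        if start != 0x68 or length < 4 or pos + 2 + length > len(payload):
            return  # not IEC 104 or truncated: stop instead of guessing
        c1 = payload[pos + 2]
        meta = {"fmt": "I", "type_id": None, "cot": None, "ca": None,
                "u": None, "len": 2 + length}
        if c1 & 0x01 == 0:  # I-format: an ASDU follows the 4 control octets
            asdu = payload[pos + 6:pos + 2 + length]
            if len(asdu) >= 6:
                meta["type_id"] = asdu[0]
                meta["cot"] = asdu[2] & 0x3F  # low 6 bits = cause of transmission
                meta["ca"] = struct.unpack_from("<H", asdu, 4)[0]
        elif c1 & 0x03 == 0x01:
            meta["fmt"] = "S"  # supervisory acknowledgement
        else:
            meta["fmt"], meta["u"] = "U", U_FUNCS.get(c1, "unknown")
        yield meta
        pos += 2 + length

def build_flows(packets):
    """Aggregate (src, dst, sport, dport, payload) tuples into flow records."""
    flows = {}
    for src, dst, sport, dport, payload in packets:
        for m in parse_apdus(payload):
            key = (src, dst, sport, dport,
                   m["fmt"], m["type_id"], m["cot"], m["ca"], m["u"])
            rec = flows.setdefault(key, {"apdus": 0, "bytes": 0})
            rec["apdus"] += 1
            rec["bytes"] += m["len"]
        # payloads that are not IEC 104 contribute no application-layer record
    return flows

# Constructed sample traffic (not from the paper); addresses are placeholders.
MASTER = ("10.0.0.10", "10.0.0.20", 49152, 2404)
OUTSTATION = ("10.0.0.20", "10.0.0.10", 2404, 49152)
INTERROG = bytes.fromhex("680e0000000064010600010000000014")  # C_IC_NA_1, COT 6
SPONT = bytes.fromhex("680e020000000101030001000a000001")     # M_SP_NA_1, COT 3
SAMPLE = [MASTER + (bytes.fromhex("680407000000"),), OUTSTATION + (bytes.fromhex("68040b000000"),),
          MASTER + (INTERROG,), OUTSTATION + (SPONT * 2,)]  # last: two APDUs in one segment
```

Calling `build_flows(SAMPLE)` yields four records: the STARTDT activation and confirmation, the interrogation command, and one record counting both spontaneous single-point reports.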

Highlights

  • With the progress of digitization and industrial automation, Industrial Control System (ICS) plays an essential role in monitoring and controlling industrial devices, processes and events

  • Passive monitoring using the IPFIX architecture enhanced by selected IEC 104 header values increases visibility of ICS communication

  • Many attacks went unnoticed by security devices that protect the ICS network perimeter but do not prevent attacks from inside the system


Summary

INTRODUCTION

With the progress of digitization and industrial automation, Industrial Control System (ICS) plays an essential role in monitoring and controlling industrial devices, processes and events. It has been adopted to operate over the standard Ethernet link layer and the Internet Protocol (IP), with UDP and TCP transport on top of IP. This made it possible to interconnect ICS networks over wide-area networks (WANs) and provide remote control and monitoring. Monitoring techniques that are widely deployed in IP networks include SNMP monitoring, see Presuhn et al. (2002), IP flow monitoring, see Claise (2004), and system logging, see Gerhards (2009). These approaches can be applied to ICS systems to a certain extent. By analyzing and visualizing ICS monitoring data, we are able to get network statistics about the communication in an ICS network (number of connected hosts, transmitted data, etc.), detect cyber security incidents (unauthorized access, scanning, DoS attack), or monitor system operation (detection of malfunctioning devices, misconfiguration, etc.).

Structure of the text
Contribution
STATE-OF-THE-ART
MONITORING IEC 104 COMMUNICATION
IEC 104 Protocol
Building IEC 104 Flows
TOWARDS IEC 104 VISIBILITY
Observing IEC 104 Activity
Activation of an IEC 104 device
Requesting Unknown Resources
Identifying Cyber Attacks
INCREASING IEC 104 VISIBILITY
IEC 104 flows
IP flows
Extended IEC 104 flows
Summary
CONCLUSIONS