Abstract

Cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems are becoming more complex and more intelligent. Currently proposed security measures for SCADA systems fall into three categories: physical/logical network separation, communication message security, and security monitoring. However, the recent malware that was used successfully to disrupt critical systems shows that these strategies are necessary but not sufficient to defend against such malware. Malware attacks on a SCADA system exploit weaknesses in the host's software environment and take over control of host processes. In this paper, we explain how the malware interferes with important process logic and invades a SCADA host process by using Dynamic Link Library (DLL) Injection. As a countermeasure, we propose an algorithm that blocks DLL Injection efficiently; we implement it as a library, test it against several DLL Injection scenarios, and show its effectiveness against real-world malware that uses the DLL Injection technique. This approach is expected to prevent every host in a SCADA system from being taken over by this kind of attack, thereby keeping the system sane at all times.

Highlights

  • The Supervisory Control and Data Acquisition (SCADA) system, more broadly the Industrial Control System (ICS), is a system that monitors and controls large-scale, geographically distributed process field devices

  • The network intrusion detection system (IDS) currently proposed in the context of SCADA/ICS systems aims to detect anomalous behaviour based on traffic patterns or on contextual mismatches in message contents, which are specified by standard protocols such as Modbus, DNP3.0 and IEC 61850

  • In the aforementioned Dynamic Link Library (DLL) Injection approaches (Remote Thread, Windows Hook, and Asynchronous Procedure Call (APC)), the LoadLibrary API is called from a fixed location inside an operating-system module, which is what the proposed blocking algorithm relies on
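The last highlight is the observation the defence rests on: when a DLL is forced into the process by Remote Thread, Windows Hook or APC, the resulting LoadLibrary call returns into an OS module (the thread-start thunk in kernel32/ntdll, ntdll's APC dispatcher, or user32's hook loader), not into the host's own code. The following is an added example, not the paper's library, of a call-site check built on that observation: a policy of known module ranges is captured at start-up, and every LoadLibrary call is classified by the return address the hook sees. The module names and address ranges are constructed for the example, the list of OS loader modules is an assumption, and the IAT patch that redirects the host's LoadLibraryW import to `guarded_LoadLibraryW`, as well as the start-up enumeration that fills `g_policy`, are assumed to exist and are not shown.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 64

typedef struct {
    uintptr_t base;      /* image base */
    size_t    size;      /* SizeOfImage */
    char      name[32];  /* base name, e.g. "ntdll.dll" */
    bool      os_loader; /* an OS module that injection stubs call LoadLibrary from */
} module_range_t;

typedef struct { module_range_t mods[MAX_MODULES]; size_t n; } policy_t;

/* ALLOW: host code or a host-loaded DLL. OS_CALLSITE: fixed OS location injection stubs return to. UNKNOWN: no module at all. */
typedef enum { LL_ALLOW = 0, LL_BLOCK_OS_CALLSITE = 1, LL_BLOCK_UNKNOWN_CALLSITE = 2 } ll_verdict_t;

/* Assumed list: CreateRemoteThread(LoadLibrary) returns into the thread-start thunk in
 * kernel32/ntdll, QueueUserAPC(LoadLibrary) into ntdll's APC dispatcher, and
 * SetWindowsHookEx loads the hook DLL from inside user32. */
static const char *const OS_LOADER_MODULES[] = { "ntdll.dll", "kernel32.dll", "user32.dll" };

static bool name_equals_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

bool policy_add(policy_t *p, const char *name, uintptr_t base, size_t size)
{
    if (p->n >= MAX_MODULES || size == 0) return false;
    module_range_t *m = &p->mods[p->n++];
    m->base = base; m->size = size;
    snprintf(m->name, sizeof m->name, "%s", name);
    m->os_loader = false;
    for (size_t i = 0; i < sizeof OS_LOADER_MODULES / sizeof *OS_LOADER_MODULES; i++)
        if (name_equals_ci(m->name, OS_LOADER_MODULES[i])) m->os_loader = true;
    return true;
}

const module_range_t *policy_lookup(const policy_t *p, uintptr_t addr)
{
    for (size_t i = 0; i < p->n; i++)
        if (addr >= p->mods[i].base && addr - p->mods[i].base < p->mods[i].size)
            return &p->mods[i];
    return NULL;
}

/* Verdict for one LoadLibrary call, given the return address the hook observed. */
ll_verdict_t check_loadlibrary_call(const policy_t *p, uintptr_t return_address)
{
    const module_range_t *m = policy_lookup(p, return_address);
    if (m == NULL) return LL_BLOCK_UNKNOWN_CALLSITE;
    return m->os_loader ? LL_BLOCK_OS_CALLSITE : LL_ALLOW;
}

/* Constructed module map (not a real process) for the stand-alone run and the test. */
void build_example_policy(policy_t *p)
{
    memset(p, 0, sizeof *p);
    policy_add(p, "scada_hmi.exe",  0x00400000u, 0x00100000u);
    policy_add(p, "hmi_driver.dll", 0x10000000u, 0x00080000u);
    policy_add(p, "USER32.dll",     0x75000000u, 0x00100000u);
    policy_add(p, "KERNEL32.DLL",   0x76000000u, 0x00100000u);
    policy_add(p, "ntdll.dll",      0x77000000u, 0x00180000u);
}

#ifdef _WIN32 /* live-host glue; everything above is platform-neutral */
#include <windows.h>
#ifdef _MSC_VER
#include <intrin.h>
#define CALLER_ADDRESS() ((uintptr_t)_ReturnAddress())
#else
#define CALLER_ADDRESS() ((uintptr_t)__builtin_return_address(0))
#endif
/* Assumed to be filled with policy_add() at start-up (EnumProcessModules/GetModuleInformation) before untrusted code runs. */
static policy_t g_policy;

/* Target of an IAT patch on the host's LoadLibraryW import: the return address is the call instruction that asked. */
HMODULE WINAPI guarded_LoadLibraryW(LPCWSTR path)
{
    if (check_loadlibrary_call(&g_policy, CALLER_ADDRESS()) != LL_ALLOW) {
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return LoadLibraryW(path);
}
#endif

int main(void)
{
    policy_t p;
    build_example_policy(&p);
    printf("host=%d remote_thread=%d apc=%d hook=%d heap=%d\n",
           check_loadlibrary_call(&p, 0x00401234u), check_loadlibrary_call(&p, 0x76010000u),
           check_loadlibrary_call(&p, 0x77020000u), check_loadlibrary_call(&p, 0x75001000u),
           check_loadlibrary_call(&p, 0x00900000u));
    return 0;
}
```

Two caveats a practitioner should weigh before deploying such a policy: a legitimate SetWindowsHookEx hook (an IME, accessibility tool or vendor add-on) is blocked just like a malicious one, which is usually the intended behaviour on a locked-down SCADA host but must be confirmed against the host's inventory; and a DLL that the host loads legitimately after start-up must be added to the policy on the allow path, otherwise LoadLibrary calls made from inside it will be reported as an unknown call site.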


Summary

Introduction

The Supervisory Control and Data Acquisition (SCADA) system, more broadly the Industrial Control System (ICS), is a system that monitors and controls large-scale, geographically distributed process field devices. In this paper, based on an analysis of recent cyber attacks against SCADA/ICS systems, we explain how SCADA-oriented malware can interfere with important process logic, and how it exploits the code injection technique called Dynamic Link Library (DLL) Injection.

