Journal:SCADA system testbed for cybersecurity research using machine learning approach

From LIMSWiki
Revision as of 00:09, 12 March 2019 by Shawndouglas (Saving and adding more.)
Full article title SCADA system testbed for cybersecurity research using machine learning approach
Journal Future Internet
Author(s) Teixeira, Marcio Andrey; Salman, Tara; Zolanvari, Maede;
Jain, Raj; Meskin, Nader; Samaka, Mohammed
Author affiliation(s) Federal Institute of Education, Science, and Technology of Sao Paulo,
Washington University in Saint Louis, Qatar University
Primary contact Email: marcio dot andrey at ifsp dot edu dot br
Year published 2018
Volume and issue 10(8)
Page(s) 76
DOI 10.3390/fi10080076
ISSN 1999-5903
Distribution license Creative Commons Attribution 4.0 International
Website https://www.mdpi.com/1999-5903/10/8/76/htm
Download https://www.mdpi.com/1999-5903/10/8/76/pdf (PDF)

Abstract

This paper presents the development of a supervisory control and data acquisition (SCADA) system testbed used for cybersecurity research. The testbed consists of a water storage tank’s control system, which is a stage in the process of water treatment and distribution. Sophisticated cyber-attacks were conducted against the testbed. During the attacks, the network traffic was captured, and features were extracted from the traffic to build a dataset for training and testing different machine learning algorithms. Five traditional machine learning algorithms were trained to detect the attacks: Random Forest, Decision Tree, Logistic Regression, Naïve Bayes, and KNN. Then, the trained machine learning models were built and deployed in the network, where new tests were made using online network traffic. The performance obtained during the training and testing of the machine learning models was compared to the performance obtained during the online deployment of these models in the network. The results show the efficiency of the machine learning models in detecting the attacks in real time. The testbed provides a good understanding of the effects and consequences of attacks on real SCADA environments.

Keywords: cybersecurity, machine learning, SCADA system, network security

Introduction

Supervisory control and data acquisition (SCADA) systems are industrial control systems (ICS) widely used by industries to monitor and control different processes such as oil and gas pipelines, water distribution systems, electrical power grids, etc. These systems provide automated control and remote monitoring of services being used in daily life. For example, state and municipal governments use SCADA systems to monitor and regulate water levels in reservoirs, pipe pressure, and water distribution.

A typical SCADA system includes components like computer workstations, a human-machine interface (HMI), programmable logic controllers (PLCs), sensors, and actuators.[1] Historically, these systems ran on private, dedicated networks. However, with the widespread deployment of remote management, open IP networks (e.g., the internet) are now used for SCADA system communication.[2] This exposes SCADA systems to cyberspace and makes them vulnerable to cyber-attacks launched over the internet.

Machine learning (ML) and artificial intelligence techniques have been widely used to build intelligent and efficient intrusion detection systems (IDS) dedicated to ICS. However, researchers generally develop and train their ML-based security systems using network traces obtained from publicly available datasets. Because malware evolves and attack strategies change, models trained on these datasets fail to protect the system from new types of attacks; consequently, the benchmark datasets should be updated periodically.

This paper presents the deployment of a SCADA system testbed for cybersecurity research and investigates the feasibility of using ML algorithms to detect cyber-attacks in real time. The testbed was built using equipment deployed in real industrial settings. Sophisticated attacks were conducted on the testbed to develop a better understanding of the attacks and their consequences in SCADA environments. The network traffic was captured, including both abnormal and normal traffic. The behavior of both types of traffic was analyzed, and features were extracted to build a new SCADA-IDS dataset. This dataset was then used for training and testing ML models, which were subsequently deployed in the network. The performance of an ML model depends heavily on the available datasets. One of the main contributions of this paper is building a new dataset updated with recent and more sophisticated attacks. We argue that an IDS using ML models trained with a dataset generated at the process control level could be more efficient, less complicated, and more cost-effective than traditional protection techniques. Five traditional machine learning algorithms were trained to detect the attacks: Random Forest, Decision Tree, Logistic Regression, Naïve Bayes, and KNN. Once trained and tested, the ML models were deployed in the network, where real network traffic was used to analyze the effectiveness and efficiency of the ML models in a real-time environment. We compared the performance obtained during the training and test phase of the ML models with the performance obtained during the online deployment of these models in the network. The online deployment is another contribution of this paper, since most published papers report only the performance obtained during the training and test phases. We conducted this research to build IDS software based on ML models to be deployed in ICS/SCADA systems.

The remainder of this paper is organized as follows. The next section presents a brief background of the ICS-SCADA system reference model and related works. Afterwards, we describe the developed SCADA system testbed, and then we describe the ML algorithms and the performance measurements used in this work. The last three sections show the conducted attack scenarios and the main features of the dataset used to train the algorithms, the results and the interpretations behind them, and a summary of the main points and outcomes.

Background

In this section, we briefly present a description of the ICS-SCADA reference model and some related works in the domain of ML algorithms for SCADA system security.

ICS reference model

"ICS" is a general term that covers numerous control systems, including SCADA systems, distributed control systems, and other control system configurations.[3] An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that are used to achieve various industrial objectives (e.g., manufacturing, transportation of matter or energy). Figure 1 shows an example of an ICS reference model.[4]


Fig1 Teixeira FutureInternet2018 10-8.png

Fig. 1 Industrial control systems (ICS) reference model[4]

As can be seen from Figure 1, the ICS model is divided into four levels, from 3 to 0. Level 3 (the corporate network) consists of traditional information technology, including the general deployment of services and systems, such as file transfer, websites, mail servers, resource planning, and office automation systems. Level 2 (the supervisory control local area network) includes the functions involved in monitoring and controlling the physical processes and the general deployment of systems such as HMIs, engineering workstations, and history logs. Level 1 (the control network) includes the functions involved in sensing and manipulating physical processes, e.g., receiving the information, processing the data, and triggering outputs, which are all done in PLCs. Level 0 (the I/O network) consists of devices (sensors/actuators) that are directly connected to the physical process.

As shown in Figure 1, Level 3 is composed of the traditional IT infrastructure system (internet access service, file transfer protocol server, virtual private network (VPN) remote access, etc.). Levels 2, 1, and 0 represent a typical SCADA system, which is composed of the following components:

  • HMI: Used to observe the status of the system or to adjust the system parameters for processes control and management purposes
  • Engineering workstation: Used by engineers for programming the control functions of the HMI
  • History logs: Used to collect the data in real-time from the automation processes for current or later analysis
  • PLCs: Slave stations in the SCADA architecture that are connected to sensors or actuators

The SCADA communication protocol

There are several communication protocols developed for use in SCADA systems. These protocols define the standard message format for all inter-device communications in the network. One popular protocol, which is widely used in SCADA system environments, is the Modbus protocol.[5] Modbus is an application-layer messaging protocol that provides client/server communication between devices connected to an Ethernet network (Modbus/TCP) and offers services specified by function codes. The function codes tell the server (e.g., the PLC) what action to take. For example, a client can read the status of the discrete outputs or the values of the digital inputs from the PLC, or it can read/write the contents of a group of registers inside the PLC. Modbus itself carries no authentication or encryption, so any host that can reach the PLC over the network can issue these requests. Figure 2 illustrates an example of Modbus client/server communication.


Fig2 Teixeira FutureInternet2018 10-8.png

Fig. 2 Modbus client/server communication example

The Modbus data model consists of four data reference types[5][6], summarized in Table 1. In the traditional notation the leading digit names the table and the "xxxx" is a four-digit address location in the user data memory. Note that on the wire each table is addressed zero-based, so reference 40001 corresponds to holding register address 0 in the protocol data unit.[6]

Table 1. Data reference types[6][7]
Reference   Range         Description
0xxxx       00001–09999   Read/write discrete outputs or coils
1xxxx       10001–19999   Read-only discrete inputs
3xxxx       30001–39999   Read-only input registers
4xxxx       40001–49999   Read/write output or holding registers
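The following is an added example for this page (not code from the paper) showing how the reference types in Table 1 and the client/server exchange in Figure 2 look on the wire: a Modbus/TCP request is a 7-byte MBAP header followed by a function-code PDU, as laid out in the Modbus Application Protocol Specification[6]. It maps a Table 1 reference to the zero-based protocol address, encodes a Read Holding Registers request, decodes a constructed response, and flags write function codes from a host other than an assumed HMI address (192.168.1.10 is an assumption for the example; the server response bytes are constructed).

```python
from __future__ import annotations
import struct

# Added example, not from the paper. Frames follow the public Modbus Application
# Protocol Specification V1.1b3 and the Modbus/TCP MBAP header; the authorized
# master address and the sample response are constructed assumptions.

# Public function codes from the specification, grouped by Table 1 data type.
READ_COILS = 0x01                 # 0xxxx
READ_DISCRETE_INPUTS = 0x02       # 1xxxx (read-only)
READ_HOLDING_REGISTERS = 0x03     # 4xxxx
READ_INPUT_REGISTERS = 0x04       # 3xxxx (read-only)
WRITE_SINGLE_COIL = 0x05          # 0xxxx
WRITE_SINGLE_REGISTER = 0x06      # 4xxxx
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
               WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
READ_CODE_FOR_TABLE = {0: READ_COILS, 1: READ_DISCRETE_INPUTS,
                       3: READ_INPUT_REGISTERS, 4: READ_HOLDING_REGISTERS}


def reference_to_pdu_address(reference: int) -> tuple[int, int]:
    """Map a Table 1 reference (e.g. 40001) to (read function code, PDU address).
    The leading digit only selects the table; on the wire items are addressed
    zero-based, so 40001 becomes holding register address 0."""
    table, offset = divmod(reference, 10000)
    if table not in READ_CODE_FOR_TABLE or not 1 <= offset <= 9999:
        raise ValueError(f"invalid Modbus reference {reference}")
    return READ_CODE_FOR_TABLE[table], offset - 1


def build_request(transaction_id: int, unit_id: int, function_code: int,
                  address: int, quantity_or_value: int) -> bytes:
    """Encode a request ADU: MBAP header (transaction id, protocol id 0, remaining
    length, unit id) plus a 5-byte PDU. For read codes the last field is the
    quantity; for 0x05/0x06 it is the value to write."""
    pdu = struct.pack(">BHH", function_code, address, quantity_or_value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(adu: bytes) -> dict:
    """Split an ADU into MBAP fields and PDU, checking the length field against
    the bytes actually present (a mismatch means a malformed or truncated frame)."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol identifier {pid}")
    if length != len(adu) - 6:
        raise ValueError(f"length field {length} does not match {len(adu) - 6}")
    fc = adu[7]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": adu[8:]}


def decode_register_response(adu: bytes) -> list[int]:
    """Decode the 16-bit values in a 0x03/0x04 response (byte count, then words)."""
    frame = parse_adu(adu)
    if frame["exception"]:
        raise ValueError(f"server returned exception code {frame['data'][0]}")
    if frame["function_code"] not in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS):
        raise ValueError("not a register read response")
    data = frame["data"]
    byte_count = data[0]
    if byte_count != len(data) - 1 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data[1:]))


# Constructed assumption: only the HMI at this address may issue writes.
AUTHORIZED_MASTERS = {"192.168.1.10"}


def flag_write(src_ip: str, adu: bytes) -> str | None:
    """Modbus has no authentication, so any client can write coils or registers;
    a network-level rule can at least flag writes from hosts other than known masters."""
    frame = parse_adu(adu)
    if frame["function_code"] in WRITE_CODES and src_ip not in AUTHORIZED_MASTERS:
        return (f"write function 0x{frame['function_code']:02X} to unit "
                f"{frame['unit_id']} from unauthorized host {src_ip}")
    return None


if __name__ == "__main__":
    fc, addr = reference_to_pdu_address(40001)
    req = build_request(1, 1, fc, addr, 2)        # read 2 holding registers from 40001
    print(req.hex())
    # Constructed response: unit 1, fc 0x03, 4 data bytes, values 42 and 256.
    resp = bytes.fromhex("000100000007010304002a0100")
    print(decode_register_response(resp))
    forged = build_request(7, 1, WRITE_SINGLE_COIL, 0, 0xFF00)  # coil 00001 := ON
    print(flag_write("192.168.1.77", forged))
```

The source-address rule is deliberately weak: an attacker on the same network can spoof the HMI address, which is why the paper argues for ML models trained on process-level traffic rather than static filters alone.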

Related works

Cyber-attacks are continuously evolving and changing behavior to bypass security mechanisms. Thus, the utilization of advanced security mechanisms is essential to identify and prevent new attacks. In this sense, the development of real testbeds advances the research in this area.

Morris et al.[7] describe four datasets to be used for cybersecurity research. The datasets include network traffic, process control, and process measurement features from a set of attacks against testbeds which use the Modbus application layer protocol. The authors argue that several datasets exist to train and validate IDS for traditional information technology systems, but in the SCADA security area there is a lack of available and accessible SCADA network traffic. In our work, a new dataset with new types of attacks was created. Once our dataset is made available, it provides a resource that researchers can use to train and validate their models and to compare their results with other datasets.

In order to investigate the security of the Modbus/TCP protocol, Miciolino et al.[8] explored a complex cyber-physical testbed conceived for the control and monitoring of a water system. The analysis of the experimental results highlights the critical characteristics of Modbus/TCP as a popular communication protocol in ICS environments. They concluded that, by obtaining sufficient knowledge of the system, an attacker is able to change the commands sent to the actuators or the sensor readings in order to achieve their malicious objectives. Obtaining knowledge of the system is the first step in attacking it; this step is known as reconnaissance. Hence, in our work, our ML models are trained to recognize this kind of attack.

Rosa et al.[9] describe some practical cyber-attacks using an electricity grid testbed. This testbed consists of a hybrid environment of SCADA assets (e.g., PLCs, HMIs, process control servers) controlling an emulated power grid. The work explains their attacks and discusses some of the challenges faced by an attacker in implementing them. One of the attacks is the reconnaissance network attack. The authors argue that this kind of attack can be used not only to discover devices and types of services but also to perform fingerprinting and discover PLCs behind the gateways. Hence, in our work, advanced reconnaissance attacks were carried out, and ML algorithms were used to detect them.

Keliris et al.[10] developed a process-aware supervised learning defense strategy that considers the operational behavior of an ICS to detect attacks in real-time. They used a benchmark chemical process and considered several categories of attack vectors on their hardware controllers. They used their trained SVM model to detect abnormalities in real-time and to distinguish between disturbances and malicious behavior as well. In our work, we used five ML algorithms to identify the abnormal behavior in real-time and evaluated their detection performance.

Tomin et al.[11] presented a semi-automated method for online security assessment using ML techniques. They outline their experience obtained at the Melentiev Energy Systems Institute, Russia in developing ML-based approaches for detecting potentially dangerous states in power systems. Multiple ML algorithms were trained offline using a resampling cross-validation method. Then, the best model among the ML algorithms was selected based on performance and was used online. They argue that the use of ML techniques provides reliable and robust solutions that can resolve the challenges in planning and operating future industrial systems with an acceptable level of security.

Cherdantseva et al.[12] reviewed the state of the art in cybersecurity risk assessment of SCADA systems. This review indicates that despite the popularity of the machine learning techniques, research groups in ICS security have reported a lack of standard datasets for training and testing machine learning algorithms. The lack of standard datasets has resulted in an inability to develop robust ML models to detect the anomalies in ICS. Using the testbed proposed in this paper, we built a new dataset for training and testing ML algorithms.

The SCADA system testbed

In this section, we describe the configuration of our SCADA system testbed for cybersecurity research.

The purpose of our testbed is to emulate real-world industrial systems as closely as possible without replicating an entire plant or assembly system [13]. The utilization of a testbed allows us to carry out real cyber-attacks. Our testbed is dedicated to controlling a water storage tank, which is a part of the process of water treatment and distribution. The components used in our testbed are commonly used in real SCADA environments. Figure 3 shows the SCADA testbed framework for our targeted application and Table 2 shows a brief description of the equipment used to build the testbed.


Fig3 Teixeira FutureInternet2018 10-8.png

Fig. 3 The testbed framework

Table 2. Description of the devices used in the testbed
Device Description
On button Turns on the level control process of the water storage tank
Off button Turns off the level control process of the water storage tank
Light indicator Indicates whether the system is on or off
Level sensor 1 (LS1) Monitors the maximum water level in the tank; when the water reaches the maximum level, the sensor sends a signal to PLC
Level sensor 2 (LS2) Monitors the minimum water level in the tank; when the water reaches the minimum level, the sensor sends a signal to PLC
Valve Controls the water level in the tank. When the water reaches the maximum level, the valve opens, and when the water reaches the minimum level, the valve closes. This logic is implemented in the PLC using ladder logic.
Water pump 1 Fills up the water tank
Water pump 2 Draws water from the tank when the valve is open
PLC Controls the physical process. The logic of the water control system is in PLC, which receives signals from the input devices (buttons, sensors), executes the program, and sends signals to the output devices (water pumps and valve).
HMI Used by the administrator to monitor and control the water storage system in real-time. The administrator can also display the devices’ state and interact with the system through this interface.
Data history Used to store logs and events of the SCADA system.

As shown in Figure 3, the storage tank has two level sensors, Level Sensor 1 (LS1) and Level Sensor 2 (LS2), that monitor the water level in the tank. When the water reaches the maximum level defined in the system, LS1 sends a signal to the PLC. The PLC turns off Water Pump 1 (used to fill up the tank), opens the valve, and turns on Water Pump 2 to draw the water from the tank. When the water reaches the minimum level defined in the system, LS2 sends a signal to the PLC, which closes the valve, turns off Water Pump 2, and turns on Water Pump 1 to fill up the tank. This process starts over when the water level reaches LS1. The SCADA system gets data from the PLC using the Modbus communication protocol and displays them to the system operator through the HMI.
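As an added example (not the paper's ladder program), the control loop just described can be modelled as a small state machine driven by the LS1/LS2 events, with a process-aware plausibility rule of the kind Keliris et al.[10] use to separate disturbances from tampering. The initial state (tank filling), the unit-per-tick level model, and the plausibility rule are assumptions made for the example; the forged-write scenario is constructed to show what an actuator command changed behind the PLC's back looks like to such a rule.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example for this page, not the testbed's PLC code. Models the described
# logic: LS1 = maximum level, LS2 = minimum level. Initial state and the
# plausibility rule are assumptions.


@dataclass
class TankController:
    running: bool = True
    pump1_on: bool = True      # fills the tank
    pump2_on: bool = False     # drains the tank through the valve
    valve_open: bool = False

    def on_ls1(self) -> None:
        """LS1 asserted: maximum level. Stop filling, open the valve, start draining."""
        if self.running:
            self.pump1_on, self.valve_open, self.pump2_on = False, True, True

    def on_ls2(self) -> None:
        """LS2 asserted: minimum level. Close the valve, stop draining, start filling."""
        if self.running:
            self.valve_open, self.pump2_on, self.pump1_on = False, False, True

    def off_button(self) -> None:
        self.running = False
        self.pump1_on = self.pump2_on = self.valve_open = False

    def on_button(self) -> None:
        self.running = True
        self.on_ls2()          # assumption: restart in the filling phase


def plausible(c: TankController) -> bool:
    """Assumed process rule: when stopped nothing runs; when running exactly one
    pump is on, and the valve is open if and only if pump 2 is draining."""
    if not c.running:
        return not (c.pump1_on or c.pump2_on or c.valve_open)
    return c.pump1_on != c.pump2_on and c.valve_open == c.pump2_on


def simulate(ticks: int, low: int = 2, high: int = 8) -> list[int]:
    """Run the loop with one unit of water per tick and return the level trace.
    The sensors trip at the thresholds, so the level stays within [low, high]."""
    c, level, trace = TankController(), low, []
    for _ in range(ticks):
        if level >= high:
            c.on_ls1()
        elif level <= low:
            c.on_ls2()
        if not plausible(c):
            raise RuntimeError(f"implausible actuator state: {c}")
        level += 1 if c.pump1_on else 0
        level -= 1 if (c.pump2_on and c.valve_open) else 0
        trace.append(level)
    return trace


def forged_valve_write() -> bool:
    """Constructed scenario: a Modbus coil write opens the valve while pump 1 is
    still filling. The protocol accepts it; only the process rule notices."""
    c = TankController()       # filling phase
    c.valve_open = True        # actuator command changed without the PLC logic
    return plausible(c)


if __name__ == "__main__":
    print(simulate(12))        # rises to 8, drains back to 2
    print(forged_valve_write())
```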

There are other ICS protocols which could be used instead of Modbus in our testbed. For example, DNP3 is an ICS protocol that provides some security mechanisms.[13][14] However, in recent research, Li et al.[15] reported finding 17,546 Modbus devices connected directly to the internet, spread all over the world, and that count excludes equipment not directly reachable from the internet. Although other ICS protocols exist, many industries still run SCADA systems over Modbus because their equipment does not support anything else. In that situation, detecting attacks on the existing network can be cheaper than the alternatives, such as replacing the devices.

A Schneider Electric Modicon M241 PLC (model M241CE40)[16] is used in our testbed to control the process of the water storage tank. The PLC is programmed in ladder logic[17] (not covered in this paper). The sensors described in Table 2 are connected to the digital inputs of the PLC, and the pumps and valve are connected to its outputs.

Machine learning algorithms and performance measurements

In this section, we describe the ML algorithms used in our work as well as the measurements used to evaluate their performances.

Machine learning algorithms

References

  1. Aragó, A.S.; Martínez, E.R.; Clares, S.S. (2014). "SCADA Laboratory and Test-bed as a Service for Critical Infrastructure Protection". Proceedings of the 2nd International Symposium on ICS & SCADA Cyber Security Research 2014: 25–9. doi:10.14236/ewic/ics-csr2014.4.
  2. Communication Technologies, Inc. (October 2004). "Supervisory Control and Data Acquisition (SCADA) Systems" (PDF). Technical Information Bulletin 04-1. National Communications System. https://www.cedengineering.com/userfiles/SCADA%20Systems.pdf. Retrieved 08 August 2018.
  3. Filkins, B. (2 February 2016). "IT Security Spending Trends". SANS Analyst Papers. SANS Institute. https://www.sans.org/reading-room/whitepapers/analyst/membership/36697. Retrieved 05 June 2018.
  4. Stouffer, K.; Pillitteri, V.; Lightman, S. et al. (May 2015). "Guide to Industrial Control Systems (ICS) Security" (PDF). NIST Special Publication 800-82 Revision 2. National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-82r2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf. Retrieved 05 June 2018.
  5. "Modbus Technical Resources". Modbus Organization, Inc. http://www.modbus.org/tech.php. Retrieved 05 December 2017.
  6. "Modbus Application Protocol Specification V1.1b3" (PDF). Modbus Organization, Inc. 26 April 2012. http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf. Retrieved 08 August 2018.
  7. Morris, T.; Wei, G. (2014). "Industrial Control System Traffic Data Sets for Intrusion Detection Research". Proceedings from the International Conference on Critical Infrastructure Protection VIII: 65–78. doi:10.1007/978-3-662-45355-1_5.
  8. Miciolino, E.E.; Bernieri, G.; Pascucci, F.; Setola, R. (2015). "Communications network analysis in a SCADA system testbed under cyber-attacks". Proceedings of the 23rd Telecommunications Forum TELFOR: 341–4. doi:10.1109/TELFOR.2015.7377479.
  9. Rosa, L.; Cruz, T.; Simões, P. et al. (2017). "Attacking SCADA systems: A practical perspective". IFIP/IEEE Symposium on Integrated Network and Service Management: 741–6. doi:10.23919/INM.2017.7987369.
  10. Keliris, A.; Salehghaffari, H.; Cairl, B. et al. (2016). "Machine learning-based defense against process-aware attacks on Industrial Control Systems". Proceedings from the 2016 IEEE International Test Conference: 1–10. doi:10.1109/TEST.2016.7805855.
  11. Tomin, N.V.; Kurbatsky, V.G.; Sidorov, D.N. et al. (2016). "Machine Learning Techniques for Power System Security Assessment". IFAC-PapersOnLine 49 (27): 445–50. doi:10.1016/j.ifacol.2016.10.773.
  12. Cherdantseva, Y.; Burnap, P.; Blyth, A. et al. (2016). "A review of cyber security risk assessment methods for SCADA systems". Computers & Security 56: 1–27. doi:10.1016/j.cose.2015.09.009.
  13. "Overview of the DNP3 Protocol". DNP User Group. https://www.dnp.org/Pages/AboutDefault.aspx. Retrieved 03 June 2018.
  14. Darwish, I.; Igbe, O.; Saadawi, T. et al. (2015). "Experimental and theoretical modeling of DNP3 attacks in smart grids". Proceedings from the 36th IEEE Sarnoff Symposium: 155–60. doi:10.1109/SARNOF.2015.7324661.
  15. Li, Q.; Feng, X.; Wang, H. et al. (2018). "Understanding the Usage of Industrial Control System Devices on the Internet". IEEE Internet of Things Journal 5 (3): 2178–89. doi:10.1109/JIOT.2018.2826558.
  16. "Modicon M241 Micro PLC - TM241CE40R". Schneider Electric. https://www.schneider-electric.us/en/product/TM241CE40R/controller-m241-40-io-relay-ethernet/. Retrieved 08 August 2018.
  17. Erickson, K.T. (2011). Programmable Logic Controllers: An Emphasis on Design and Application (2nd ed.). Dogwood Valley Press. ISBN 9780976625902.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added.