Accurate Modeling of The Siemens S7 SCADA Protocol For Intrusion Detection And Digital Forensic

The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observati...

Full description

Bibliographic Details
Main Authors: Amit Kleinmann, Avishai Wool
Format: Article
Language:English
Published: Association of Digital Forensics, Security and Law 2014-09-01
Series:Journal of Digital Forensics, Security and Law
Online Access:http://ojs.jdfsl.org/index.php/jdfsl/article/view/262
Description
Summary:The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate - over 99.82% of the traffic was identified as normal.
ISSN:1558-7215
1558-7223