Electrical Engineering-Systems Dept.

*** SEMINAR ***

Niv Goldenberg

(M.Sc. student under the supervision of Prof. Avishai Wool)

on the subject:

Accurate Modeling of Modbus/TCP for Intrusion Detection in SCADA Systems

Modbus/TCP is used in SCADA networks to communicate between the Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). Therefore, deploying Intrusion Detection Systems (IDS) on Modbus networks is an important security measure.

In this talk, I introduce a model-based IDS specifically built for Modbus/TCP. The approach is based on a key observation: Modbus traffic to and from a specific PLC is highly periodic. As a result, we can model each HMI-PLC channel by its own unique deterministic finite automaton (DFA). Our IDS looks deep into the Modbus packets and produces a very detailed model of the traffic. Thus, out method is very sensitive, and is able to flag anomalies such as a message appearing out of its position in the normal sequence, or a message referring to a single unexpected bit. We designed an algorithm to automatically construct the channel’s DFA based on about 100 captured messages.

A significant contribution is that we tested our approach on a production Modbus system. Despite its high sensitivity, the system enjoyed a super-low false-positive rate: on 5 out of the 7 PLCs we observed a perfect match of the model to the traffic, without a single false alarm for 111 hours. Further, our system successfully flagged real anomalies that were caused by technicians troubleshooting the HMI system, and also helped uncover one incorrectly configured PLC.