Abstract
Supervisory control and data acquisition (SCADA) systems require real-time threat monitoring and early warning systems to identify cyber attacks. Organizations typically employ intrusion detection systems to identify attack events and to provide situational awareness. However, as cyber attacks become more sophisticated, intrusion detection signatures that match single events are no longer adequate. Effective intrusion detection requires the correlation of multiple events that are temporally and/or spatially separated. This paper proposes an event correlation mechanism for cyber threat detection that is organized around a semantic event hierarchy: cyber attacks are specified in terms of low-level events detected in the communications and computing infrastructure, and these events are correlated to identify attacks of broader scope. The paper also describes a distributed architecture for real-time event capture, correlation and dissemination. The architecture employs a publish/subscribe mechanism that pushes correlation work out to distributed field agents with limited computing resources, in order to improve real-time attack detection while limiting unnecessary communications overhead.
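The correlation mechanism and the field-agent/central split described in the abstract, as an added Python illustration (not the paper's code): each field agent applies sliding-window rules to the raw events it observes, climbs the event hierarchy locally, and publishes upstream only what it cannot refine itself; a central correlator then combines composite events from spatially separated agents. The event kinds, rules, agent names and sample events below are constructed for this example and are not taken from the paper.

```python
"""Sliding-window event correlation over a semantic event hierarchy, with field
agents publishing only what they cannot refine locally. Added example, not the
paper's implementation; all kinds, rules and sample events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # observation time, seconds
    source: str    # field agent (site or network segment) that observed it
    kind: str      # name in the semantic event hierarchy


@dataclass(frozen=True)
class Rule:
    emits: str           # higher-level event produced when the rule fires
    requires: frozenset  # lower-level kinds that must all be observed ...
    window: float        # ... within this many seconds of one another
    same_source: bool    # True: one agent only; False: may be spatially separated


class Sink:
    """Terminal subscriber (an operator console): records what reaches it."""
    def __init__(self):
        self.alerts = []

    def publish(self, ev):
        self.alerts.append(ev)


class Correlator:
    """One node in the pub/sub tree: a field agent or the central correlator."""
    def __init__(self, name, rules, subscribers=()):
        self.name, self.rules = name, rules
        self.subscribers = list(subscribers)
        self.buffers = defaultdict(deque)   # kind -> recent events of that kind
        self.horizon = max((r.window for r in rules), default=0.0)
        self.sent = 0                       # messages pushed to subscribers

    def publish(self, ev):
        """Ingest one event; return the higher-level events it triggered here."""
        if not any(ev.kind in r.requires for r in self.rules):
            for sub in self.subscribers:    # nothing local can refine it: pass it on
                sub.publish(ev)
                self.sent += 1
            return []
        self.buffers[ev.kind].append(ev)
        self._expire(ev.ts)
        emitted = []
        for rule in self.rules:
            if ev.kind not in rule.requires:
                continue
            matched = self._match(rule, ev)
            if matched is None:
                continue
            for m in matched:
                self.buffers[m.kind].remove(m)   # consume, so a match fires once
            out = Event(ev.ts, ev.source if rule.same_source else self.name, rule.emits)
            emitted.append(out)
            emitted.extend(self.publish(out))    # may climb further up the hierarchy
        return emitted

    def _match(self, rule, ev):
        """Pick one event of every other required kind within rule.window of ev."""
        picked = [ev]
        for kind in rule.requires - {ev.kind}:
            cands = [c for c in self.buffers[kind]
                     if abs(c.ts - ev.ts) <= rule.window
                     and (not rule.same_source or c.source == ev.source)]
            if not cands:
                return None
            picked.append(cands[-1])             # most recent qualifying observation
        return picked

    def _expire(self, now):
        """Drop events older than the longest window (assumes time-ordered input)."""
        for buf in self.buffers.values():
            while buf and now - buf[0].ts > self.horizon:
                buf.popleft()


LOCAL_RULES = [   # applied by every field agent to its own observations
    Rule("suspicious_login", frozenset({"auth_failure", "auth_success"}), 30.0, True),
    Rule("unauthorized_reconfig", frozenset({"suspicious_login", "config_write"}), 120.0, True),
]
CENTRAL_RULES = [  # correlates composites coming from different agents
    Rule("coordinated_process_attack",
         frozenset({"unauthorized_reconfig", "setpoint_change"}), 300.0, False),
]

# Constructed sample events (not real telemetry): a brute-forced login on an RTU,
# a configuration write, then a setpoint change seen by a different agent.
SAMPLE = [
    Event(0.0, "rtu-7", "auth_failure"), Event(12.0, "rtu-7", "auth_failure"),
    Event(19.0, "rtu-7", "auth_success"), Event(75.0, "rtu-7", "config_write"),
    Event(140.0, "hmi-1", "setpoint_change"),
    Event(900.0, "hmi-1", "auth_failure"),   # isolated indicator: never escalates
]


def run(events=SAMPLE):
    """Feed events to their agents; return (console alerts, upstream msgs, raw count)."""
    console = Sink()
    central = Correlator("central", CENTRAL_RULES, subscribers=[console])
    agents = {n: Correlator(n, LOCAL_RULES, subscribers=[central])
              for n in {e.source for e in events}}
    for ev in sorted(events, key=lambda e: e.ts):
        agents[ev.source].publish(ev)
    return console.alerts, sum(a.sent for a in agents.values()), len(events)


if __name__ == "__main__":
    alerts, upstream, raw = run()
    print([(a.ts, a.source, a.kind) for a in alerts], f"{upstream}/{raw} sent upstream")
```

On the sample input the two agents observe six raw events but send only two messages upstream (one unauthorized_reconfig composite and one raw setpoint_change the HMI agent has no rule for), and the console receives a single coordinated_process_attack alert. Consuming matched events after a rule fires keeps a burst of repeated indicators from generating duplicate composites; the expiry pass bounds buffer growth on a resource-constrained agent.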
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Deng, Y., Shukla, S. (2013). A Distributed Real-Time Event Correlation Architecture for SCADA Security. In: Butts, J., Shenoi, S. (eds) Critical Infrastructure Protection VII. ICCIP 2013. IFIP Advances in Information and Communication Technology, vol 417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45330-4_6
DOI: https://doi.org/10.1007/978-3-642-45330-4_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45329-8
Online ISBN: 978-3-642-45330-4