Abstract — Industrial Control and SCADA (Supervisory Control and Data Acquisition) networks control critical infrastructure such as power plants, nuclear facilities, and water supply systems. These systems are increasingly the target of cyber attacks by threat actors of different kinds, with successful attacks having the potential to cause damage, cost and injury or loss of life. As a result, there is a strong need for enhanced tools to detect cyber threats in SCADA networks. This paper makes a number of contributions to advance research in this area. First, we study the level of support for SCADA protocols in well-known open source intrusion detection systems (IDS). Second, we select a specific IDS, Suricata, and enhance it to include support for detecting threats against SCADA systems running the EtherNet/IP (ENIP) industrial control protocol. Finally, we conduct a traffic-based study to evaluate the performance of the new ENIP module in Suricata, analyzing its behaviour on low-performance hardware.

Keywords—SCADA; Industrial Control; Cyber Security; Intrusion Detection Systems; IDS; Suricata; EtherNet/IP Protocol

I. INTRODUCTION

Industrial Control Systems (ICS) refer to the networked equipment and software used to control and monitor industrial processes. Such systems are used in critical infrastructure sectors and other industries including electrical, water, wastewater, oil and natural gas, chemical, manufacturing and transport. These systems may be localized, as in the case of a manufacturing facility, or highly distributed, as in the case of an oil or gas pipeline or an electrical grid. ICS are composed of specialized components including Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), and Supervisory Control and Data Acquisition (SCADA) systems. In this paper we use the terms SCADA and ICS interchangeably, as is common in the literature, noting however that SCADA systems are but one component of ICS networks.

Historically, proprietary technologies were utilized for SCADA and ICS networks, including specialized protocols such as Modbus, DNP3, Profinet, BACnet and EtherNet/IP (not to be confused with either the Ethernet or IP protocols). This proprietary nature greatly assisted in their security, a factor sometimes referred to as "security by obscurity". The standardization of various elements of ICS networks over the last few years, coupled with the trend of connecting these systems to Wide Area Networks (WANs), enterprise networks and the Internet, has opened up access to such networks.

Opening up ICS networks has led to a number of security issues. This is because the specialized protocols at the heart of ICS devices such as PLCs were designed for an environment which did not consider the impact that networking would have on the security of such systems, leaving ICS susceptible to cyber security threats.

In seeking to protect ICS networks from cyber attacks, security tools including firewalls and Intrusion Detection Systems (IDS) must support the different specialized SCADA protocols, and that support has been limited to date.

This paper presents the results of research focused on broadening the coverage of IDS systems to support additional SCADA protocols. As part of the study, we analyzed multiple open source IDS systems and implemented support in the well-known Suricata IDS to detect cyber threats against industrial controllers running the ENIP (EtherNet/IP) protocol, a protocol widely used in the manufacturing sector. Finally, through an experimental study, we evaluated the performance of running the ENIP-enabled version of Suricata on resource-constrained hardware. This is important because it would allow the solution to be deployed on small form factor, industrial grade hardware which could be cheaply and widely deployed in a large number of places in an industrial control network, thus ensuring higher cyber security coverage.

The rest of this paper is organized as follows. Section 2 discusses related work. Section 3 evaluates open source IDS systems for SCADA protocol support. Sections 4 and 5 analyze the Suricata IDS design and present enhancements to support ENIP. Section 6 describes the performance study and its results. Section 7 concludes the document.

II. RELATED WORK

Signature based intrusion detection systems are one of the key components of a cyber security solution in IT networks. In [1], the authors studied and compared the performance of the three most popular open source Intrusion Detection System (IDS) tools: Snort, Suricata [2] and Bro. In that study, each IDS was built with default settings. The throughput of the multi-threaded Suricata IDS is striking in comparison to the other two systems, Snort in particular. In [3] the authors study the performance of Snort and Suricata on the Windows and Linux operating systems. However, none of these studies focus on SCADA protocols specifically.
There have been attempts to utilize Snort and Suricata in SCADA networks as well. However, support for SCADA protocols is limited in these IDS systems. The Digital Bond project Quickdraw provided signatures for the Modbus and DNP3 protocols. These modules have been part of the Snort distribution since 2012. Quickdraw also appears to have support [4] for the EtherNet/IP protocol which can be utilized with Snort. As of November 2014, the Suricata IDS only supported signatures and detection of attacks against the Modbus protocol.

Academic research on intrusion detection for SCADA systems has continued. In one example, signatures for ICS protocols used in electrical utilities were developed [5] by a team in the United Kingdom and added as a module to Snort. In [6], Nivethan and Papa proposed a framework for dynamic rule generation and deep packet inspection. Their approach is applicable to both Snort and Suricata.

While the majority of academic work on signature based methods has focused on the popular Snort IDS, Lin et al. [7] examined adapting the well-known Bro IDS to support SCADA protocols. As with Quickdraw, this research initially presented an add-on to an existing open source IDS, but aspects of it have since been integrated into the mainline Bro distribution.

III. OPEN SOURCE IDS COVERAGE OF SCADA PROTOCOLS

Our initial research focused on studying the level of support available in existing open source IDS tools to detect cyber threats against SCADA networks. IDS systems almost exclusively rely on signature based threat detection, in which network packets are examined to find traffic which matches the bit patterns (signatures) of known threats. For a variety of reasons, IDS support for SCADA protocols lags behind IDS support for more commonly used IT network protocols. Such systems lack both extensive libraries of signatures and base support for decoding the protocols themselves.

A. Study of SCADA Protocol Coverage

Our work covered multiple open source IDS systems, with particular focus on the three most widely deployed: Snort, Suricata, and Bro. We initially sought to study the level of support for a wide range of SCADA protocols. However, due to the paucity of support, we refocused our efforts on three of the more popular SCADA protocols: Modbus, DNP3, and EtherNet/IP.

We examined two aspects of protocol support: first, whether the system included a preprocessor capable of handling the protocol specifically, and second, whether the system could employ signatures for known threats. A preprocessor is important because in its absence cyber attackers can use packet fragmentation to defeat the signature matching engine: a signature that looks for a byte pattern in a single packet is evaded by splitting that pattern across IP fragments or TCP segments. A preprocessor reassembles the stream and exposes decoded protocol fields, so rules can match on the operation being requested rather than on one byte layout of it.

The Quickdraw package referenced earlier in this paper took an important first step to enhance Snort with SCADA protocol support. The package provides a number of SCADA rules that can be used by Snort and Suricata: 23 DNP3 rules, 16 EtherNet/IP rules, and 14 Modbus TCP rules in total. In addition, there are rules to identify 85 vulnerabilities for various SCADA related threats involving other technologies such as ODBC and ActiveX.

As part of the Quickdraw project, Digital Bond also developed SCADA IDS preprocessors and plugins for the Snort IDS. Early in the project, rules were also developed for the ICCP protocol, but ongoing support for those rules was dropped as they were found to be ineffective without a preprocessor, which apparently had not been developed [8].

The SCADA preprocessors provide keywords that can be used in Snort rules to evaluate the content decoded by the preprocessor. In 2011 the Open Information Security Foundation [9] announced that work would be carried out to ensure that these preprocessors would be updated to work with the latest versions of Snort. However, this no longer appears to be part of the plans. Digital Bond dropped support for the preprocessors and moved the signatures to GitHub around April 2015 [10]. In addition, Emerging Threats does not appear to have done any work to upgrade the signatures or the preprocessor.

B. Findings and Proposed Approach

TABLE I presents a summary of our findings. Our study indicates that Snort had the broadest support, with signatures for all three SCADA protocols under review and preprocessors for Modbus and DNP3, while Bro had preprocessor support for Modbus and DNP3. At the time, Suricata only had support (under development) for Modbus. At the time of publication we understand that DNP3 support may also be available in a future distribution of Suricata.

TABLE I. SUPPORT FOR SCADA PROTOCOLS IN OPEN SOURCE IDS (AS OF JANUARY 2016)

IDS       Protocol      Preprocessor   Signatures
Snort     Modbus        Yes            Yes
Snort     DNP3          Yes            Yes
Snort     EtherNet/IP   No             Yes
Suricata  Modbus        Yes            Yes
Suricata  DNP3          No             Yes
Suricata  EtherNet/IP   No             Yes
Bro       Modbus        Yes            Modbus events
Bro       DNP3          Yes            DNP3 events
Bro       EtherNet/IP   No             No

As a result of the above, steps were taken to design and implement a new module for Suricata with support for the EtherNet/IP protocol. Suricata was selected because it had more widespread deployment relative to Bro, provides significant performance advantages over Snort, and yet had less SCADA preprocessor support than the other two, older open source IDS tools.

IV. SURICATA IDS

Suricata [2] is a newer IDS. It was initially funded by the Department of Homeland Security's Directorate for Science and Technology and is designed to work with Snort rulesets. Rule sets are available from Emerging Threats or Emerging Threats Pro.
2017 IEEE 30th Canadian Conference on Electrical and Computer Engineering (CCECE)
Suricata was developed to be a "next generation IDS engine" with IPS (Intrusion Prevention System) capabilities, designed to be backwards compatible with Snort rulesets. Suricata was designed as a multi-threaded system, enabling it to take advantage of multiple cores. On a single core machine, Snort has been shown to outperform Suricata. However, Suricata exhibits superior performance on multi-core machines with rulesets optimized for Suricata. As a result, it can examine large volumes of traffic without having to reduce the number of rules. Suricata is also distinguished by its visibility into the application layer and its faster parsing of HTTP streams. It can examine HTTP traffic regardless of the port number used and does not rely on port numbers to identify traffic. Suricata also allows inspection inside protocol streams and as a result can extract files from HTTP sessions for further examination [2].

V. DESIGN TO SUPPORT ENIP PROTOCOL

In order to develop support for a new protocol in an IDS it is first important to understand and deconstruct the protocol. EtherNet Industrial Protocol (EtherNet/IP) is an industrial network protocol that combines standard Ethernet technologies with the media-independent Common Industrial Protocol (CIP). CIP is widely used as a unified communication architecture in the manufacturing sector.

The EtherNet/IP encapsulation protocol can be used over TCP and UDP. The same reserved port number (44818) is used for TCP and UDP encapsulation traffic on EtherNet/IP devices; implicit I/O traffic additionally uses UDP port 2222. EtherNet/IP can be viewed as consisting of two parts: (i) the EtherNet/IP encapsulation and (ii) CIP. The EtherNet/IP encapsulation header contains data describing the connections, sessions, and methods of communication. The CIP portion contains the information on objects, instances, attributes and values.

CIP connected messages fall into one of 7 transport classes (labeled 0 through 6). Class 0 and 1 (implicit I/O) connections are transmitted using UDP, while class 2 and 3 (explicit messaging) connections are transmitted using TCP. Explicit messages carry the full Encapsulation Header and Encapsulated Data section of the encapsulation protocol. Note, however, that class 0 and 1 I/O messages on UDP port 2222 carry only the Common Packet Format item list without the 24-byte encapsulation header, so a decoder keyed on that header will not see them. Classes 4, 5 and 6 do not use the encapsulation protocol described here.
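The following Python decoder is an added example and is not code from the paper or from Suricata. It walks the layering just described (encapsulation header, then Common Packet Format items, then the CIP request or response inside a Connected Data item) in the same order as the parser steps listed later in this section, and it shows why Section III insists on a preprocessor: the same CIP request split across two TCP segments is missed by per-packet byte matching but found once the stream is reassembled and decoded. The sample packet, the connection id, the session handle and all function and class names are constructed for this example; only the 24-byte header layout, the SendUnitData command (0x70), the CPF item types 0xA1/0xB1 and the CIP Get_Attribute_Single service (0x0E) come from the public EtherNet/IP and CIP specifications.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ENIP_HEADER_LEN = 24          # fixed encapsulation header size
CMD_SEND_UNIT_DATA = 0x70     # only this command carries connected (class 3) CIP data
CPF_CONNECTED_ADDRESS = 0xA1  # CPF item: 4-byte connection id
CPF_CONNECTED_DATA = 0xB1     # CPF item: 16-bit sequence count + CIP message

@dataclass
class CIPMessage:
    service: int                   # service code with the response bit (0x80) cleared
    is_response: bool
    path: bytes                    # raw EPATH bytes, left undecoded (the paper's step 7)
    general_status: Optional[int]  # responses only
    data: bytes

@dataclass
class ENIPPacket:
    command: int
    length: int
    session: int
    status: int
    sender_context: bytes
    options: int
    cpf_items: List[Tuple[int, bytes]] = field(default_factory=list)
    cip: Optional[CIPMessage] = None

def decode_cip(msg: bytes) -> CIPMessage:
    """Steps 5/6: split one CIP request or response into service code, path and data."""
    if len(msg) < 2:
        raise ValueError("short CIP message")
    is_response, service = bool(msg[0] & 0x80), msg[0] & 0x7F
    if is_response:  # service, reserved, general status, additional-status size (words)
        if len(msg) < 4:
            raise ValueError("short CIP response")
        return CIPMessage(service, True, b"", msg[2], msg[4 + 2 * msg[3]:])
    path_len = 2 * msg[1]  # request path size is given in 16-bit words
    path = msg[2:2 + path_len]
    if len(path) != path_len:
        raise ValueError("truncated request path")
    return CIPMessage(service, False, path, None, msg[2 + path_len:])

def decode_common_packet_format(pkt: ENIPPacket, data: bytes) -> None:
    """Steps 3/4: walk the CPF item list and hand Connected Data items to decode_cip()."""
    if len(data) < 8:  # interface handle (u32) + timeout (u16) + item count (u16)
        raise ValueError("short SendUnitData body")
    item_count, off = struct.unpack_from("<H", data, 6)[0], 8
    for _ in range(item_count):
        if off + 4 > len(data):
            raise ValueError("truncated CPF item header")
        type_id, item_len = struct.unpack_from("<HH", data, off)
        item = data[off + 4:off + 4 + item_len]
        if len(item) != item_len:
            raise ValueError("truncated CPF item")
        off += 4 + item_len
        pkt.cpf_items.append((type_id, item))
        if type_id == CPF_CONNECTED_DATA:
            pkt.cip = decode_cip(item[2:])  # skip the 16-bit sequence count

def parse_enip(buf: bytes) -> ENIPPacket:
    """Steps 2/8: decode the 24-byte encapsulation header, then the encapsulated data."""
    if len(buf) < ENIP_HEADER_LEN:
        raise ValueError("short encapsulation header")
    command, length, session, status, ctx, options = struct.unpack_from("<HHII8sI", buf, 0)
    if len(buf) < ENIP_HEADER_LEN + length:
        raise ValueError("encapsulated data truncated")  # a fragment, not a whole message
    pkt = ENIPPacket(command, length, session, status, ctx, options)
    if command == CMD_SEND_UNIT_DATA:
        decode_common_packet_format(pkt, buf[ENIP_HEADER_LEN:ENIP_HEADER_LEN + length])
    return pkt

def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    # Order TCP segments by sequence number and join them (no overlap handling).
    return b"".join(payload for _, payload in sorted(segments))

# Constructed sample (values made up): SendUnitData carrying CIP Get_Attribute_Single
# (0x0E) on class 1 (Identity), instance 1, attribute 7 (product name).
CIP_REQUEST = bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x07])
CONNECTED_DATA = struct.pack("<H", 1) + CIP_REQUEST                  # sequence count 1
CPF = struct.pack("<HHHI", 2, CPF_CONNECTED_ADDRESS, 4, 0x1234ABCD)  # item count, item 1
CPF += struct.pack("<HH", CPF_CONNECTED_DATA, len(CONNECTED_DATA)) + CONNECTED_DATA
BODY = struct.pack("<IH", 0, 0) + CPF                                # interface handle, timeout
SAMPLE_PACKET = struct.pack("<HHII8sI", CMD_SEND_UNIT_DATA, len(BODY), 0x42, 0,
                            b"ctx-0000", 0) + BODY
# The same packet as two TCP segments, delivered out of order, cut inside the CIP request.
SEGMENTS = [(1050, SAMPLE_PACKET[50:]), (1000, SAMPLE_PACKET[:50])]

def signature_seen_per_packet(segments, pattern: bytes = CIP_REQUEST) -> bool:
    """Per-segment byte matching: a signature engine with no preprocessor or reassembly."""
    return any(pattern in payload for _, payload in segments)

def service_seen_after_reassembly(segments, service: int = 0x0E) -> bool:
    """Reassemble, decode, then match on the parsed CIP service code instead of raw bytes."""
    pkt = parse_enip(reassemble(segments))
    return pkt.cip is not None and not pkt.cip.is_response and pkt.cip.service == service

if __name__ == "__main__":
    print("per-packet byte match:", signature_seen_per_packet(SEGMENTS))              # False
    print("decoded match after reassembly:", service_seen_after_reassembly(SEGMENTS))  # True
```

The length checks matter more than they look: an encapsulation header whose length field exceeds the bytes actually received is either a TCP segment still waiting for its successor or a malformed packet, and a parser that reads past the buffer in that case is itself a denial-of-service target for the IDS.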
a second based on examination of packet streams. The second solution was ultimately adopted and accepted for integration as part of the main distribution of Suricata. The remainder of this paper concentrates on the second solution.

We elaborate briefly on the parser design. The parser decodes the EtherNet/IP encapsulation header as well as most of the encapsulated data and places the result in a data structure for use by the Match function. As illustrated in Fig. 2, the packet parser call graph involves:

1. Add a session initializer to store EtherNet/IP packet data.
2. Parse the EtherNet/IP packet based on the specification details outlined earlier in this document.
3. If the command is of type SendUnitData, parse the Common Packet Format with DecodeCommonPacketFormat(). Otherwise, skip and continue.
4. DecodeCommonPacketFormat() determines whether a Connected Data item is present. If so, DecodeCIP() is called to parse the CIP portion of the Common Packet Format.
5. DecodeCIP() decodes the CIP requests and responses. A request or response may contain multiple services, so each one must be parsed.
6. For each individual service request or response, a decoder extracts the CIP service code.
7. A parser can be added for the CIP path, but it would currently be unused; a decision is needed on whether to add it now or leave it as a future task.
8. Store all data from the above steps in the ENIP_PACKET structure.

VI. PERFORMANCE STUDY AND EVALUATION

We sought to experimentally evaluate the performance of the new Suricata ENIP module in matching signatures against monitored packet traffic. We were particularly interested in the performance when Suricata was run on a hardware platform with a low resource footprint (small memory and CPU), potentially allowing one hardware unit running Suricata to be deployed in front of each PLC in a field network.

package. We also expanded the HOME_NET and EXTERNAL_NET variables in the suricata.yaml configuration file so that no packets would be filtered based on IP addresses.

B. Test Approach - Traffic Generation

An offline test approach was utilized to test Suricata, relying on replaying previously captured traffic. Since it is not easy to obtain large traffic traces from SCADA networks, we created a synthetic traffic trace as described below.

To generate traffic during the tests, we used a packet capture (pcap) file made available by the makers of TCPREPLAY. This file (smallFlows.pcap) is often used for benchmarking the performance of IDS systems. We merged this file with a pcap file from Digital Bond which contained EtherNet/IP traffic, CL5000EIP-FirmwareChange.pcap. Care was taken to ensure that the differing timestamps and IP addresses in the two files did not conflict.

The original packet trace was 12.265 MB in size and consisted of a 5 minute packet capture containing 24,988 packets (83 packets per second) in 229 conversations (bi-directional flows between the same end-points). Replayed at its original timing, this trace generated traffic at a rate of 324 Kbps.

In order to replay the traffic at a faster rate, we used the Bit-Twist libpcap-based Ethernet packet generator. Bit-Twist read the packet traces and replayed the packets from the traffic generation computer to the host running Suricata. We ran Bit-Twist with the "-l 0 -m 0" options, which configure it to run in a loop and to send out the packets as fast as possible. Replaying a single file as fast as possible generated traffic at a rate of approximately 18 Mbps. In order to achieve higher rates, multiple instances of Bit-Twist were run.

C. Results & Analysis

The experiments involved running each test 5 times at different throughput rates. Each time we recorded the percentage of packet drops and the CPU usage percentage. The same experiments were repeated while limiting the memory usage of Suricata: one test limited Suricata to 750 MB, while the other ran with 1.5 GB of memory. The following figures capture the results of the tests and represent the average rate seen over a 1 minute run of Bit-Twist.
REFERENCES