Xun Yi

SCADA Security



if one station, say the HMI station, fails, another HMI station will take over.

Schematic illustration of the second-generation SCADA architecture.

Networked systems (Third Generation)

2.1.3 Protocols

Schematic illustration of the third-generation SCADA architecture.

Schematic illustration of the Modbus frame.

2.2.1 SCADA Network-Based

A SCADA network-based IDS (Valdes and Cheung, 2009; Gross et al., 2004; Ning et al., 2002; Linda et al., 2009) captures the data packets exchanged between devices, such as point-to-point traffic within RTU/PLCs and between RTU/PLCs and CTUs. The monitoring devices are distributed throughout the network. The information in the captured packets is evaluated to determine whether or not it constitutes a threat; if a packet is suspicious, security team members are alerted for further investigation. The advantage of SCADA network-based IDSs is their lower computational cost: only the information in the packet header is needed for the investigation, so a SCADA network packet can be scrutinized on the fly. Consequently, a large amount of network data can be inspected satisfactorily and within an acceptable time (Linda et al., 2009).

However, under high network traffic a SCADA network-based IDS may be unable to monitor every packet and may miss an attack being launched. The key weakness is that the operational meaning of the monitored SCADA system cannot be inferred from the information available at the network level, such as IP addresses and TCP ports. Therefore, if the payload of a SCADA network packet carries a malicious control message crafted at the application level, the SCADA network-based IDS cannot detect it as long as the message does not violate the specification of the protocol in use or the communication pattern between SCADA networked devices (Fovino et al., 2010a, 2012; Carcano et al., 2011).
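The limitation described above, as an added example that is not from the book: a protocol-conformance check of the kind a network-based IDS can perform accepts any well-formed Modbus/TCP frame, while a check that knows the process semantics (here an assumed register map and safe set-point range, both hypothetical) flags a correctly formed write whose commanded value is operationally unsafe.

```python
import struct
# Modbus/TCP frame = 7-byte MBAP header + PDU (function code + data).
# Frames, register map and limits below are constructed for this example.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
KNOWN_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10}
# Assumed: holding register 0x0010 is a pump-speed set point, safe range 0..120 (hypothetical).
SETPOINT_LIMITS = {0x0010: (0, 120)}

def build_frame(tid, unit, function, data):
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu  # length = unit id + PDU

def parse_frame(frame):
    """Split a frame into header fields and PDU, rejecting malformed ones."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("MBAP header inconsistent with payload")
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def protocol_level_check(frame):
    """What a network-based IDS can decide from protocol conformance alone."""
    try:
        f = parse_frame(frame)
    except ValueError as exc:
        return f"alert: {exc}"
    if f["function"] not in KNOWN_FUNCTIONS:
        return "alert: unknown function code"
    return "ok"

def application_level_check(frame):
    """Adds process semantics: is the commanded value operationally safe?"""
    verdict = protocol_level_check(frame)
    if verdict != "ok":
        return verdict
    f = parse_frame(frame)
    if f["function"] == 0x06 and len(f["data"]) == 4:  # Write Single Register
        addr, value = struct.unpack(">HH", f["data"])
        if addr in SETPOINT_LIMITS:
            lo, hi = SETPOINT_LIMITS[addr]
            if not lo <= value <= hi:
                return f"alert: set point 0x{addr:04X}={value} outside {lo}..{hi}"
    return "ok"

# Constructed frames: a normal set point write and a well-formed but unsafe one.
NORMAL_WRITE = build_frame(1, 1, 0x06, struct.pack(">HH", 0x0010, 80))
UNSAFE_WRITE = build_frame(2, 1, 0x06, struct.pack(">HH", 0x0010, 65535))
```

Both frames pass the protocol-level check; only the application-level check raises an alert for the second one.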

2.2.2 SCADA Application-Based