JDFSL V9N2 Accurate Modeling of the Siemens S7 SCADA ...
SCADA systems were originally designed for serial communications, and were built on the premise that all the operating entities would be legitimate, properly installed, perform the intended logic and follow the protocol. Thus, many SCADA systems have almost no measures for defending against deliberate attacks. Specifically, SCADA network components do not verify the identity and permissions of other components with which they interact (i.e., no authentication and authorization mechanisms); they do not verify message content and legitimacy (i.e., no data integrity checks); and all the data sent over the network is in plaintext (i.e., no encryption to preserve confidentiality). Therefore, deploying an Intrusion Detection System (IDS) in a SCADA network is an important defensive measure.
The Siemens S7 is one of the leading protocols used in SCADA networks. Siemens S7 Programmable Logic Controllers (PLCs) (Siemens, 2014) are estimated to have over 30% of the worldwide PLC market (Electrical Engineering Blog, 2013). The platform is so popular that other companies (e.g., (VIPA - A Yaskawa company, 2014)) offer compatible PLCs.
1.2 Related Work
Since the S7 protocol is proprietary, there is little published information about attacks against it. An exception is the work of (Beresford, 2011). The author showed that the standard S7 protocol is neither encrypted nor authenticated; it is susceptible to spoofing, session hijacking, Denial of Service (DoS) attacks, and other attacks. Gaining access to the control network gives the attacker full access to the PLCs and allows attacks against the engineering workstation as well.
(Zhu, Joseph, & Sastry, 2011) evaluated several SCADA-specific Network Intrusion Detection Systems (NIDSs), but they mentioned that, to the best of their knowledge, none of the surveyed systems had been tested on a real operational SCADA network. Due to the lack of access to production ICS networks, many works deal with the issue of building a SCADA testbed that enables experiments for checking vulnerabilities and validating security solutions (Genge, Siaterlis, Nai Fovino, & Masera, 2012; Hahn et al., 2010; Mallouhi, Al-Nashif, Cox, Chadaga, & Hariri, 2011). In contrast, one of the important aspects of our work is that the intrusion detection approach is evaluated using real traffic from production SCADA networks.
(Yang, Usynin, & Hines, 2006) used an Auto Associative Kernel Regression (AAKR) model and applied it on a SCADA system looking for matching patterns. The AAKR model used numerous indicators, representing network traffic and hardware-operating statistics, to predict the normal behavior. Hence, this model needs to monitor different indicators for different intrusion methods, and must manage a large number of potentially valuable variables.
Several recent studies (such as (Atassi, Elhajj, Chehab, & Kayssi, 2014) and (Chen, Hsiao, Yang, & Ou, 2013)) suggest anomaly-based detection for SCADA systems that is based on Markov chains. However, (Ye, Zhang, & Borror, 2004) showed that although the detection accuracy of this technique is high, the number of false positives is also high, as it is sensitive to noise.
(Hadziosmanovic, Bolzoni, Hartel, & Etalle, 2011) used the logs generated by the control application running on the HMI to detect anomalous patterns of user actions on the process control application. The focus of this work was on the threats that can be triggered by a single user action. The authors acknowledged that “an attacker could manipulate logs by sending false data to the control application”. This model is also susceptible to replay attacks.
(Barbosa, Sadre, & Pras, 2012) studied the periodicity characteristics of SCADA traffic. They measured dominant periods of between 1 and 60 seconds in their datasets. They also observed changes in the baseline patterns of the SCADA traffic they collected, which they related to the start (or end) of non-periodic high-throughput flows. They speculated that these changes are due to changes in the controlled environment, such as water tanks becoming full and pipes being closed.
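The periodicity measurement described above can be illustrated with a small worked example. The following Python script is an added illustration and is not code from this paper or from (Barbosa, Sadre, & Pras, 2012); the autocorrelation-based period search, the sliding-window baseline comparison, and the polling trace it runs on are all assumptions made here for the example (the trace is constructed, not a real S7 capture). It bins packet timestamps into a count series, picks the lag in the 1 to 60 second range with the strongest autocorrelation as the dominant period, and then flags windows whose dominant period departs from the one learned in the first window, which is the kind of baseline change the paragraph describes.

```python
import math
import random


def bin_counts(timestamps, bin_size):
    """Bin packet timestamps (seconds) into a fixed-resolution count series,
    starting at the earliest timestamp. round() keeps jittered polls in the
    same bin as their nominal slot."""
    t0 = min(timestamps)
    n_bins = round((max(timestamps) - t0) / bin_size) + 1
    counts = [0] * n_bins
    for t in timestamps:
        counts[round((t - t0) / bin_size)] += 1
    return counts


def dominant_period(timestamps, bin_size=0.1, min_period=1.0, max_period=60.0):
    """Return (period_seconds, score): the lag between min_period and
    max_period with the strongest normalized autocorrelation of the binned
    count series. Returns None if the trace is empty, constant, or shorter
    than min_period."""
    if not timestamps:
        return None
    counts = bin_counts(timestamps, bin_size)
    mean = sum(counts) / len(counts)
    x = [c - mean for c in counts]            # mean-centre so idle bins do not dominate
    var = sum(v * v for v in x)
    lo = round(min_period / bin_size)
    hi = min(round(max_period / bin_size), len(x) - 1)
    if var == 0 or lo > hi:
        return None
    best_lag, best_score = None, -math.inf
    for lag in range(lo, hi + 1):
        score = sum(x[i] * x[i + lag] for i in range(len(x) - lag)) / var
        if score > best_score:
            best_lag, best_score = lag, score
    return round(best_lag * bin_size, 6), best_score


def flag_baseline_changes(timestamps, window=60.0, origin=0.0, tolerance=0.25, **kw):
    """Slide fixed windows over the trace starting at `origin`, learn the
    dominant period from the first window that yields one, and return
    (baseline, [(window_start, period), ...]) for every later window whose
    period deviates from the baseline by more than `tolerance` (relative)."""
    baseline, flagged = None, []
    w_start = origin
    end = max(timestamps) if timestamps else origin
    while w_start <= end:
        w_ts = [t for t in timestamps if w_start <= t < w_start + window]
        result = dominant_period(w_ts, **kw)
        if result is not None:
            period = result[0]
            if baseline is None:
                baseline = period
            elif abs(period - baseline) > tolerance * baseline:
                flagged.append((w_start, period))
        w_start += window
    return baseline, flagged


def build_trace():
    """Constructed sample trace (not real S7 capture data): one poll every
    2 s for 120 s with +/-20 ms jitter, then one poll every 5 s for the
    next 120 s, standing in for a change in the controlled process."""
    rng = random.Random(7)                    # fixed seed keeps the example reproducible
    trace = [2.0 * i + rng.uniform(-0.02, 0.02) for i in range(60)]
    trace += [120.0 + 5.0 * k + rng.uniform(-0.02, 0.02) for k in range(24)]
    return trace


if __name__ == "__main__":
    trace = build_trace()
    print("dominant period of the first 60 polls:", dominant_period(trace[:60]))
    baseline, flagged = flag_baseline_changes(trace)
    print("baseline period:", baseline, "windows with a changed period:", flagged)
```

On the constructed trace the first half is identified as a 2.0 s period and the two windows after the 120 s mark are flagged with a 5.0 s period. The 0.1 s bin size bounds how precisely a period can be resolved, and the window length must cover several periods of the slowest poll of interest; on real traffic the search should be run per flow (source, destination, function), since mixing flows with different periods blurs the autocorrelation peak.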
(Cheung et al., 2007) designed a model-based
Page 38 © 2014 ADFSL