Professional Documents
Culture Documents
net/publication/254051771
A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII
Industrial Control Systems
CITATIONS READS
88 1,354
3 authors, including:
Thomas Morris
University of Alabama in Huntsville
78 PUBLICATIONS 1,959 CITATIONS
SEE PROFILE
All content following this page was uploaded by Thomas Morris on 16 October 2014.
RTU
classifiers can be used to build the statistical model,
Gateway
PC
including neural networks, linear methods, regres- MTU
PC
sion models, and Bayesian networks. There are two
Historian
types of inaccuracies in intrusion detection systems:
false positives and false negatives. False positives RTU
= serial Snort node
generate a false alarm when there is no intrusion,
electronic
while false negatives miss an actual intrusion. False =
security perimeter
positives may lead to dropping a valid communica-
Figure 1. Example industrial control system commu-
tion packet which can have catastrophic results on an nications architecture
industrial control system. Snort uses pattern match- The diagram in Figure 1 includes 4 networked
ing to deterministically detect rule violations. Cor- devices HMI, MTU, Historian, and RTU. Often mul-
rectly formed rules will not generate false positives. tiple kinds of communication links are used within
Because Snort is deterministic, validated rules may an industrial control system. In the example net-
be used with Snort in intrusion prevention mode; a work, the security gateway connects to the HMI host
mode which drops illegal network packets. and the historian via an Ethernet link. The HMI host
is connected to the MTU via a RS-232 serial link.
3. Industrial control system overview The MTU communicates with the RTU via an RS-
232 or RS-485 serial link. The MTU to RTU link
Industrial control systems are distributed cyber- includes a proprietary radio link. Radio links are
physical systems. Figure 1 shows an example of a often used to connect device over distance without
typical industrial control system. Remote terminal the need to install a wired link. The HMI to MTU
units are connected to sensors and actuators to inter- and the MTU to RTU links use the MODBUS RTU
face directly with the controlled physical system. or MODBUS ASCII protocol. The system dia-
RTU store control parameters and execute algorith- gramed in Figure 1 matches control systems in the
2339
MSU SCADA Security Laboratory which includes network will back off and wait to transmit until the
multiple industrial control systems using commercial offender stops transmitting. In practice such an attack
hardware and software and laboratory scale function- stops communication between the MTU and RTU.
al physical process from various critical industries. This causes the HMI to no longer update with fresh
There are many variations on the system shown physical process measurements and causes the opera-
in Figure 1. Contemporary systems often replace the tor to see stale process measurements. Without an
serial links with Ethernet links. Many types of wire- intrusion detection system the operator may not
less links and many application layer protocols are know that an attack is in progress. The only symp-
available. tom is that HMI inputs seem to have no affect on the
This article describes a Snort based intrusion de- controlled process. This attack may be executed via
tection and prevention system for serial based continuous transmission of invalid data such as
MODBUS networks (MODBUS RTU and MOD- streams of random numbers, or as continual trans-
BUS ASCII). MODBUS was chosen for initial de- mission of otherwise valid MODBUS traffic. In ei-
velopment because of its prevalence in industrial ther case Snort rules can be used to detect the attack.
control systems. The methods described in this ar- Such a rule can be based upon packet length, such as
ticle can be extended to support other communica- exceeding MODBUS/TCP maximum length, or on
tion protocols which also use serial communication. the volume of traffic in a given time frame. The
Quickdraw tool includes a Snort rule to detect pack-
4. Detecting attacks against industri- ets of illegal length. MODBUS RTU/ASCII Snort
al control systems times out on continuous transmission of greater than
300 bytes and transmits the captured traffic as a
TCP/IP packet to allow Snort to detect the large con-
Four types of attacks against industrial control
tinuous streams of data.
system communication networks are denial of ser-
The network stack implemented in MODBUS
vice, response injection, command injection, and
MTU and RTU devices may not be sophisticated
reconnaissance attacks.
enough to handle receipt of malformed communica-
Denial of Service (DOS) attacks attempt to break
tion traffic. Some devices will reset themselves or
the communication link between the remote terminal
hang when a malformed packet is received. This
and master terminal or human machine interface.
problem has been recognized by many equipment
Breaking the communication link between master
vendors and contemporary devices often include
terminal or human machine interface and the remote
more robust network stacks. However, many serial
terminal breaks the feedback control loop and makes
systems in existing control systems are legacy devic-
process control impossible. DOS attacks take many
es with no support for malformed packet checks. The
forms. Many DOS attacks attempt to overwhelm
Quickdraw tool [6] includes a Snort rule to detect
hardware or software on one end of a communication
non MODBUS/TCP traffic on the network. That
link so that it is no longer responsive. Other DOS
particular rule checks a field which is not used in
attacks send ill timed or malformed network packets
MODBUS RTU/ASCII protocols and therefore this
which cause errors in a remote device’s network
rule is not applicable for these protocols. However,
stack and cause the remote device to become unres-
the length check rules described above serves as a
ponsive.
minimal malformed packet check. Also, some mal-
MODBUS devices include configuration settings
formed packets are possible with MODBUS
to allow operators to remotely force a RTU into lis-
RTU/ASCII protocols. For example, only addresses
ten only mode, remotely restart communications, and
in the range 0-247 are allowed in a field which can
remotely clear RTU counters and diagnostic regis-
hold numbers greater than 247. A Snort rule could
ters. Each of these features can be used by an attack-
check for a packet with an illegal address. Many oth-
er to execute a denial of service attack. The Quick-
er rules related to detecting malformed packets are
draw tool [6] includes Snort rules to detect these con-
possible.
figuration exploits. With MODBUS RTU/ASCII
RTU and PLC control algorithms often perform
Snort MODBUS serial based control systems can
mathematical computations on device measurements.
also be protected against these threats.
When such computations include the division opera-
In [5] Reaves et al. discuss how to discover and
tion care must be taken to ensure the denominator is
connect to a proprietary SCADA radio used to form
never zero to avoid divide by zero exceptions. Many
the MTU to RTU communication link (such as
RTU halt the running program when a divide by zero
shown in Figure 1). This penetration enables an at-
exception occurs. Halting the program in turn stops
tacker to execute a denial of service attack against
process control until the program is restarted. Snort
industrial control systems. The industrial radio used
rules can be used to prevent RTU coils and registers
to demonstrate this attack uses a carrier sense and
from being remotely loaded with values which will
back off arbitration scheme to regulate slave device
lead to a divide by zero exception. Such rules are
wireless transmissions. If a single device continually
transmits without breaks other slave radios in the
2340
specific to the controlled process and cannot be gene- alerts for packets larger than legal MODBUS packets
ralized. would detect this attack.
A device which has been attacked may exhibit Control systems often read measurement values
symptoms of the attack by continually reporting that such as pipe pressure, voltage, or current. Often
it is busy when queried. The Quickdraw tool includes these values are transmitted in fields of a type which
Snort rules to detect excessive device busy responses can hold values which are physically impossible
and acknowledge exception code responses. The measurements. For instance, floats can hold negative
fields used for these rules are also used for MOD- numbers; however, a pipeline pressure can never be
BUS RTU and MODBUS ASCII systems and there- negative. Other measurements may have legal
fore can be used to detect similar symptoms with ranges which correspond to the physical properties of
serial MODBUS control systems. a specific system. In both cases, Snort rules can be
Response injection attacks inject false responses developed to alert when measurements fall outside
into a control system. Since control systems rely on predefined ranges.
feedback control loops which monitor physical Command injection attacks inject false control
process data before making control decisions, pro- and configuration commands into a control system.
tecting the integrity of the sensor measurements is Control injection can be classified into 2 categories.
critical. False response injection can be used by First, human operators oversee control systems and
hackers to cause control algorithms and operators to occasionally intercede with supervisory control ac-
make misinformed decisions. tions, such as opening a breaker. Hackers may at-
In a MODBUS RTU or MODBUS ASCII net- tempt to inject false supervisory control actions into
work the MTU regularly queries the RTU to read a control system network. Second, remote terminals
registers associated with the physical process state. and intelligent electronic devices are generally pro-
In normal operation the RTU responds to the MTU grammed to automatically monitor and control the
queries with data from the requested registers. If two physical process directly at a remote site. This pro-
responses to a single query are received the MTU gramming takes the form of ladder logic, C code, and
accepts the first received response and rejects subse- registers which hold key control parameters such as
quent responses. The proprietary wireless vulnera- high and low limits gating process control actions.
bility described in [5] (and mentioned above) can be Hackers can use command injection attacks to over-
exploited to eavesdrop on MTU to RTU communica- write ladder logic, C code, and remote terminal regis-
tions and to inject false RTU to MTU communica- ter settings.
tion packets. This exploit can be used to inject falsi- System specific rules can be developed to block
fied MODBUS response packets after a query is is- commands not supported for a given control system.
sued. The attacker monitors the radio network for MODBUS supports RTU addresses in the range 0-
MODBUS queries. If the attacker’s falsified re- 247; however, most control systems will use a small
sponse arrives at the MTU before the valid response, portion of this allowed set. MODBUS supports func-
the false response is accepted. Responding faster tion codes in the range 0 to 255. Many function
than the RTU can be achieved in two ways. First, the codes are reserved for common functions, while oth-
attacker can take advantage of the periodic nature of ers are available for custom functions. Finally,
MTU queries and queue a false response before the MODBUS read and write calls include a start ad-
MTU query transmission completes. In this case a dress, within RTU memory, and the number of
Snort rule can be developed to alert when multiple (bytes, coils, inputs) to be read or written. Snort
MODBUS responses are received with the same ad- rules can be developed to detect unsupported RTU
dress and same function code within a time period to addresses, unsupported function codes, and unsup-
small to normally receive 2 responses. Two res- ported read/write address and size combinations.
ponses in less than the normal query period would RTU often have registers which hold system set-
indicate an attack. points; such as target measurement values for a PID
In a second version of this attack there is only scheme, limits to generate a system alarm, or limits
one response because the attacker stops all transmis- to generate on/off control actions. Snort rules can be
sions from the radio connected to the legitimate RTU developed to detect invalid register values which
via the continuous transmission DOS attack men- may cause incorrect or unsafe process functionality.
tioned above. The attacker inserts the falsified Reconnaissance attacks allow cyber attackers to
MODBUS response within the continuous stream of reconnoiter a system before attacking. For example,
DOS traffic. The proprietary radio network ex- NMAP is used to identify connected systems and
ploited for these attacks uses slotted communications then finger print the system. Finger printing allows
with dedicated slots for MTU to RTU communica- an attacker to learn which ports are open, the identity
tion and RTU to MTU communication. The MTU and version of the remote operating system, and the
continues to query the RTU during the DOS attack. identity and version of remote network stack dae-
In this case, the Snort rule mentioned above which mons. With this information the attacker can plan a
more effective attack. MODBUS systems can be
2341
scanned to learn connected RTU addresses, sup- RTU transactions and the LRC for MODBUS ASCII
ported function codes of connected RTU, and sup- transactions.
ported address ranges of MODBUS inputs and coils.
MODBUS RTU/ASCII PROTOCOL DATA UNIT (PDU)
Quickdraw includes rules for detecting function code
ADDR FC PAYLOAD CRC/LRC
scans and scans to learn supported address ranges of
MODBUS inputs and coils. These rules also apply to
MODBUS/TCP APPLICATION DATA UNIT (ADU)
MODBUS RTU and MODBUS ASCII systems. MBAP
FC PAYLOAD
MODBUS RTU/ASCII Snort places the MODBUS HEADER
RTU/ASCII RTU address value in the MOD-
MBAP HEADER
BUS/TCP Unit Identifier field. This allows rules to TRANSACTION PROTOCOL UNIT
LENGTH
be developed to detect RTU address scans. IDENTIFIER IDENTIFIER IDENTIFIER
The vulnerabilities, exploits, and associated rules
Figure 2. MODBUS RTU/ASCII to MODBUS TCP/IP
described in this section are relevant for MODBUS conversion
and other serial port protocols. Snort can be used for
intrusion detection and prevention on systems using The MODBUS/TCP application data unit (ADU),
other serial port protocols as well. shown in Figure 2 includes a MBAP header, a func-
tion code (FC), and payload. The MBAP header
5. MODBUS RTU/ASCII Snort im- includes a transaction identifier, a protocol identifier,
plementation a length field, and a unit identifier. The transaction
identifier is a unique number for each MOD-
MODBUS RTU/ASCII Snort is software devel- BSUS/TCP query and response pair. The protocol
oped to allow Snort to monitor and analyze MOD- identifier is a 2 byte field to identify the protocol
BUS RTU and MODBUS ASCII traffic. The soft- encapsulated. Currently only one value is supported,
ware can run on an existing PC connected to the seri- 0, which indicates MODBUS. The length field indi-
al link, such as on the PC hosting the human machine cates the length of the MODBUS ADU after the
interface software. The software can also be run on length field, i.e. the length of the unit identifier, the
single board industrial computers and placed in an function code, and the payload. The unit identifier
inline or tap configuration to monitor MODBUS field is a 1 byte field to provide a unique ID for each
traffic. MODBUS RTU/ASCII Snort is a retrofit connected slave device. The function code and payl-
device intended to add Snort intrusion detection and oad in the MODBUS/TCP ADU are the same as the
prevention capabilities to previously installed function code and payload in the MODBUS
MODBUS RTU/ASCII control systems. RTU/ASCII PDU.
Snort can be run in passive or inline mode. In Converting a MODBUS RTU/ASCII PDU to
passive mode Snort analyzes traffic for matches MODBUS/TCP ADU requires a few steps. MOD-
against a predefined set of rules. Packets which BUS RTU/ASCII transactions are captured separate-
match rules are logged for review off line by a net- ly from the MTU and RTU. Transactions which
work or system administrator. In inline mode Snort originate from the MTU are queries and transactions
acts an intrusion prevention system. Special rules, which originate from the RTU are responses. The
drop rules, are used to detect network traffic which capture tool at the MTU keeps a linear count of que-
should be dropped. ries. This value is placed in the ADU MBAP header
MODBUS RTU/ASCII Snort captures MODBUS transaction identifier field of the MODBUS/TCP
RTU and MODBUS ASCII network traffic using an query. The capture tool at the RTU keeps the last
existing retrofit data logger [12]. Captured traffic is transaction identifier received from the MTU and
converted to MODBUS TCP/IP and transmitted over places it in the response ADU. The protocol identifi-
a closed virtual Ethernet network to allow Snort to er field is always 0. The ADU length is calculated
capture the traffic. Snort parses the captured traffic by adding the payload length and the unit identifier
to detect rule matches. Rule matches lead to logging length (1 byte) and the function code length (1 byte).
and or dropping of packets. The MODBUS RTU/ASCII address (ADDR) is
placed in the MODBUS/TCP unit identifier field.
5.1 MODBUS RTU/ASCII to MODBUS The function code and payload from the MODBUS
TCP/IP Conversion RTU/ASCII PDU are copied to the same fields in the
MODBUS/TCP ADU. The MODBUS RTU/ASCII
Figure 2 shows the contents of MODBUS RTU CRC/LRC fields are not used in the MODBUS/TCP
and MODBUS ASCII protocol data units (PDU). ADU. The TCP CRC is used for error checking in
The PDU contains a slave address (ADDR), a func- MODBUS/TCP. The ADU is encapsulated in a TCP
tion code (FC), a payload, and a cyclic redundancy packet for transmission over an Ethernet TCP/IP
check (CRC) or linear redundancy check (LRC) network.
check sum value. The CRC is used for MODBUS
2342
5.2 MODBUS RTU/ASCII Snort software second Ethernet links are approximately 1000 times
components faster than common serial link speeds. The differ-
ence is more dramatic for gigabit Ethernet.
After conversion from MODBUS RTU/ASCII to A laboratory scale gas pipeline control system
MODBUS/TCP, packets are transmitted over an was used to measure the delay added by the Snort
Ethernet network for Snort to capture and analyze. host in inline mode. Latency added by the Snort host
MODBUS RTU/ASCII Snort uses two virtual ma- averaged 3.5 milliseconds per byte when operated at
chines. One virtual machine (VM1 in Figure 3) cap- 9600 bits per second. For the maximum length
tures MODBUS RTU/ASCII traffic from the MTU MODBUS RTU packet (256 bytes) this equates to
or upstream direction. The second virtual machine 903 milliseconds added latency. The acceptability of
(VM2 in Figure 3) captures MODBUS RTU/ASCII this value depends upon the polling rate of the HMI
traffic from the RTU or downstream direction. Cap- in a control system and is a system specific decision.
tured traffic is converted to MODBUS/TCP and then
transmitted from one virtual machine to the other. In
passive mode, VM1 runs Snort to capture and ana-
lyze the traffic. In inline mode Snort is run on both MTU VM1 VM2 RTU
virtual machines to enable drop rules to supervise snort host
traffic from either direction.
MODBUS TCP/IP
MODBUS RTU/ASCII
Figure 4. MODBUS RTU/ASCII Snort inline configu-
ration
VM1 VM2
A significant speedup is available for the inline
configuration by leveraging the YASIR method [13].
snort host YASIR forwards bytes of a MODBUS packet
through an intermediate node while simultaneously
MTU RTU performing computations to make a pass or drop
MODBUS TCP/IP decision. Passed packets receive the benefit of the
MODBUS RTU/ASCII parallel decision and transmit logic. Dropped packets
Serial Tap Cable are not dropped but sabotaged by intentionally alter-
Figure 3. MODBUS RTU/ASCII Snort passive (tap) ing the CRC or LRC to cause the MODBUS ap-
configuration pliance receiving the packet to ignore it. This me-
thod offers a significant speed-up over a traditional
In the passive configuration a serial tap cable is store and forward solution.
used to capture traffic. Serial tap cables typically
sample the RX pin of an RS-232 cable but do not 5.3 MODBUS RTU/ASCII Snort placement
include a TX pin and therefore cannot transmit. Fig- within a MODBUS RTU/ASCII Network
ure 3 shows a passive configuration. The MTU’s RX
pin is provided to VM1 and the RTU’s RX pin is MODBUS RTU/ASCII Snort can be placed in
provided to VM2. The passive configuration has the multiple locations within the control system network.
advantage of not adding delay to the packet transmis-
sion time from MTU to RTU. However, the passive MTU
Snort RTU
Host
configuration can only monitor transmissions, it can-
not block transmissions.
Outstation
Figure 4 shows a MODBUS RTU/ASCII Snort
HMI HOST
host in an inline configuration. In the inline configu-
HMI
ration MODBUS RTU/ASCII traffic is captured by Snort Snort
MTU
the first virtual machine, transmitted over Ethernet to Snort Host Host
Host
the second virtual machine, and then forwarded to
the endpoint by the Snort host. Placing the Snort host
VIRTUAL
inline adds the ability to drop traffic at the cost of SERIAL PORT Control Room
additional transmission delay. MODBUS Figure 5. MODBUS RTU/ASCII Snort placement op-
RTU/ASCII systems typically operate between 1200 tions
bits per second and 19200 bits per second (bps). The Figure 5 shows Snort host placement in the out-
increased delay associated with the inline configura- station (at the RTU) and in the control room. In all
tion is dominated by the delay associated with stor- cases Figure 5 shows the Snort hosts in an inline
ing and forwarding a packet at serial port speeds. configuration. A passive tap configuration is also
The Ethernet transmission delay has only a second supported. A passive tap configuration is shown in
order impact. This is true because 10 megabit per Figure 3.
2343
At the outstation a Snort host can be used to cap- queries and responses through MODBUS
ture and analyze MODBUS traffic before it is re- RTU/ASCII Snort. All 11 rules functioned correctly.
ceived by the RTU. The Snort host at the outstation
can monitor traffic for illegal configuration com- 6. Future Works
mands sent to the RTU, illegal values written to set-
point registers, and attempts to overwrite device The Quickdraw rules mentioned above represent
firmware. Intrusion traffic may originate at a com- a good start for rules for industrial control systems.
promised HMI host, MTU device, or from a device Additional rules sets should be developed which per-
which has penetrated the radio network between the form deep packet inspection to confirm control sys-
MTU and RTU. tem setpoints are within legal ranges. Denial of ser-
Figure 5 shows three potential locations for vice and false response injection vulnerabilities asso-
MODBUS RTU/ASCII Snort in the control room. ciated with the radio attack described in [5] were
First, a Snort host may be added as a virtual device discussed in section 4. A snort rule should be written
on the existing computer which hosts the human ma- to detect the presence of multiple responses asso-
chine interface software. Second, a Snort host may ciated with the same query to detect an exploit re-
be added on a standalone platform between the HMI lated to the false response injection vulnerability.
host and the MTU. Finally, a Snort host may be In addition to rules development, a YASIR like
added on a standalone platform between the MTU speed-up for MODBUS RTU/ASCII Snort inline
and the radio link. Each location offers different configuration would significantly improve the feasi-
intrusion detection/prevention capabilities. All three bility of using the system as an intrusion prevention
locations can capture traffic from the RTU(s) and system.
any intruders on the radio network between the MTU Finally, MODBUS RTU/ASCII Snort was devel-
and RTU(s). Both the Snort hosts between the HMI oped for MODBUS only. However the technology is
and the MTU can capture traffic from a compro- applicable to DNP3 and other serial based industrial
mised HMI before the traffic reaches the MTU. The control system technologies. The tool should be ex-
Snort hosts between the HMI and MTU are redun- tended for other protocols to demonstrate its flex-
dant and only one of the two is required. The choice ibility.
of which to use, a virtual or standalone host, will
primarily be made on cost and HMI host perfor-
mance capabilities. The Snort host between the
7. Conclusions
MTU and the radio link can capture traffic from a
compromised HMI or MTU before it is transmitted MODBUS RTU/ASCII Snort is software to retro-
to the RTU. The Snort host between the MTU and fit serial based industrial control systems to add
the radio link cannot protect the HMI from traffic Snort intrusion detection and intrusion prevention
from a compromised MTU. In summary, one Snort capabilities. Such a system is motivated by the exis-
host between the HMI and MTU and one Snort host tence of worms such as Stuxnet, which has been
between the MTU and radio link provide the most shown to have altered remote terminal unit firmware
intrusion detection/prevention coverage. over the communication link between a human ma-
chine interface (HMI) host and the remote terminal
unit, after compromising the HMI host. Additional-
5.4 MODBUS RTU/ASCII Snort validation ly, industrial radios used to wirelessly extend serial
links in many critical industries have been shown to
MODBUS RTU/ASCII Snort was validated using be vulnerable to intrusions [5]. MODBUS
rules available from Digital Bond, Inc. in their RTU/ASCII Snort converts MODBUS traffic on a
Quickdraw software package [6]. serial link to Ethernet TCP/IP traffic and transmits it
The Quickdraw tool includes 14 Snort rules for on a closed private network to enable Snort based
MODBUS/TCP implementations. Some rules found intrusion and intrusion prevention features. MOD-
in the Quickdraw tool do not apply to MODBUS BUS RTU/ASCII Snort was validated in simulation
RTU and MODBUS ASCII systems. Quickdraw and in the laboratory with industrial control systems
includes two rules to detect reads and writes from which use commercial hardware and software to con-
unsupported master IP addresses. Since MODBUS trol laboratory scale fully functional physical
RTU and MODBUS ASCII do not have a source IP processes.
address these rules do not apply. Quickdraw also
includes a rule to confirm the value of the MOD-
BUS/TCP Protocol Identifier field is 0. This field 8. References
also does not exist in MODBUS RTU and MODBUS
[1] North American Electric Reliability Corporation.
ASCII and therefore the rule does not apply.
Standard CIP–005–4a - Cyber Security - Electronic
The other 11 rules were tested by developing a Security Perimeter(s). January 2011.
program to send illegal MODBUS RTU and ASCII http://www.nerc.com/files/CIP-005-4a.pdf
2344
[2] Caswell, B. Bealeand, J., Foster, J. and Faircloth, J. ternational Conference on Technologies for Homel-
“Snort2.0 Intrusion Detection,” Syngress, Feb. 2003. and Security. Waltham, MA. May 11-12, 2009.
[3] O'Murchu, L. Last-minute paper: An indepth look into [9] Valdes, A., Cheung, S. Intrusion Monitoring in
Stuxnet. The 20th Virus Bulletin International Confe- Process Control Systems. Proceedings of the 42nd
rence. September 29 – October 1, 2010, Vancouver, Hawaii International Conference on System Sciences.
BC, Canada. 2009.
[4] Falliere, N., Murchu, L., Chien, E., W32.Stuxnet Dos- [10] Rrushi, J., Kang, K., Detecting Anomalies in Process
sier, Version 1.3. Symantec Security Repsonse. No- Control Networks. IFIP International Federation for
vember 2010. http://tinyurl.com/36y7jzb Information Processing 2009.
[5] Reaves, B., Morris, T. Discovery, Infiltration, and [11] Gao, W., Morris, T., Reaves, B., Richey, D. On
Denial of Service in a Process Control System Wire- SCADA Control System Command and Response In-
less Network. IEEE eCrime Researchers Summit. Oc- jection and Intrusion Detection, in the Proceedings of
tober 20-21, 2009. Tacoma, WA 2010 IEEE eCrime Researchers Summit. Dallas, TX.
[6] Peterson, D. "Quickdraw: Generating Security Log Oct 18-20, 2010.
Events for Legacy SCADA and Control System De- [12] Morris, T., Pavurapu, K. A Retrofit Network Transac-
vices," Conference for Homeland Security, 2009. tion Data Logger and Intrusion Detection System for
CATCH '09. Cybersecurity Applications & Technol- Transmission and Distribution Substations, in the
ogy , vol., no., pp.227-229, 3-4 March 2009 Proceedings of 2010 IEEE International Power and
[7] Roosta, T. Nilsson, D., Lindqvist, U. Valdes, A. An Energy Conference. Kuala Lumpur, Malaysia. Nov
intrusion detection system for wireless process control 29, 2010.
systems. 5th IEEE International Conference on Mo- [13] Patrick P. Tsang, Sean W. Smith: YASIR: A Low-
bile Ad Hoc and Sensor Systems, pp866-872, Atlanta, Latency, High-Integrity Security Retrofit for Legacy
GA, 2008. SCADA Systems. SEC 2008: 445-459.
[8] Cheung, S., Valdes, A. Communication Pattern Ano-
maly Detection in Process Control Systems. IEEE In-
2345