
MATEC Web of Conferences 173, 01011 (2018) https://doi.org/10.1051/matecconf/201817301011
SMIMA 2018

Behavior Based Anomaly Detection Model in SCADA System


Xiaojun Zhou1,2, Zhen Xu1, Liming Wang1, Kai Chen1, Cong Chen1,2, Wei Zhang1,2
1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, 100195 E-park C1 North, No. 80 Xingshikou Road, Haidian District, Beijing, China
2 School of Cyber Security, University of Chinese Academy of Sciences, 100049 No. 19(A) Yuquan Road, Shijingshan District, Beijing, P.R. China

Abstract. With the arrival of Industry 4.0, more and more industrial control systems are connected to the outside world, which brings great convenience to industrial production and control but also introduces many potential security hazards. After analysing a large number of attack cases, we found that attacks on SCADA systems can be divided into internal attacks and external attacks, and that both types are inevitable. Traditional firewalls, IDSs and IPSs are not well suited to industrial control systems. We therefore propose behavior-based anomaly detection and build three baselines of normal behavior. Experiments show that with the proposed detection model we can quickly detect a variety of attacks on SCADA (Supervisory Control And Data Acquisition) systems.

1 Introduction

With the continuous development of industrial control systems and the introduction of the concepts of "Industry 4.0" and "Internet +", the industrial control system is no longer an isolated, closed operating environment. Instead, the control system has become a combination of communication technology, computer network technology and industrial control technology. It has gradually evolved into an open, intelligent and interactive system in order to improve production efficiency and support large-scale production. However, this is accompanied by a growing information-security risk. In 2010, the Stuxnet worm attacked the SIMATIC WinCC monitoring and SCADA systems of an Iranian nuclear facility[1], breaking the myth that a "closed" industrial control system is absolutely secure. The Duqu trojan, very similar to Stuxnet, mainly targets industrial control systems in order to steal confidential information[2]. Havex[3], malware that specifically targeted ICS/SCADA systems in 2014, was reported to be capable of disabling hydroelectric dams and overloading nuclear power plants; attackers used it against industrial systems in Europe and the United States. On December 23, 2015, the Ukrainian power grid was attacked in an APT campaign using BlackEnergy, and the systems eventually failed, resulting in a massive power outage[4].

The SCADA system, as the core control system of an ICS (industrial control system), faces the most serious security threats. After extensive analysis, we found that SCADA systems mainly face two types of attack, i.e. internal attacks and external attacks. At present, however, SCADA systems lack a really effective security protection method. Since attacks on SCADA systems are inevitable, we need to develop security methods that exploit the characteristics of the SCADA system itself. This paper therefore presents a security protection method based on entity behavior; the experimental results demonstrate its efficiency and effectiveness.

The structure of this paper is as follows. Section 2 describes the structure and characteristics of the SCADA system, analyzes the security threats it faces, and proposes a mechanism of security protection based on entity behavior. Section 3 details the security framework based on entity behavior and the role of each module, and analyzes the operating principle of each module. Section 4 uses experiments to validate the proposed entity-behavior framework. Section 5 concludes the paper and Section 6 outlines future work. Finally, we give our acknowledgements.

2 SCADA system model

The National Institute of Standards and Technology (NIST) defines and describes an industrial control system as follows: Industrial Control Systems (ICSs) is a collective term for a class of control systems used in industrial production that includes supervisory control and data acquisition (SCADA) systems, Distributed Control Systems (DCS), and other smaller control system configurations commonly found in the industrial sector and critical infrastructure, such as programmable logic controllers (PLCs). We now take a closer look at the SCADA system components.

* Corresponding author: [email protected]
© The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative Commons Attribution License 4.0 (http://creativecommons.org/licenses/by/4.0/).

2.1. SCADA system structure

A typical industrial network[5] is shown in Figure 1; it follows the Purdue Enterprise Reference Architecture.

Fig. 1. The architecture of SCADA system.

The complete industrial control system consists of six levels: enterprise system, business planning and logistics system, site manufacturing operations, area supervisory control, basic monitoring and control, and the physical process. Among them, the enterprise system and the business planning and logistics system are traditional IT systems that form the business information system of an enterprise. The remaining levels make up the on-site control system. The SCADA system is the core control system of the entire ICS. On the one hand, it controls and dispatches the underlying on-site control equipment according to the production instructions of the upper level; on the other hand, it monitors the production status of the industrial site in real time and collects statistics that provide feedback to the upper-level control.

2.2 Threat analysis of SCADA system

An industrial control system is a complex system involving a variety of computer and network technologies. At the computer operating-system level it comprises industrial control software, monitoring programs and database systems; at the network level it involves network protocols and packet-processing mechanisms. In addition, as industrial control systems are connected to external networks and to the open Internet, they have become an integral part of the Internet. The following describes the major security threats faced by the SCADA system.

Classified by their source, the security threats to industrial control systems mainly comprise external threats and internal threats (Figure 2). External threats are APT attacks, Trojans, malware, viruses, etc., which may be politically motivated or related to industrial espionage. Internal threats include disgruntled employees (including internal attacks and data breaches), employee misuse, software contractors, third-party integrators, and more. Because most industrial control systems lack the authentication and encryption mechanisms that would limit user activity, users have unfettered access to devices on the network and can even modify device configuration and operating parameters.

Fig. 2. Threats faced by SCADA system.

Typical incidents include the Maroochy Shire case in Australia: Vitek Boden, a former engineer of the plant's technology service provider, acted in deliberate retaliation after being dissatisfied with the renewal of his work contract, and a total of one million liters of untreated sewage were discharged directly into natural waterways through storm drains. In the United States, the Davis-Besse nuclear power plant was hit by the Slammer worm[6]: a supplier had provided application software to a server and established an unprotected T1 link behind the nuclear plant's network firewall, through which the worm entered the plant's network. In the automatic shutdown event at the Hatch nuclear power plant in the United States[7], an engineer installed a software update on a computer on the plant's business network (used to collect diagnostic data from the control network) that synchronized data between the business network and the control network; when the engineer restarted the computer, the synchronization program reset data in the control network, and the control system registered such a sudden drop in the reactor's water-storage reading that it automatically shut down the entire unit.

Fig. 3. Commands and operations will be reflected in entity behaviors.

In view of the many threats to industrial control, it is necessary to take effective security measures to ensure the safety, security


and stable operation of industrial control systems. We conclude that all these threats and attacks will be reflected in the behavior of devices (Figure 3). Since attacks on SCADA systems are inevitable, there is a need for a method that can detect attacks in time and avert attacks such as Stuxnet[8]. We therefore propose a behavior-based anomaly detection mechanism.

3 Framework for behavior-based anomaly detection mechanism

In this section we describe the model in detail. The framework is shown in Figure 4.

Fig. 4. The framework of behavior-based anomaly detection.

The basic anomaly detection steps are: information collection, unique entity determination, construction of three kinds of normal-behavior baseline from different dimensions, and use of the baselines for anomaly detection. Each step is described below.

3.1. Information collection

We employ passive information collection to avoid any possible interference with the system. The best solution is a transparent network tap on the ICS components. Passive recognition methods use PCAP files generated by tools such as Wireshark, or on-line sniffers, for data analysis. They inject no network traffic and do not respond to incoming messages, thus ensuring that ICS operations are not interrupted. In addition, not all network flow data is valuable. The pre-processing step filters out data unrelated to ICS network sessions and dirty data (such as TCP retransmissions, duplicate ACK packets, etc.). Five basic conversational features are extracted and their values encoded. The five basic conversational features are:
I. Source IP (S-IP)
II. Source port (S-Port)
III. Target IP (D-IP)
IV. Target port (D-Port)
V. Unit interval length (1s) (SegSize)
Then we use machine learning methods to process all the information.

3.2 Entity determination

In this step we want to identify each entity uniquely. A device fingerprint is a set of device-related data that uniquely characterizes a device. This information includes the device operating system, configuration information, operational behavior features, and more. Industrial control protocols (such as Modbus) generally provide query functions that can be used to collect such information. Moreover, conversations in industrial control systems are markedly stable and periodic, so industrial control devices can be fingerprinted from data sources such as network traffic characteristics and time-based interaction patterns.

We then determine the relationships between entities and infer the topology. Compared with the conventional Internet and corporate LANs, industrial control systems have inherent characteristics and limitations. First, industrial control devices generally have a longer life cycle than traditional IT systems; second, the industrial control system has a stable network topology; finally, the role of a single device in an industrial control system is usually unique, with fixed communication partners. Therefore, the network topology of the SCADA system can be reconstructed from the traffic in the SCADA system.

3.3 Baseline construction

After each communication object has been uniquely identified, and combining the topological relations among the entities, we can construct a normal behavior baseline for each entity in the SCADA system. The establishment of the normal behavior baseline has three aspects:
(1) Historical baseline. This rests on the notion that a device's role and function are relatively fixed, so today's behavior and historical behavior should be clearly similar. If the two are inconsistent, the behavior can be judged abnormal.
(2) Peer baseline. This analyzes the behavior of peer devices. Several devices in a SCADA system perform the same function. If there is a large difference in behavior between devices of the same type performing the same function, they can be judged abnormal.
(3) Partner baseline. This uses the feedback of the communication partner: if a machine suddenly bursts out with frequent query packets, it is considered abnormal.
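The collection and entity-determination steps of Sections 3.1 and 3.2 above, as an added example that is not the authors' code: it drops traffic outside ICS sessions, TCP retransmissions and duplicate ACKs from a constructed packet list, aggregates what remains into the five conversational features per 1 s interval, and reconstructs the master/field-device topology. The sample packets, the Modbus/TCP port and the rule that the side listening on the ICS port is the field device are assumptions made for the illustration.

```python
"""Passive collection of the five conversational features (Section 3.1) and
entity/topology inference from the resulting traffic (Section 3.2).

Added illustration, not the authors' code. The packet records below are
constructed by hand (no live capture); the Modbus/TCP port and the rule
"the side listening on the ICS port is the field device" are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

MODBUS_TCP_PORT = 502          # assumption: the captured ICS protocol is Modbus/TCP
ICS_PORTS = {MODBUS_TCP_PORT}
SEG_SIZE = 1.0                 # feature V: unit interval length in seconds


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp (s)
    sip: str      # feature I,   S-IP
    sport: int    # feature II,  S-Port
    dip: str      # feature III, D-IP
    dport: int    # feature IV,  D-Port
    seq: int      # TCP sequence number
    ack: int      # TCP acknowledgement number
    payload: int  # TCP payload length in bytes (0 for a pure ACK)


# Constructed capture: an HMI (10.0.0.10) polling two PLCs, with one
# retransmission, one duplicate ACK and one unrelated DNS query mixed in.
SAMPLE_PACKETS = [
    Packet(0.10, "10.0.0.10", 40001, "10.0.0.21", 502, 1000, 0, 12),
    Packet(0.12, "10.0.0.21", 502, "10.0.0.10", 40001, 5000, 1012, 9),
    Packet(0.30, "10.0.0.10", 40001, "10.0.0.21", 502, 1000, 0, 12),    # retransmission
    Packet(0.31, "10.0.0.21", 502, "10.0.0.10", 40001, 5009, 1012, 0),  # duplicate ACK
    Packet(0.50, "10.0.0.10", 40002, "10.0.0.22", 502, 2000, 0, 12),
    Packet(0.52, "10.0.0.22", 502, "10.0.0.10", 40002, 6000, 2012, 9),
    Packet(0.80, "10.0.0.10", 53001, "10.0.0.2", 53, 0, 0, 40),         # DNS, not an ICS session
    Packet(1.10, "10.0.0.10", 40001, "10.0.0.21", 502, 1012, 5009, 12),
    Packet(1.13, "10.0.0.21", 502, "10.0.0.10", 40001, 5009, 1024, 9),
]


def preprocess(packets):
    """Drop session-independent traffic, TCP retransmissions and duplicate ACKs."""
    seen_data = set()   # (flow, seq) of data-carrying segments already seen
    acked = {}          # flow -> highest acknowledgement number seen so far
    kept = []
    for p in packets:
        if p.sport not in ICS_PORTS and p.dport not in ICS_PORTS:
            continue                                   # not an ICS session
        flow = (p.sip, p.sport, p.dip, p.dport)
        if p.payload > 0:
            if (flow, p.seq) in seen_data:
                continue                               # retransmitted data segment
            seen_data.add((flow, p.seq))
        elif p.ack <= acked.get(flow, -1):
            continue                                   # pure ACK acknowledging nothing new
        acked[flow] = max(acked.get(flow, -1), p.ack)
        kept.append(p)
    return kept


def extract_features(packets):
    """Aggregate kept packets by (S-IP, S-Port, D-IP, D-Port, SegSize bin)
    into (packet count, payload bytes) per conversation and 1 s interval."""
    feats = defaultdict(lambda: [0, 0])
    for p in packets:
        key = (p.sip, p.sport, p.dip, p.dport, int(p.ts // SEG_SIZE))
        feats[key][0] += 1
        feats[key][1] += p.payload
    return {k: tuple(v) for k, v in feats.items()}


def infer_topology(packets):
    """Section 3.2: build the fixed communication graph and assign roles.
    Assumed rule: the side reached on the ICS port is a field device (PLC),
    the side that opens the connection to it is a master (HMI/SCADA server)."""
    roles, edges = {}, set()
    for p in packets:
        master, device = (p.sip, p.dip) if p.dport in ICS_PORTS else (p.dip, p.sip)
        roles[master] = "master"
        roles[device] = "plc"
        edges.add((master, device))
    return roles, sorted(edges)


def run_pipeline(packets=SAMPLE_PACKETS):
    kept = preprocess(packets)
    return extract_features(kept), infer_topology(kept)


if __name__ == "__main__":
    features, (roles, edges) = run_pipeline()
    for key, (pkts, nbytes) in sorted(features.items()):
        print(key, "->", pkts, "pkt,", nbytes, "B")
    print("roles:", roles)
    print("edges:", edges)
```

The duplicate-ACK rule is deliberately simple (a pure ACK that acknowledges nothing new); a real pre-processor would also drop out-of-order and zero-window probes, and the role rule needs a port list per protocol (e.g. 20000 for DNP3, 44818 for EtherNet/IP) rather than the single Modbus port assumed here.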


3.4 Anomaly detection

By building three behavioral baselines we can quickly discover anomalous behavior. Moreover, using historical data, the three baselines can be verified against each other horizontally and vertically, so as to ensure that the alarms generated are genuine and accurate, and to reduce the proportion of false positives and false negatives. The whole anomaly detection process is shown in Figure 5.

Fig. 5. Anomaly detection process.
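The three baselines of Section 3.3 and their cross-checking in Section 3.4, as an added example (not the authors' code) run over constructed per-interval query counts for four HMI masters. The z-score and ratio thresholds, the "at least two baselines must agree before an alarm" rule and all the numbers are assumptions made for this illustration.

```python
"""The three normal-behavior baselines of Section 3.3 and their cross-checking
in Section 3.4, run over constructed per-interval query counts.

Added illustration, not the authors' code. The threshold constants, the
"at least two baselines must agree" rule and the data below are assumptions
made for this example.
"""
import statistics

# Constructed data: queries per 1 s interval (the SegSize feature of Section 3.1)
# sent by four HMI masters. HISTORY holds ten past intervals per master,
# CURRENT the interval under inspection.
HISTORY = {
    "hmi-1": [10, 11, 10, 9, 10, 10, 11, 10, 10, 9],
    "hmi-2": [10, 10, 9, 11, 10, 10, 10, 9, 10, 11],
    "hmi-3": [12, 11, 12, 12, 11, 12, 13, 12, 11, 12],
    "hmi-4": [10, 9, 10, 10, 11, 10, 10, 9, 10, 11],
}
ROLES = {"hmi-1": "master", "hmi-2": "master", "hmi-3": "master", "hmi-4": "master"}
CURRENT = {"hmi-1": 10, "hmi-2": 60, "hmi-3": 16, "hmi-4": 10}
# Partner feedback: each PLC reports how many queries it received from its
# master in the current interval and the most it has ever seen from it.
PARTNER_REPORTS = {
    "plc-a": {"from": "hmi-1", "now": 10, "hist_max": 12},
    "plc-b": {"from": "hmi-2", "now": 60, "hist_max": 12},
    "plc-c": {"from": "hmi-3", "now": 16, "hist_max": 14},
    "plc-d": {"from": "hmi-4", "now": 10, "hist_max": 12},
}


def historical_flag(value, history, k=3.0):
    """(1) Historical baseline: z-score against the entity's own past intervals."""
    mu = statistics.mean(history)
    sd = statistics.pstdev(history) or 1.0    # guard against a constant history
    return abs(value - mu) / sd > k


def peer_flag(entity, current, roles, factor=2.0):
    """(2) Peer baseline: compare with the median of same-role devices.
    The median (not the mean) keeps one misbehaving peer from skewing the reference."""
    peers = [v for e, v in current.items() if e != entity and roles[e] == roles[entity]]
    if not peers:
        return False
    med = statistics.median(peers)
    return current[entity] > factor * med or current[entity] < med / factor


def partner_flag(entity, reports, factor=2.0):
    """(3) Partner baseline: the communication partner reports a query burst."""
    return any(r["from"] == entity and r["now"] > factor * r["hist_max"]
               for r in reports.values())


def detect(current, history, roles, reports):
    """Section 3.4: cross-check the baselines. One deviating baseline is only
    'suspicious'; an alarm needs agreement of at least two (assumed rule)."""
    result = {}
    for entity, value in current.items():
        votes = {
            "historical": historical_flag(value, history[entity]),
            "peer": peer_flag(entity, current, roles),
            "partner": partner_flag(entity, reports),
        }
        n = sum(votes.values())
        verdict = "alarm" if n >= 2 else "suspicious" if n == 1 else "normal"
        result[entity] = (verdict, votes)
    return result


if __name__ == "__main__":
    for entity, (verdict, votes) in detect(CURRENT, HISTORY, ROLES, PARTNER_REPORTS).items():
        print(f"{entity}: {verdict} {votes}")
```

With the constructed data, hmi-2 trips all three baselines and raises an alarm, while hmi-3 deviates only from its own history (16 queries against a usual 12) and is merely marked suspicious; that is the false-positive reduction the cross-check is meant to provide. The peer baseline is only as good as the role assignment from Section 3.2, and a fleet-wide change (a firmware update that alters polling rates everywhere) will pass the peer check while failing the historical one, so the votes should be reviewed, not just counted.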
4 Experimental verification

We now test the behavior-based anomaly detection model described above.

4.1. Fake attack

Because communication entities in SCADA systems are not authenticated, counterfeit (spoofing) attacks are common. We installed PLC simulation software on a laptop, which was disguised as a PLC and communicated with the host computer. The anomaly detection system installed on the host computer quickly detected the anomaly, because by the uniqueness of the entity it can determine that the PLC now communicating with the host computer is fake.

4.2. Tampering attack

Packet tampering is an attack that many attackers prefer. Its main means are to modify the instruction in a data packet, tamper with the packet payload, modify the measured value carried by the packet, and so on. From the historical behavior we can determine that such behavior is abnormal.

4.3. Logical disorder attack

This kind of attack is harder to defend against because every packet is valid and the communicating entity is legitimate, but we can still detect the anomaly in time by recording the historical behavior of the communication partners.
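The three experiments of Sections 4.1 to 4.3, as an added example that is not the authors' experiment code: a behavior model learned from a constructed normal session (device fingerprint per entity, value range per register, and the set of operation transitions each entity has performed) is replayed over a constructed attack stream in which a laptop impersonates the PLC, a level report is tampered, and a pump is started before its valve is opened. The message records, fingerprint strings and register numbers are constructed, and treating the learned range and transition set as the "historical behavior" is an assumption of this example.

```python
"""Detection of the three attacks of Section 4 (fake entity, packet tampering,
logical disorder) with a behavior model learned from normal traffic.

Added illustration, not the authors' experiment code. The message records,
the fingerprint strings and the register numbers are constructed; treating
the learned value range and operation-transition set as the 'historical
behavior' is an assumption of this example.
"""

# Record layout: (src, dst, fingerprint, operation, register, value).
# Constructed normal history: an HMI reads a tank level, opens a valve,
# starts a pump, stops the pump and closes the valve; the PLC reports levels.
HISTORY = [
    ("hmi", "plc-1", "fp-hmi", "read_level", 40001, 0),
    ("plc-1", "hmi", "fp-plc1", "report_level", 40001, 52),
    ("hmi", "plc-1", "fp-hmi", "open_valve", 1, 1),
    ("hmi", "plc-1", "fp-hmi", "start_pump", 2, 1),
    ("plc-1", "hmi", "fp-plc1", "report_level", 40001, 55),
    ("hmi", "plc-1", "fp-hmi", "stop_pump", 2, 0),
    ("hmi", "plc-1", "fp-hmi", "close_valve", 1, 0),
    ("plc-1", "hmi", "fp-plc1", "report_level", 40001, 48),
]

# Constructed attack stream: every single message is well-formed.
ATTACK_STREAM = [
    ("hmi", "plc-1", "fp-hmi", "read_level", 40001, 0),        # normal
    ("plc-1", "hmi", "fp-laptop", "report_level", 40001, 50),  # 4.1 laptop posing as plc-1
    ("plc-1", "hmi", "fp-plc1", "report_level", 40001, 200),   # 4.2 tampered measurement
    ("hmi", "plc-1", "fp-hmi", "start_pump", 2, 1),            # 4.3 pump before valve
]


class BehaviorModel:
    def __init__(self):
        self.fingerprints = {}    # entity -> device fingerprint (entity uniqueness, 3.2)
        self.value_range = {}     # (entity, register) -> (min, max) seen in history
        self.transitions = set()  # (entity, previous operation, operation) seen in history

    def learn(self, records):
        """Build the historical baseline from records assumed to be benign."""
        last = {}
        for src, _dst, fp, op, reg, val in records:
            self.fingerprints.setdefault(src, fp)
            lo, hi = self.value_range.get((src, reg), (val, val))
            self.value_range[(src, reg)] = (min(lo, val), max(hi, val))
            if src in last:
                self.transitions.add((src, last[src], op))
            last[src] = op
        return self

    def detect(self, records):
        """Return (index, kind, entity) for each message that breaks the baseline."""
        alerts, last = [], {}
        for i, (src, _dst, fp, op, reg, val) in enumerate(records):
            if self.fingerprints.get(src) != fp:
                alerts.append((i, "fake_entity", src))
                continue  # a counterfeit device must not update the real one's state
            lo, hi = self.value_range.get((src, reg), (val, val))
            if not lo <= val <= hi:
                alerts.append((i, "tampering", src))
            if src in last and (src, last[src], op) not in self.transitions:
                alerts.append((i, "logical_disorder", src))
            last[src] = op
        return alerts


def build_model():
    return BehaviorModel().learn(HISTORY)


if __name__ == "__main__":
    model = build_model()
    print("normal replay:", model.detect(HISTORY))
    for idx, kind, who in model.detect(ATTACK_STREAM):
        print(f"msg {idx}: {kind} from {who}")
```

The fingerprint check is what catches the fake PLC even though its Modbus messages are syntactically perfect, which is why Section 3.2 insists on identifying entities by more than their IP address. The min/max range is the simplest historical baseline for measured values; in practice a process value that drifts legitimately needs a tolerance or a rate-of-change bound, otherwise the first hot day will look like tampering. The transition set is a first-order model of command order; longer dependencies (a pump that may only start after both a valve open and a level read) call for a per-partner sequence model rather than pairs.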

5 Conclusion

This paper first analyzes the structure of the SCADA system and the security threats it faces. It then introduces the framework of the behavior-based anomaly detection mechanism and describes each module of the framework in detail. From the collected information we construct three different normal-behavior baselines along several dimensions and use them to detect attacks. Experiments show that the proposed detection model detects fake attacks, packet tampering attacks and logical disorder attacks well.

6 Future work

We intend to focus future work on the following two research directions:
(1) Establish a defense-in-depth system[9] suitable for industrial control systems. Based on the characteristics of industrial control systems, the defense-in-depth system will be improved so that it can be better applied to securing industrial control systems[10].
(2) Establish a kill-chain model[11] specifically for industrial security. The current kill chain model is coarse and ignores many details of an attack. We intend to create a kill chain model specific to industrial control systems.

Acknowledgements

We thank our shepherds, Zhen Xu and Liming Wang in our research group, for providing insightful feedback on the draft that helped improve the final paper. We would also like to thank Kai Chen, Zelong Chen and Zhenbo Yan for their help in early discussions and for providing insightful comments. This work was supported by the Security Services for Informatization Applications Program, Institute of Information Engineering, Chinese Academy of Sciences, under grant No. XXH13505-02, for which we are grateful.


References
1. Langner R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 2011, 9(3): 49-51.
2. Bencsáth B, Pék G, Buttyán L, et al. Duqu: A Stuxnet-like malware found in the wild. CrySyS Lab Technical Report, 2011.
3. Hentunen D. Havex hunts for ICS/SCADA systems. F-Secure Labs (on-line), 2014.
4. SANS ICS, E-ISAC. Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Electricity Information Sharing and Analysis Center (E-ISAC), 2016.
5. Knapp E D, Langill J T. Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress, 2014.
6. Moore D, Paxson V, Savage S, et al. Inside the Slammer worm. IEEE Security & Privacy, 2003, 1(4): 33-39.
7. Krebs B. Cyber incident blamed for nuclear power plant shutdown. Washington Post, June 5, 2008.
8. Byres E, Ginter A, Langill J. How Stuxnet spreads: A study of infection paths in best practice systems. Tofino Security white paper, 2011.
9. Kuipers D, Fabro M. Control systems cyber security: Defense in depth strategies. Idaho National Laboratory (INL), 2006.
10. Stouffer K, Falco J, Scarfone K. Guide to industrial control systems (ICS) security. NIST Special Publication 800-82, 2011.
11. Greenert J, Welsh M. Breaking the kill chain. Foreign Policy, 2013.
