Publication | Closed Access
Burst-based Anomaly Detection on the DNP3 Protocol
Citations: 19
References: 4
Year: 2013
Anomaly Detection, Engineering, Information Security, DNP3 Protocol, DNP3 Network Traffic, Formal Verification, SCADA Security, Potential Effectiveness, Systems Engineering, Internet of Things, CPS Security, Network Security, Intrusion Tolerance, Computer Engineering, Computer Science, Data Security, Control System Security, Event-driven Monitoring, Network Monitoring
The potential effectiveness of cyber-attacks against SCADA systems is increased by the fact that these systems are connected to the Internet for several purposes. The Distributed Network Protocol Version 3 (DNP3) is widely used in SCADA systems to communicate observed sensor state information back to a control center. Previous DNP3 security research has relied on specifications such as attack signatures and protocol-based authorization. An exact and detailed specification is a sound security criterion, but drafting proper specifications tends to be a time-consuming and error-prone process. Utilities that use DNP3 generally repeat a limited set of their own operations, so a whitelist-based approach is well suited to network intrusion detection. A burst is a group of consecutive packets whose inter-arrival times are shorter than those of the packets arriving immediately before or after the group. When utilities communicate over DNP3, one application-level transaction maps to one burst. We collected and analyzed the DNP3 network traffic of a real-world SCADA system and, based on the results of that analysis, produced a burst-based whitelist model for utilities using DNP3. The proposed model can be used to detect intrusions and abnormal behavior in the SCADA system.
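The burst definition and the whitelist model in the abstract can be turned into a small detector. The following is an added example, not code from the paper or its authors: it splits a timestamped packet list into bursts at inter-arrival gaps above a threshold, takes the ordered (source, destination, function code) sequence of each burst as its signature (one request/response transaction per burst, as the abstract describes), learns the set of signatures from a training capture, and flags any burst in later traffic whose signature is not in that set. The packet records, the host labels `master`, `rtu1` and `evil`, the function-code subset, and the 1.0 s gap threshold are all constructed for illustration; in practice the threshold must be derived from the inter-arrival distribution of the monitored link, and the whitelist is only as complete as the training capture it was learned from.

```python
"""Burst-based whitelist detection for DNP3-style traffic.

Added example, not the paper's code. Packet records, host labels,
function-code subset and the gap threshold are constructed/assumed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed subset of DNP3 application-layer function codes (decimal).
FC_READ = 1
FC_WRITE = 2
FC_SELECT = 3
FC_OPERATE = 4
FC_RESPONSE = 129


@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp in seconds
    src: str    # constructed host label (master/outstation)
    dst: str
    fc: int     # DNP3 application-layer function code


# Ordered sequence of (src, dst, fc) for the packets of one burst.
Signature = Tuple[Tuple[str, str, int], ...]


def split_bursts(packets: List[Packet], gap: float) -> List[List[Packet]]:
    """Group consecutive packets whose inter-arrival time is below `gap`.

    A new burst starts whenever the gap to the previous packet reaches the
    threshold. `gap` is an assumed tuning parameter; the paper derives the
    burst boundary from the traffic's own inter-arrival distribution.
    """
    bursts: List[List[Packet]] = []
    current: List[Packet] = []
    prev_ts = None
    for p in sorted(packets, key=lambda x: x.ts):
        if prev_ts is not None and current and p.ts - prev_ts >= gap:
            bursts.append(current)
            current = []
        current.append(p)
        prev_ts = p.ts
    if current:
        bursts.append(current)
    return bursts


def signature(burst: List[Packet]) -> Signature:
    """One application transaction (request + response) yields one signature."""
    return tuple((p.src, p.dst, p.fc) for p in burst)


def build_whitelist(training: List[Packet], gap: float) -> Set[Signature]:
    """Learn the set of burst signatures seen in a known-good capture."""
    return {signature(b) for b in split_bursts(training, gap)}


def detect(traffic: List[Packet], whitelist: Set[Signature],
           gap: float) -> List[Tuple[float, Signature]]:
    """Return (start timestamp, signature) of every burst not in the whitelist."""
    alerts: List[Tuple[float, Signature]] = []
    for b in split_bursts(traffic, gap):
        sig = signature(b)
        if sig not in whitelist:
            alerts.append((b[0].ts, sig))
    return alerts


def poll(t0: float, master: str = "master", rtu: str = "rtu1") -> List[Packet]:
    """Constructed periodic poll: one READ request and its RESPONSE."""
    return [Packet(t0, master, rtu, FC_READ),
            Packet(t0 + 0.05, rtu, master, FC_RESPONSE)]


GAP = 1.0

# Constructed training capture: the master polls the outstation every 2 s.
TRAINING = poll(0.0) + poll(2.0) + poll(4.0) + poll(6.0)

# Constructed monitored capture: normal polls plus a SELECT/OPERATE
# sequence from an unknown host, which never appeared in training.
SUSPECT = (poll(100.0) + poll(102.0)
           + [Packet(103.50, "evil", "rtu1", FC_SELECT),
              Packet(103.52, "rtu1", "evil", FC_RESPONSE),
              Packet(103.60, "evil", "rtu1", FC_OPERATE),
              Packet(103.62, "rtu1", "evil", FC_RESPONSE)]
           + poll(106.0))


def run_example() -> List[Tuple[float, Signature]]:
    """Learn from TRAINING, then check SUSPECT; returns the alert list."""
    return detect(SUSPECT, build_whitelist(TRAINING, GAP), GAP)


if __name__ == "__main__":
    for ts, sig in run_example():
        print(f"ALERT t={ts}: unknown burst {sig}")
```

The signature deliberately keeps packet order and direction, so a known request issued by an unexpected host, or a known transaction with an extra control operation appended, both fall outside the whitelist. The flip side is the usual one for whitelisting: a legitimate transaction that was absent from the training capture will also alert, so the training window has to cover the utility's full, if limited, set of operations.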