Modbus/DNP3 State-based Intrusion Detection System

The security of Industrial Critical Infrastructures is become a prominent problem with the advent of modern ICT technologies used to improve the performances and the features of the SCADA systems. In this paper we present an innovative approach to the design of Intrusion Detection Systems. The aim is to be able to detect complex attacks to SCADA systems, by monitoring its state evolution. By complex attack, we mean attacks composed of a set of commands that, while licit when considered in isolation on a single-packet basis, can disrupt the correct behavior of the system when executed in particular operating states. The proposed IDS detects these complex attacks thanks to an internal representation of the controlled SCADA system. We also present the corresponding rule language powerful enough to express the system's critical states. Furthermore, we present a prototype of the proposed IDS, able to monitor systems using the ModBus and DNP3 communication protocols.