Technical Field
The present disclosure relates generally to the field of supervisory control and data acquisition (SCADA) systems and, more particularly, to SCADA systems in which an intrusion detection system (IDS) is used to detect unauthorized activity.
Background Discussion
A SCADA system refers to any hardware or software application that has the ability to control local and remote devices. A SCADA system typically includes or communicates with an Industrial Control System (ICS) network. The ICS network is typically isolated from corporate networks and the internet and is responsible for connecting field devices to SCADA servers. A common attack on SCADA systems involves sending unsolicited data to the SCADA system that is contrary to the physical state of the normal activities of the SCADA system. For instance, reporting to a SCADA system that a fluid level was low, while the fluid level was actually very high, could result in a pump running and overflowing a container. While this does not involve alteration of any code of the SCADA system, the end result could be just as severe.
Traditional IDS implementations are very effective at detecting abnormal traffic on connected networks. An IDS is a device or software application that monitors a computing environment (e.g., a network or a system) for traffic that is unauthorized. IDSs conventionally include an internal storage of the environment's configuration to differentiate between authorized and unauthorized traffic. This internal storage may include a whitelist of applications, devices, or addresses that are authorized by the IDS for execution or to be accessed. When an IDS detects abnormal traffic, the IDS notifies other systems and users of a potential breach so that appropriate actions may be taken. IDSs are conventionally deployed on ICS networks to protect SCADA systems, networks, and connected devices. Traditional IDS designs generally use a dedicated appliance or a separate server to keep ICS configuration information up-to-date.
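The following is an added illustrative example, not code from the disclosure. It shows the two detection ideas described above in working form: a whitelist of authorized devices and the tags each may write (the "internal storage of the environment's configuration"), and a plausibility check that flags a reported fluid level contradicting the physical state implied by the pump command, as in the overflow scenario. The device addresses, tag names, threshold and sample traffic are all constructed for the example.

```python
"""Added example: minimal whitelist-based IDS with a physical-plausibility
check for ICS telemetry. All addresses, tags and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed whitelist: which source device may write which tag.
AUTHORIZED_DEVICES: Dict[str, Set[str]] = {
    "10.0.1.10": {"tank1.level"},  # hypothetical level-sensor RTU
    "10.0.1.20": {"pump1.cmd"},    # hypothetical pump controller
}

# Constructed threshold: largest plausible level change (%) between two reports.
MAX_LEVEL_CHANGE = 5.0


@dataclass
class Message:
    src: str      # source address of the report or command
    tag: str      # process tag being written
    value: float  # reported level (%) or pump command (1.0 = on, 0.0 = off)


@dataclass
class Alert:
    reason: str
    msg: Message


def check_whitelist(msg: Message) -> Optional[Alert]:
    """Reject traffic from unknown devices or devices writing tags they do not own."""
    allowed = AUTHORIZED_DEVICES.get(msg.src)
    if allowed is None:
        return Alert("unknown source device", msg)
    if msg.tag not in allowed:
        return Alert("device not authorized to write tag", msg)
    return None


class PlausibilityMonitor:
    """Tracks pump state and the last trusted level to judge new level reports."""

    def __init__(self) -> None:
        self.last_level: Optional[float] = None
        self.pump_running = False

    def check(self, msg: Message) -> Optional[Alert]:
        if msg.tag == "pump1.cmd":
            self.pump_running = msg.value == 1.0
            return None
        if msg.tag != "tank1.level":
            return None
        if self.last_level is not None:
            delta = msg.value - self.last_level
            if abs(delta) > MAX_LEVEL_CHANGE:
                # A sudden "low" reading while the tank was nearly full.
                return Alert("level change exceeds physical rate", msg)
            if self.pump_running and delta < 0:
                # A filling pump cannot make the level fall.
                return Alert("level falling while pump is filling", msg)
        # Only readings that passed the checks become the trusted baseline.
        self.last_level = msg.value
        return None


def run_ids(messages: List[Message]) -> List[Alert]:
    """Apply the whitelist first, then the plausibility check, collecting alerts."""
    monitor = PlausibilityMonitor()
    alerts: List[Alert] = []
    for msg in messages:
        alert = check_whitelist(msg) or monitor.check(msg)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic mixing normal operation with three anomalies.
SAMPLE_TRAFFIC = [
    Message("10.0.1.10", "tank1.level", 80.0),
    Message("10.0.1.20", "pump1.cmd", 1.0),     # pump switched on (filling)
    Message("10.0.1.10", "tank1.level", 83.0),  # plausible rise
    Message("10.0.1.10", "tank1.level", 10.0),  # implausible "low" reading
    Message("10.0.1.99", "tank1.level", 50.0),  # unknown device
    Message("10.0.1.10", "pump1.cmd", 0.0),     # sensor RTU issuing a pump command
]

if __name__ == "__main__":
    for a in run_ids(SAMPLE_TRAFFIC):
        print(f"ALERT: {a.reason}: {a.msg}")
```

Running the script on the sample traffic produces three alerts, one for each anomaly. The whitelist check runs first so that traffic from unknown or misbehaving devices never updates the trusted process state; the plausibility check then catches reports that are well-formed and come from an authorized device but cannot be reconciled with the known pump state.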