Intrusion detection in SCADA systems by traffic periodicity and telemetry analysis

2016 
A supervisory control and data acquisition (SCADA) system is a vital component of critical infrastructures (CIs). However, most protocols used in SCADA systems lack either authentication or integrity-checking mechanisms, which leaves them extremely vulnerable to cyber attacks as more and more SCADA systems are connected to external networks. Intrusion detection systems (IDSs) have been proposed to enhance system security, but few of them can effectively resist response injection and denial of service attacks at the same time. In this paper we present an IDS named PT-IDS to fill this gap by investigating the periodicity and telemetry patterns of network traffic within typical SCADA systems. First, we analyze the periodicity characteristics of SCADA networks and classify them into four categories by designing an analyzer algorithm. Furthermore, in order to detect response injection attacks effectively, we design an auxiliary module that analyzes the network telemetry pattern. The results of both modules are considered together to improve the accuracy of intrusion detection, especially for denial of service attacks. In addition, the proposed system produces alarm reports that include both warnings and matching severity information. The time complexity of both analyzer algorithms is polynomial, and simulations demonstrate the effectiveness and efficiency of our IDS mechanism.
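As an added illustration (not the paper's code), a minimal two-module detector in the spirit of PT-IDS run over constructed Modbus-style polling traffic: a periodicity module that learns each register's poll interval and flags gaps or floods, and a telemetry module that flags implausible reply values. The tolerance, the step threshold and the combined severity scheme are assumptions, not values taken from the paper.

```python
from statistics import median

# Constructed traffic for one master/outstation pair as (time_s, kind, register,
# value); kind is "req" (poll) or "rsp" (reply). Baseline: polls every 2.0 s.
BASELINE = [e for t, v in zip(range(0, 12, 2), (50, 51, 52, 51, 50, 51))
            for e in ((float(t), "req", 40001, None), (t + 0.1, "rsp", 40001, v))]
# Window with a 5 s polling gap (DoS symptom) and one implausible reply (99).
ATTACK = [e for t, v in zip((20, 22, 24, 26, 31, 33), (50, 51, 99, 51, 50, 50))
          for e in ((float(t), "req", 40001, None), (t + 0.1, "rsp", 40001, v))]

def learn_profile(events):
    """Per register: median poll interval (periodicity), value range and largest step (telemetry)."""
    profile = {}
    for reg in {e[2] for e in events}:
        req_t = [t for t, k, r, _ in events if k == "req" and r == reg]
        vals = [v for _, k, r, v in events if k == "rsp" and r == reg]
        profile[reg] = {"period": median(b - a for a, b in zip(req_t, req_t[1:])),
                        "lo": min(vals), "hi": max(vals),
                        "max_step": max(abs(b - a) for a, b in zip(vals, vals[1:]))}
    return profile

def analyze(events, profile, tol=0.25):
    """Run both modules over a window; return alarms carrying a severity.
    Periodicity flags a poll interval outside period*(1 +/- tol) (gap or flood);
    telemetry flags a reply outside the learned range or jumping more than twice
    the learned max step from the last plausible reply (response injection).
    Assumed severity scheme: "high" if both modules flag a register, else "medium"."""
    alarms = []
    for reg, p in profile.items():
        req_t = [t for t, k, r, _ in events if k == "req" and r == reg]
        hits = []
        for a, b in zip(req_t, req_t[1:]):
            if abs((b - a) - p["period"]) > tol * p["period"]:
                hits.append({"register": reg, "module": "periodicity", "t": b,
                             "detail": f"poll interval {b - a:.1f}s, expected {p['period']:.1f}s"})
        last_ok = None  # last reply that passed both telemetry checks
        for t, v in [(t, v) for t, k, r, v in events if k == "rsp" and r == reg]:
            in_range = p["lo"] <= v <= p["hi"]
            plausible = last_ok is None or abs(v - last_ok) <= 2 * p["max_step"]
            if in_range and plausible:
                last_ok = v
                continue
            hits.append({"register": reg, "module": "telemetry", "t": t, "detail":
                         f"reply {v} {'out of range' if not in_range else 'implausible jump'}"})
        both = {h["module"] for h in hits} == {"periodicity", "telemetry"}
        for h in hits:
            h["severity"] = "high" if both else "medium"
        alarms.extend(sorted(hits, key=lambda h: h["t"]))
    return alarms
```

Training on the clean baseline and then scoring a window with both a polling gap and an injected value yields two alarms rated "high"; a window with only a poll flood yields periodicity alarms rated "medium".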