Text size
  • Small
  • Medium
  • Large
  • Standard
  • Blue text on blue
  • High contrast (Yellow text on black)
  • Blue text on beige

    Bro in SCADA: dynamic intrusion detection policies based on a system model

    5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)

    29 - 30 August 2018, University of Hamburg, Germany.


    Justyna Chromik, Anne Remke & Boudewijn Haverkort



    We present an online monitoring tool for SCADA systems based on the network monitor Bro, which can be used locally at field stations. The tool generates alerts when suspicious and erroneous commands and sensor readings are detected. It can hence been seen as a local Intrusion Detection System, as well as an safety enhancement. It maintains a model of the local system, which is updated with incoming packets containing sensor readings and commands. Focusing on the protocol IEC-104, a parser was developed and the packet content was directly fed into the system model. Adaptive policies are implemented in Bro, which formulate physical constraints and safety requirements and allow to check whether SCADA traffic complies to these rules in real time. A case study with a real IEC-104 traffic trace shows the feasibility of our approach.


    PDF file PDF Version of this Paper 636(kb)