The SUPPRESS research group has developed a scalable demonstrator for intrusion detection and security event monitoring in industrial control networks. The system derives security events from network traffic, which it monitors transparently. Current and past security events can be analysed for incident detection or as support for forensic analysis.
The demonstrator's industrial control system covers the lower levels of the automation pyramid (field, control and supervision). The physical system is an industrial pilot plant for process control in which several variables are managed. Control is performed by a master PLC that communicates with a slave PLC hosting the I/O modules that acquire signals from the pilot plant. Supervision is performed by a SCADA system that monitors process variables and alarms. Communication among the automation elements is based on the Modbus TCP/IP standard, with its Schneider Electric variant used as the configuration protocol.
IDS probes monitor traffic in the control and supervisory networks of the system. Appropriately configured, they can detect denial-of-service attacks and other events potentially linked to a security incident, e.g. download/upload of control strategies, use of forbidden Modbus function codes, or firmware update attempts.
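The kind of check such a probe performs on Modbus TCP/IP traffic, as an added example that is not the SUPPRESS demonstrator's code: it parses the MBAP header and function code of each frame, raises an event when the function code is outside an allowlist (the allowlist, the hosts, the rate threshold and the sample frames are assumptions constructed for the example), flags exception responses, and raises a flooding event when one source exceeds a request rate inside a sliding window.

```python
"""Minimal Modbus/TCP inspector: parses MBAP header + function code, flags codes
outside an allowlist, exception responses and request bursts from one source.
Example code, not the SUPPRESS demonstrator's implementation."""
import struct
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

MBAP_STRUCT = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
MBAP_LEN = MBAP_STRUCT.size            # 7 bytes; the function code follows immediately

# Assumption for this example: the SCADA only reads inputs/registers and writes coils/registers.
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}

# Names of standard Modbus function codes used in the sample (public Modbus specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}

RATE_LIMIT = 5          # assumed threshold: more requests than this per window is flooding
WINDOW_SECONDS = 1.0


@dataclass
class SecurityEvent:
    timestamp: float
    src: str
    dst: str
    unit_id: int
    function_code: int
    reason: str


def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, int, bytes]:
    """Return (transaction_id, unit_id, function_code, data); raise ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP_STRUCT.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 header bytes.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(payload)}")
    return tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:]


class ModbusProbe:
    def __init__(self, allowed=ALLOWED_FUNCTION_CODES, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.allowed = set(allowed)
        self.rate_limit = rate_limit
        self.window = window
        self._recent: Dict[str, Deque[float]] = {}   # per-source timestamps inside the window

    def inspect(self, ts: float, src: str, dst: str, payload: bytes) -> List[SecurityEvent]:
        events: List[SecurityEvent] = []
        try:
            _tid, unit, fc, _data = parse_modbus_tcp(payload)
        except ValueError as exc:
            return [SecurityEvent(ts, src, dst, -1, -1, f"malformed Modbus/TCP frame: {exc}")]
        if fc & 0x80:
            # Exception responses echo the request code with the high bit set; a run of
            # them from a PLC usually means a client is trying codes it may not use.
            events.append(SecurityEvent(ts, src, dst, unit, fc & 0x7F,
                                        f"exception response to function code {fc & 0x7F}"))
        elif fc not in self.allowed:
            name = FUNCTION_NAMES.get(fc, "non-standard/vendor-specific")
            events.append(SecurityEvent(ts, src, dst, unit, fc, f"forbidden function code {fc} ({name})"))
        # Sliding-window request count per source address.
        q = self._recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            events.append(SecurityEvent(ts, src, dst, unit, fc,
                                        f"{len(q)} requests in {self.window}s window: possible flooding"))
        return events


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Constructed helper that builds sample frames; not traffic captured from the demonstrator."""
    pdu = bytes([fc]) + data
    return MBAP_STRUCT.pack(tid, 0, len(pdu) + 1, unit) + pdu


def demo() -> List[SecurityEvent]:
    """Run the probe over a constructed sequence of frames (documentation addresses)."""
    probe = ModbusProbe()
    scada, plc, stranger = "192.0.2.10", "192.0.2.20", "192.0.2.99"
    events: List[SecurityEvent] = []
    # Normal: the SCADA reads 10 holding registers -> no event.
    events += probe.inspect(1.0, scada, plc, build_frame(1, 1, 3, b"\x00\x00\x00\x0a"))
    # Diagnostics (code 8) from an unexpected host -> forbidden code event.
    events += probe.inspect(2.0, stranger, plc, build_frame(2, 1, 8, b"\x00\x00\x00\x00"))
    # Code 90, chosen as a sample non-allowlisted code -> forbidden code event.
    events += probe.inspect(2.1, stranger, plc, build_frame(3, 1, 90, b"\x00\x01"))
    # PLC answers with an exception response (0x88 = 8 | 0x80) -> exception event.
    events += probe.inspect(2.2, plc, stranger, build_frame(3, 1, 0x88, b"\x01"))
    # Seven reads inside one second from the same host -> flooding events on the 6th and 7th.
    for i in range(7):
        events += probe.inspect(5.0 + i * 0.1, stranger, plc, build_frame(10 + i, 1, 3, b"\x00\x00\x00\x01"))
    return events


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.timestamp:5.1f} {ev.src} -> {ev.dst} unit={ev.unit_id} fc={ev.function_code}: {ev.reason}")
```

The allowlist is the important configuration choice: a real probe would derive it from the engineering baseline of the plant (which codes each SCADA and PLC legitimately exchanges), and the configuration protocol used for download/upload of control strategies or firmware updates would then stand out as non-allowlisted traffic from an unexpected host rather than needing a dedicated signature.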