Publication . Conference object . 2018

Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

Chih-Yuan Lin; Simin Nadjm-Tehrani;
Open Access
Published: 22 May 2018
Publisher: Linköpings universitet, Programvara och system
Country: Sweden

The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security is growing, characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by non-polling mechanisms, such as spontaneous events, has not been well-studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of existence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, is studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.

Funding agencies: Swedish Civil Contingencies Agency (MSB) RICS (Resilient Information and Control Systems)

Subjects by Vocabulary

Microsoft Academic Graph classification: Computer science, Distributed computing, Anomaly detection, Polling, IEC 60870-5, Protocol (object-oriented programming), Mechanism (biology), Communications system, Data sequences, SCADA


iec-60870-5-104, probabilistic suffix tree(pst), scada, traffic patterns, Communication Systems, Kommunikationssystem
