A Communications Validity Detector for SCADA Networks

Critical Infrastructure Protection XVI, IFIP Advances in Information and Communication Technology (2022)

Abstract
Supervisory Control and Data Acquisition (SCADA) systems are a lucrative attack target because of their physical impact. A large percentage of attacks against them are crafted input attacks. Buffer overflows, a relatively common form of crafted input attack, remain common in SCADA systems and on the Internet as a whole. Attackers can exploit such software vulnerabilities to take over SCADA systems or force them to crash. The compromised devices can then be used to issue SCADA commands to the other devices on the network and perform malicious actions. We present CVD, a novel SCADA forensics tool that helps operators detect crafted input attacks and monitor a SCADA substation for harmful actions. CVD includes several Language-Theoretic Security (LangSec)-compliant parsers that ensure the syntactic validity of SCADA communication, and thereby detects many crafted-packet zero-days. CVD detects attacks delivered over legacy protocols widely used in SCADA networks, such as Telnet, web interfaces, and DNP3. CVD also includes command-line tools, GUIs, and tools to compare network traffic against various configuration files. To evaluate CVD, we first ran our parsers on an extensive collection of valid packets for every SCADA protocol we support. Next, to ensure that our parsers are resilient to random data, we fuzz-tested them with AFL++ and python-fuzz. To ensure that our network interfaces are resilient, we fuzz-tested the TCP server endpoints with fuzzotron. Finally, we constructed various attack scenarios using malformed packets and invalid configurations, and CVD detected and visualized these attacks successfully.
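The abstract describes LangSec-compliant parsers that accept only syntactically valid SCADA traffic. The following is an added illustration of that idea for the DNP3 link layer, written for this page; it is not code from the paper or from CVD. It parses a link-layer frame in grammar order (start bytes, length field, header CRC, exact frame size implied by the length field, then a CRC on every 16-byte data block) and rejects anything that does not fit, with a reason, before any field is used. The `build_link_frame` encoder, the `check_frame` wrapper and the 20-byte sample payload are constructed for the example; the `RESET_LINK` bytes are the standard DNP3 "reset link states" frame from address 1024 to address 1.

```python
"""Strict (LangSec-style) DNP3 link-layer frame parser. Added example, not CVD code."""
from dataclasses import dataclass

DNP3_POLY_REFLECTED = 0xA6BC   # reflected form of the DNP3 CRC-16 polynomial 0x3D65
START = b"\x05\x64"
HEADER_LEN = 10                 # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
BLOCK_LEN = 16                  # user data travels in 16-byte blocks, each followed by a CRC


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: init 0, reflected polynomial, result ones-complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


class InvalidFrame(ValueError):
    """Raised when the input does not match the link-layer grammar."""


@dataclass
class LinkFrame:
    ctrl: int
    dest: int
    src: int
    user_data: bytes


def frame_size_for(length_field: int) -> int:
    """Exact wire size implied by the LEN field (LEN counts ctrl..end of user data)."""
    user_len = length_field - 5
    blocks = (user_len + BLOCK_LEN - 1) // BLOCK_LEN
    return HEADER_LEN + user_len + 2 * blocks


def parse_link_frame(buf: bytes) -> LinkFrame:
    # 1. the fixed header must be fully present before any field is read
    if len(buf) < HEADER_LEN:
        raise InvalidFrame("truncated header")
    if buf[:2] != START:
        raise InvalidFrame("bad start bytes")
    length = buf[2]
    if length < 5:
        raise InvalidFrame("length field below minimum of 5")
    # 2. header CRC covers the first 8 bytes and is sent little-endian
    if int.from_bytes(buf[8:10], "little") != dnp3_crc(buf[:8]):
        raise InvalidFrame("header CRC mismatch")
    # 3. the length field fixes the frame size; a mismatch is rejected, never trusted
    expected = frame_size_for(length)
    if len(buf) != expected:
        raise InvalidFrame(f"frame has {len(buf)} bytes, length field implies {expected}")
    ctrl = buf[3]
    dest = int.from_bytes(buf[4:6], "little")
    src = int.from_bytes(buf[6:8], "little")
    # 4. every data block must carry a valid CRC
    user_data = bytearray()
    pos, remaining = HEADER_LEN, length - 5
    while remaining > 0:
        n = min(BLOCK_LEN, remaining)
        block = buf[pos:pos + n]
        if int.from_bytes(buf[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise InvalidFrame(f"data block CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
        remaining -= n
    return LinkFrame(ctrl, dest, src, bytes(user_data))


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Encoder used to construct sample frames; mirrors parse_link_frame (example helper)."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds 250 bytes")
    header = (START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(header + dnp3_crc(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), BLOCK_LEN):
        block = user_data[i:i + BLOCK_LEN]
        out += block + dnp3_crc(block).to_bytes(2, "little")
    return bytes(out)


def check_frame(buf: bytes) -> str:
    """'valid' or the rejection reason, as a detector would log it."""
    try:
        parse_link_frame(buf)
        return "valid"
    except InvalidFrame as exc:
        return f"rejected: {exc}"


# Standard DNP3 RESET LINK frame, master (1024) -> outstation (1); CRC 0x21E9 sent as E9 21
RESET_LINK = bytes.fromhex("056405C001000004E921")

if __name__ == "__main__":
    print(check_frame(RESET_LINK))
    good = build_link_frame(0xC4, 1, 1024, bytes(range(20)))   # constructed sample
    print(check_frame(good))
    print(check_frame(good[:-3]))                              # truncated: size != LEN
    tampered = bytearray(good); tampered[12] ^= 0x01
    print(check_frame(bytes(tampered)))                        # payload byte altered
```

The order of checks is the point: the length field is validated and the header CRC verified before the length is used to index the buffer, and the buffer size must equal the size the grammar implies, so an inflated or truncated LEN is reported as a malformed frame rather than causing an out-of-bounds read further down the pipeline.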
Keywords
communications validity detector