SwRI creates cyber threat detection system

Listen to this article

SwRI’s team used programmable logic controllers connected to input/output modules as part of its test network. | Source: SwRI

Southwest Research Institute (SwRI) developed a cyber security intrusion detection system for industrial control systems. The team created the system by using algorithms to scan for cyber threats across network protocols that transmit industrial control data.

“Business trends and new technology — driven in part by a pandemic push toward automation — are revealing more cyber vulnerabilities across industrial systems,” Dr. Steven Dellenback, vice president of SwRI’s Intelligent Systems Division, said. “We are proud to support government and industry with multidisciplinary expertise in cybersecurity and automation technologies.”

In the past, it was easier to keep industrial networks secure, as they could simply be unplugged from information technology (IT) networks. Today, however, unplugging from IT networks isn’t usually an option, as industrial automation systems need to use the internet of things (IoT) to transmit data.

“Connecting IoT devices and other hardware exposes industrial networks to security vulnerabilities,” Peter Moldenhauer, an SwRI computer scientist specializing in cybersecurity, said. “Attacks can occur through an IoT device or even network protocols and outdated software.”

SwRI’s team focused on scanning for cyberattacks over the Modbus/TCP protocol, an ethernet-based networking protocol used in supervisory controls and data acquisition (SCADA) systems equipment. The team used algorithms originally developed to scan Controller Area Network (CAN) bus networks used in automotive hardware.

“We had to customize the previous algorithms to recognize the different ways the Modbus/TCP protocol grouped data packets in sequences and time signatures,” Jonathan Esquivel, an SwRI computer scientist, said.

The team created a test system for the algorithms using a Modbus/TCP protocol to send data packets over a network featuring an Ethernet switch. The switch connected personal computers, programmable logical controllers and input/output modules. These devices send commands and record data for autonomous robots and mechanized equipment.

When the team applied its adjusted algorithms to its test network, their algorithms were able to recognize normal Modbus/TCP traffic and identify cyberattack vectors, like out-of-band timing, address probing an data manipulation. The algorithm classifies data packets that come from an uncompromised industrial control device as “regular” and ones that come from an unexpected or compromised device as “attack.”