Solana enhances Suricata Open Source Intrusion Detection System (IDS) to support Industrial Control Systems and SCADA Networks

Ottawa, ON – Sep 3, 2015

As part of a Public Safety Canada contract, Solana has recently completed a software implementation based on the Suricata Open Source IDS (Intrusion Detection System) to enhance its capabilities to defend against cyber threats in Industrial Control Networks.

Modern society depends on the continuous and uninterrupted operation of critical infrastructures, ranging from the electrical power grid to oil and gas pipelines and water and wastewater treatment facilities. These systems serve as the backbone of much of Canada's critical infrastructure. Today, these vital systems are operated by very complex and sophisticated engineering software systems known as Supervisory Control and Data Acquisition (SCADA) systems. From a central control room, operators can remotely monitor and control these vital infrastructures. They can increase the pressure in pipelines by closing valves or decrease the electric load on the power grid by opening and closing breakers, with just the click of a mouse. There is growing evidence that cyber threat actors are targeting SCADA systems and are installing backdoors, which could be used to disrupt or destroy vital infrastructures.

Intrusion detection systems (IDS) are a key element of the defensive cyber security posture of every organization. An IDS detects cyber attacks by examining packets for patterns that match signatures for known threats. Signatures, protocol parsing and pattern matching support need to be implemented in an IDS for every unique protocol against which cyber threats can be launched. Industrial Control or SCADA networks use a unique set of protocols to control devices such as PLCs (Programmable Logic Controllers), which in turn control physical and industrial process operations. These include well-known protocols such as Modbus, Profinet, DNP3 and EtherNet/IP (ENIP).

Solana Networks enhanced Suricata to enable support for detection of cyber threats launched against devices running the ENIP protocol. The software design and implementation work was completed on Linux-based systems and is in the process of being contributed back to the open source community.

As part of the project, Solana conducted a gap analysis of popular IDS platforms such as Snort, Bro and Suricata. The study confirmed that support for SCADA protocols in these platforms was limited, although it had improved over the last two years. There remains a strong and urgent need to broaden the set of SCADA protocols supported by IDS platforms such as Suricata.