Article

Detection and mitigation of field flooding attacks on oil and gas critical infrastructure communication

Journal

COMPUTERS & SECURITY
Volume 124, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2022.103007

Keywords

ModbusTCP; Cybersecurity; Operational technology; Cyber-physical systems; Machine learning


Industrial Cyber-Physical Systems (ICPS) rely on Supervisory Control and Data Acquisition (SCADA) for process monitoring and control. However, communication through insecure protocols such as Modbus, DNP3, and OPC Data Access makes these SCADA systems vulnerable to various attacks, including denial of service (DoS) attacks. This paper introduces a novel Field Flooding attack that exploits the packet memory structure of the Modbus protocol to perform a DoS attack on Programmable Logic Controllers (PLCs). The proposed mechanism, utilizing supervised machine learning with the XGBoost algorithm, achieves 99% accuracy in detecting this attack.
Industrial Cyber-Physical Systems (ICPS) are highly dependent on Supervisory Control and Data Acquisition (SCADA) for process monitoring and control. Such SCADA systems are known to communicate using various insecure protocols such as Modbus, DNP3, and Open Platform Communication (OPC) Data Access standards (providing access to real-time automation data), which are vulnerable to a range of attacks. This leads to increased cyber risks faced in critical infrastructures, especially in the Oil and Gas sector. One of the most popular and critical attacks deployed against such infrastructure is Denial of Service (DoS), as it can have severe consequences that range from financial loss to loss of life. Such attacks can disrupt the ability of an operator to control hazardous operations leading to potentially unsafe scenarios. A novel Field Flooding attack is described which takes advantage of the packet memory structure of the Modbus protocol to perform a DoS attack. This attack can cause overflowing of the memory bank allocated in the Programmable Logic Controller (PLC) for Modbus operations. The attack is deployed and evaluated on a real industrial testbed and its impact against the Mitre ATT&CK framework is assessed, in order to identify which tactics an adversary could use to compromise the system. A novel mechanism that utilises supervised machine learning to detect this attack in industrial control system networks is also described. Experimental results show that the proposed mechanism, using the XGBoost algorithm, can identify this attack with 99% accuracy.

© 2022 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)
