SPEAR: A Systematic Approach for Connection Pattern-based Anomaly Detection in SCADA Systems

The adoption of open and widely used standards led to an increase in the grade of exposure and vulnerability in Supervisory Control and Data Acquisition (SCADA) systems. Therefore, the development of novel Anomaly Detection Systems (ADSs) specifically for SCADA systems is receiving a considerable attention from the scientific community. This paper goes beyond existing proposals and provides not only a novel ADS, but also a novel methodology for automatically configuring Snort-based ADSs deployed in SCADA systems. The methodology includes a graphical interface, a formal language, and shell scripts, used to model SCADA topologies and to automatically generate ADS rules. The approach is validated through several experiments and shows good performance with large topologies involving 100 LANs, 1000 hosts and 100 ADSs.