Detection and Mitigation Strategies

Intrusion detection is the primary tool for protecting a DNP3 environment from malicious behavior that attempts to intercept the network, interrupt communication or manipulate data transmission. There are two types of intrusion detection: host based, which provides protection at the host level, and network based, which monitors traffic across the entire network. In our research we used the host based detection method together with mitigation strategies and techniques in an attempt to prevent a successful MITM attack on a DNP3 environment.
To optimize our detection and mitigation procedures against cyber threats, we will use logs and machine-learning techniques such as statistical analysis to create and implement procedures that let IEDs detect cyber threats independently and/or collaboratively. We can also prevent attacks by implementing pattern recognition based on traffic analysis between the legitimate devices and the attacker(s): we measure the average round trip time delay Trtrip between the legitimate communicating IED nodes for each request and response packet exchange and dynamically adjust the maximum allowed timeout to Trtrip + ΔSM. This should deny attackers the time needed to inject traffic, since their packets will be automatically dropped by the receiver.

Setting up the Round Trip Time Measurement

Steps for setting up the average round trip time measurement at the master or the outstation using the Round Trip Timing Agent tool (RTTA, developed internally):
1. Establish the DNP3 session between the master and the slave.
2. Compute the average DNP3 round trip time delay for DNP3 packets (Trtrip) by running the RTTA at the master and the slave.
3. An output text file is generated for the duration of the runtime that contains the round trip time delay (RTTD) for each DNP3 packet exchange.
4. The Average Round Trip Time Delay (Trtrip) is calculated.

Pass/Drop Algorithm

During packet exchange between the master and the outstation, we will compute the round trip time delay (RTTD) for each DNP3 packet exchange and from it generate an average as the baseline Trtrip. We have the following equation, similar to Eq. 2:
Δ = (T_{arrival} − T_{transmitted}) − ½ T_{rtrip} (5)
T_{arrival} and T_{transmitted} are the actual time stamps of the returning packet. For a symmetric exchange of packets between the master and the slave, ½ T_{rtrip} represents half the average round trip time delay, for either the request or the response packet, and Δ represents the deviation from that average. If the deviation is between zero and a safety margin ΔSM, the master accepts the packet; otherwise the packet is dropped. The safety margin ΔSM must be chosen carefully so that an attacker does not have the time needed to perform the attack. The following scenario steps show the algorithm sequence in more detail:
1. Each node measures its average round trip time delay Trtrip for each exchange of DNP3 packets.
2. The master sends a DNP3 packet to the outstation, encapsulated in TCP with a Sequence Number (SN) and an Acknowledgement Number (AN) in the segment header.
3. The outstation sends a DNP3 response to the master's request.
4. The master monitors the round trip time of the received response packet and compares it against Trtrip; if the deviation exceeds the safety margin, the packet is dropped and a retransmission occurs.
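The pass/drop sequence above, as an added Python example that is not from the paper or the RTTA tool: the RttGuard class, run_master, and all timestamp values are constructed here, and the code assumes the master's and outstation's timestamps come from a shared clock.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class RttGuard:
    """Pass/drop check for DNP3 responses based on round trip time deviation.
    Hypothetical implementation of this section's algorithm; timestamps are seconds on
    a clock assumed to be shared by master and outstation (the page does not say how)."""
    safety_margin: float                          # ΔSM, in seconds
    samples: list = field(default_factory=list)   # RTTD values from the baseline run

    def record_rttd(self, t_request, t_response):
        """Baseline phase (what the RTTA tool logs): one RTTD per request/response."""
        self.samples.append(t_response - t_request)

    def t_rtrip(self):
        """Average round trip time delay Trtrip over the recorded samples."""
        return mean(self.samples)

    def check(self, t_transmitted, t_arrival):
        """Eq. 5: Δ = (T_arrival - T_transmitted) - ½ Trtrip. Accept only when
        0 <= Δ <= ΔSM; a slower (or implausibly faster) response is dropped."""
        delta = (t_arrival - t_transmitted) - 0.5 * self.t_rtrip()
        return (0.0 <= delta <= self.safety_margin), delta

def run_master(guard, responses):
    """Check each (t_transmitted, t_arrival) pair; return the list of (accepted, Δ)
    decisions and the number of drops, each of which triggers a retransmission."""
    decisions = [guard.check(t_tx, t_rx) for t_tx, t_rx in responses]
    return decisions, sum(1 for accepted, _ in decisions if not accepted)

# Constructed sample data: baseline exchanges averaging 20 ms RTT, ΔSM = 5 ms.
BASELINE = [(0.000, 0.020), (1.000, 1.022), (2.000, 2.018)]
RESPONSES = [
    (100.000, 100.012),  # one-way 12 ms: Δ = 2 ms, inside the margin -> pass
    (101.000, 101.014),  # one-way 14 ms: Δ = 4 ms, still inside ΔSM -> pass
    (102.000, 102.030),  # one-way 30 ms: Δ = 20 ms, the extra delay a relay adds -> drop
]

def demo():
    guard = RttGuard(safety_margin=0.005)
    for t_req, t_resp in BASELINE:
        guard.record_rttd(t_req, t_resp)
    return run_master(guard, RESPONSES)

if __name__ == "__main__":
    decisions, retransmissions = demo()
    for (accepted, delta), (t_tx, t_rx) in zip(decisions, RESPONSES):
        print(f"tx={t_tx:.3f} rx={t_rx:.3f} delta={delta * 1000:.1f} ms -> {'PASS' if accepted else 'DROP'}")
    print(f"retransmissions needed: {retransmissions}")
```

Note that, as the text specifies, a response arriving faster than half the baseline gives a negative Δ and is dropped as well, so ΔSM bounds the accepted window on one side only.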

Mitigation Techniques

Mitigation techniques will follow the retransmission strategy. In, two events have been defined that require this strategy: a TCP segment damaged in transit is the first possible event, and a segment that fails to arrive is the more common one. In both cases, a timer is associated with each segment, and if the timer expires before the segment is acknowledged, a retransmission occurs. It is therefore a key design issue to evaluate the timer of the TCP connection that encapsulates the DNP3 packets: the timer should not be so small that it causes many unnecessary retransmissions, nor so large that it delays the response to lost segments. The timer is variable and should be set larger than the round trip time delay.
If we now consider the DNP3 packet exchanges between the master and the outstation, they follow the same analogy, and if the timer is set carefully, close to the round trip delay, MITM attacks could be prevented. Hence any delay introduced by the attacker that exceeds the safety margin ΔSM will trigger a retransmission of the original packet by the sender.