Product Information

SCADA Protocol Anomaly Detector

Brief Description

COPS SPADE (SCADA Protocol Anomaly Detector) is a passive security monitoring solution targeting the security of remote terminal units (RTUs). SPADE actively detects anomalous communication between the RTU and the master, using an analytics engine based on deep packet inspection (DPI) and deep content inspection (DCI). The analytics engine uses white-listed rules and is modeled specifically for IEC 60870-5-104 based SCADA systems. SPADE can effectively detect known and unknown zero-day attacks on SCADA systems.


Use Cases

1. Monitor all communication between the RTU and the master; detect and report any abnormalities/attacks at the RTU

2. Detect attacks on the RTU such as DoS, malfunctioning of RTU/master, brute-force attacks, and zero-day attacks



Salient Features

1. Plug-in solution without affecting architecture of the existing system

2. Can detect zero-day attacks

3. Single dashboard (SCADA Vision) at the control centre to monitor the status of all RTUs

4. Can be deployed whether RTUs are modern/legacy/proprietary

5. Analyzes exchanged messages and commands initiated from the master to perform integrity checks and detect any suspicious events

6. Detects attacks on the RTU such as DoS, malfunctioning of RTU/master, brute-force attacks, and zero-day attacks



Technical Specifications

SPADE works in two phases: a learning phase and an operational phase.

• The learning phase prepares white-list tables based on metadata and uniform data classification

• In the operational phase, SPADE sniffs real-time data and applies DPI/DCI methodologies with the support of protocol-based rule sets and pattern-based state machines, and provides the results to the analytics engine

• The analytics engine works on behavior profiling, decision trees, and model-based anomaly detection, and generates alarms/events/incidents based on risk level

• Takes a separate feed of raw sensor values, without affecting RTU operations, to detect anomalies

• Real-time dashboard with incident tracking and support for risk-prioritized alarms/events/incidents
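
The two-phase white-list idea described above, sketched for IEC 60870-5-104 traffic as an added example; it is not SPADE's implementation. The white-list key (type ID, cause of transmission, common address, first information object address), the helper names, and the sample frames are assumptions made for illustration.

```python
import struct

START = 0x68  # IEC 60870-5-104 APCI start octet

def build_i_frame(type_id, cot, ca, ioa, element):
    """Constructed I-format APDU carrying one information object."""
    asdu = bytes([type_id, 0x01, cot & 0x3F, 0x00]) + struct.pack("<H", ca)
    asdu += ioa.to_bytes(3, "little") + element
    ctrl = bytes(4)  # sequence numbers 0; bit 0 of first octet = 0 marks I-format
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu

def parse_apdu(frame):
    """Return (format, key); key is (type_id, cot, ca, ioa) for I-frames only."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        raise ValueError("bad start octet or length field")
    c1 = frame[2]
    fmt = "I" if c1 & 0x01 == 0 else ("S" if c1 & 0x03 == 0x01 else "U")
    if fmt != "I":
        return fmt, None
    asdu = frame[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for one information object")
    ca = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    return fmt, (asdu[0], asdu[2] & 0x3F, ca, ioa)

def learn(frames):
    """Learning phase: collect every key seen in known-good traffic."""
    parsed = (parse_apdu(f) for f in frames)
    return {key for fmt, key in parsed if fmt == "I"}

def inspect(frame, whitelist):
    """Operational phase: return an alert string, or None if allowed."""
    try:
        fmt, key = parse_apdu(frame)
    except ValueError as exc:
        return f"ALERT malformed APDU: {exc}"
    if fmt == "I" and key not in whitelist:
        return "ALERT unlisted type=%d cot=%d ca=%d ioa=%d" % key
    return None

# Constructed sample traffic (not captured from a real system)
LEARNING = [
    build_i_frame(1, 3, 1, 100, b"\x01"),                             # M_SP_NA_1, spontaneous
    build_i_frame(13, 1, 1, 200, struct.pack("<f", 49.9) + b"\x00"),  # M_ME_NC_1, periodic
    bytes([START, 4, 0x43, 0, 0, 0]),                                 # U-format TESTFR act
]
WHITELIST = learn(LEARNING)
COMMAND = build_i_frame(45, 6, 1, 300, b"\x01")  # C_SC_NA_1 activation, never seen in learning
```

Calling `inspect(COMMAND, WHITELIST)` raises an alert because no single command was observed during learning, while the frames in `LEARNING` pass silently.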


Contact Details

Name : Lagineni Mahendra

E-mail Id : rtsg@cdac.in