SCADA Intrusion Detection System

QUB logo

Researcher: Gavin McWilliams

Research Institution: Queen’s University Belfast


Gavin McWilliams from Queen’s University Belfast is seeking industry partners to provide use cases and scenarios for development and testing and to support the delivery of high quality training materials relating to SCADA network security.


• Key components for intrusion detection in SCADA based industrial control systems and critical infrastructures;
• These include a SCADA protocol-specific signature detection rule-set that is compatible with the SNORT IDS tool;
• The SCADA IDS is tailored for IEC-60870-5-104 and includes a comprehensive feature set including:
o Blacklist and whitelist functions at OSI layers 2-4
o Stateful protocol analysis and whitelist functions at the SCADA application layer
o Signatures developed to detect IEC-60870-5-104 misuse or misconfiguration
o DPI analysis of Application Service Data Unit transfers between telecontrol stations
• Research team has significant expertise in SCADA protocols, vulnerability analysis and test-bed development which can be made available as a professional service; and
• The ITACA platform facilitates the rapid development of bespoke traffic treatments and the research team can produce IDS components for a range of additional protocols in the SCADA suite.


• Electric power systems operators who need SCADA network monitoring capabilities;
• SIEM vendors who want to integrate advanced cyber monitoring technologies for the Smart Grid/Industrial Control System marketplace; and
• Control system operators required to retrofit communications monitoring capabilities to legacy systems.


• The SCADA IDS deployed using ITACA provides a flexible and low-cost software platform that enables a range of complementary functions to be integrated into a single IDS platform;
• Custom IDS models and signatures have been developed for IEC-60870 and C37.118 applications; and
• Existing SNORT signature based rules for SCADA protocols, such as DNP3 for example, can be ported to the SCADA IDS platform and enhanced with stateful protocol analysis and anomaly detection functions to provide more comprehensive threat detection capabilities than SNORT based products.


Industry partners are sought, including SCADA equipment manufacturers and industrial control system integrators, to provide use cases and scenarios which can be developed and tested. Industry partners are also sought to support the development and delivery of high quality training materials relating to SCADA network security and to provide ICS equipment donations for the Network Security Lab.

Contact Details:

Email Gavin McWilliams at

Go back to the Academic MarketPlace