Flow whitelisting in SCADA networks

Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four properties of network packets: the client address, the server address, the server-side port, and the transport protocol. The proposed approach consists of learning a flow whitelist by capturing network traffic and aggregating it into flows for a given period of time. After this learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. We demonstrate the applicability of the approach using real-world traffic traces, captured in two water treatment plants and a gas and electric utility.
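The learning phase, the alarm on non-whitelisted flows and the size/stability measures described above, as an added example in Python that is not code from the paper. It assumes traffic has already been aggregated into NetFlow-style client-to-server flow records; the hosts, ports and timestamps in the trace are constructed for illustration.

```python
from collections import namedtuple

# One aggregated flow record; the whitelist keys on exactly the four
# properties the abstract names, so start time is only used for windowing.
Flow = namedtuple("Flow", "ts client server server_port proto")

def flow_key(f):
    return (f.client, f.server, f.server_port, f.proto)

def learn_whitelist(flows, learn_end):
    """Learning phase: every distinct flow seen before learn_end is legitimate."""
    return {flow_key(f) for f in flows if f.ts < learn_end}

def detect(flows, whitelist, learn_end):
    """Detection phase: any flow after learn_end not in the whitelist is an alarm."""
    return [f for f in flows if f.ts >= learn_end and flow_key(f) not in whitelist]

def stability(flows, whitelist, window_start, window_end):
    """Share of distinct flows in a later window already whitelisted (1.0 = fully stable)."""
    keys = {flow_key(f) for f in flows if window_start <= f.ts < window_end}
    return 1.0 if not keys else len(keys & whitelist) / len(keys)

# Constructed trace (seconds since capture start). Learning covers the first hour.
LEARN_END = 3600
TRACE = [
    Flow(10,   "10.0.0.10", "10.0.1.1", 502,   "tcp"),  # HMI polls PLC 1 over Modbus/TCP
    Flow(10,   "10.0.0.10", "10.0.1.2", 502,   "tcp"),  # HMI polls PLC 2
    Flow(30,   "10.0.0.10", "10.0.1.3", 20000, "tcp"),  # HMI polls RTU over DNP3
    Flow(60,   "10.0.1.1",  "10.0.0.5", 123,   "udp"),  # PLC 1 syncs time via NTP
    Flow(3610, "10.0.0.10", "10.0.1.1", 502,   "tcp"),  # same polling after learning: whitelisted
    Flow(3610, "10.0.0.10", "10.0.1.2", 502,   "tcp"),
    Flow(3650, "10.0.0.50", "10.0.1.1", 502,   "tcp"),  # client never seen talking Modbus to PLC 1
    Flow(3700, "10.0.1.2",  "10.0.0.5", 123,   "udp"),  # PLC 2 never used NTP during learning
]

if __name__ == "__main__":
    wl = learn_whitelist(TRACE, LEARN_END)
    print("whitelist size:", len(wl))                  # 4
    for f in detect(TRACE, wl, LEARN_END):
        print("ALARM non-whitelisted flow:", flow_key(f))
    print("stability:", stability(TRACE, wl, LEARN_END, 7200))  # 0.5
```

A whitelist that keeps growing (low stability) after the learning window suggests the window was too short or the environment is not as static as assumed, which is exactly the trade-off the size and stability measures are meant to expose.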
