Case Studies of SCADA Firewall Configurations and the Implications for Best Practices

Firewall configuration is an important activity for any modern-day business. It is a particularly critical task for the supervisory control and data acquisition (SCADA) networks that control power stations, water distribution, factory automation, etc. The lack of automation tools to assist with this critical task has resulted in unoptimised, error-prone configurations that expose these networks to cyber attacks. Automation can make designing firewall configurations more reliable and their deployment increasingly cost-effective. Best practices have been proposed by the industry for developing high-level security policy (e.g., ANSI/ISA 62443-1-1), but these best practices lack specification in several key aspects needed to allow a firewall to be automatically configured. For instance, the standards are vague on how firewall management policies should be captured at a high level using their specifications. In this paper, we uncover these missing pieces and propose extensions. We apply our extended best-practice specification to real-world firewall case studies to achieve multiple objectives: 1) to evaluate the usefulness of the refined best practice in the automated specification of firewalls and 2) to illustrate that, even in simple cases, SCADA networks are often insecure due to their misconfigured firewalls.
