A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks

Industrial Control Systems (ICSs) are essential for process automation and control in critical infrastructures of our modern world, such as smart grids, water distribution and food production. Driven by the trends of Industry 4.0 and the Internet of Things (IoT), these industrial devices will become even more connected in order to provide additional functionality. One example use case is predictive maintenance, where sensor data is required to, e.g., replace defective parts before an outage. While connectivity enables easier and more efficient process management, it also increases the attack surface for cyber-attacks. To operate interconnected ICSs securely, additional protection measures such as asset management should be applied to observe and maintain the assets within a control network. One of the first steps to improve cyber-security with asset management is device identification in ICS networks. A common method for device identification is active network scanning, which adds network traffic to the ICS network. Because ICS networks are commonly segmented with firewalls, scanner nodes are necessary in each sub-network. Distributing active scan nodes typically adds cross connections within segmented ICS networks. In this paper, we introduce a secure scanning architecture for fragile ICS networks. Our architecture is based on scanning nodes that use the concept of hardware-based data diodes to, e.g., separate the critical control network from the office network. To ensure a gentle scan of fragile ICS networks, the scan nodes limit the bandwidth of the scan, reducing the risk of influencing the ICS network. We implemented a Proof of Concept (PoC) system and evaluated it within our industrial testbed to show the feasibility of our architecture.
