论文信息 - A Practical flow white list approach for SCADA systems

A Practical flow white list approach for SCADA systems

The blatant vulnerability of industrial control systems, including those controlling critical infrastructure, is now well known. There is a need for immediately applicable security solutions that do not interfere with normal operations. Intrusion detection through flow white listing is an approach that can detect multiple components of modern attacks such as pivoting and command and control channels. However, the white list approach is not compatible with current black list-based IDS technology. This paper presents a practical approach for implementing flow white listing in SCADA system. The approach extracts a flow white list from a known good packet capture and inverts the decision logic to programmatically generate a rule set that can be consumed by a black list-based IDS. A performance evaluation shows that the approach is viable for SCADA systems, where the number of communication pairs is limited and traffic is mostly deterministic.

José M. Fernandez | Antoine Lemay | Jonathan Rochon

[1] Ulf Lindqvist,et al. Using Model-based Intrusion Detection for SCADA Networks , 2006 .

[2] Béla Genge,et al. A connection pattern-based approach to detect network traffic anomalies in critical infrastructures , 2014, EuroSec '14.

[3] Christos Siaterlis,et al. SPEAR: A Systematic Approach for Connection Pattern-based Anomaly Detection in SCADA Systems , 2014 .

[4] Antoine Lemay,et al. DEFENDING THE SCADA NETWORK CONTROLLING THE ELECTRICAL GRID FROM ADVANCED PERSISTENT THREATS , 2013 .

[5] José M. Fernandez,et al. An isolated virtual cluster for SCADA network security research , 2013, ICS-CSR.

[6] Aiko Pras,et al. Flow whitelisting in SCADA networks , 2013, Int. J. Crit. Infrastructure Prot..

[7] Aiko Pras,et al. A first look into SCADA network traffic , 2012, 2012 IEEE Network Operations and Management Symposium.

[8] Ragnar Schierholz,et al. Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration , 2009, 2009 IEEE Conference on Emerging Technologies & Factory Automation.