Flow whitelisting in SCADA networks

Rafael Ramos Regis Barbosa, Aiko Pras, Ramin Sadre

Research output: Contribution to conference › Paper

    69 Citations (Scopus)
    924 Downloads (Pure)

    Abstract

Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four properties of network packets: the client address, the server address, the server-side port, and the transport protocol. The proposed approach consists of learning a flow whitelist by capturing network traffic and aggregating it into flows for a given period of time. After this learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. We demonstrate the applicability of the approach using real-world traffic traces, captured in two water treatment plants and a gas and electric utility.
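The learning and detection phases described in the abstract, as an added Python illustration that is not the authors' code or data. Packets are aggregated into connections, each connection is mapped onto the 4-tuple (client address, server address, server-side port, transport protocol), every tuple seen during the learning window becomes a whitelist entry, and later connections outside the set raise alarms. The packet records are constructed; the rule used to decide which side is the client when no TCP handshake was captured (sender of the bare SYN, otherwise the lower-numbered port is taken as the server's) is an assumption of this example, not a statement about the paper's method.

```python
"""Flow whitelisting for a SCADA network: learn the legitimate
(client, server, server port, transport) 4-tuples during a learning
phase, then alarm on any connection outside that set.

Added example, not the paper's code. The packet trace below is
constructed and the client/server role heuristic is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the start of the capture
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "tcp" or "udp"
    syn: bool = False
    ack: bool = False


def bare_syn(p):
    """A SYN without ACK is the opening packet of a TCP connection."""
    return p.proto == "tcp" and p.syn and not p.ack


def resolve_roles(p):
    """Return (client_addr, server_addr, server_port) for the connection
    packet p belongs to. The sender of a bare SYN is the client. Without a
    handshake (UDP, or a TCP flow already open when capture began) this
    example assumes the lower-numbered port is the server's (heuristic)."""
    if bare_syn(p) or p.sport > p.dport:
        return p.src, p.dst, p.dport
    return p.dst, p.src, p.sport


def aggregate_flows(packets):
    """Group packets into bidirectional connections and map each onto the
    whitelist 4-tuple. Returns [(first_ts, (client, server, port, proto))]
    sorted by connection start time."""
    conns = {}   # bidirectional 5-tuple -> [first_ts, packet used for roles]
    for p in sorted(packets, key=lambda p: p.ts):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        canon = (min(a, b), max(a, b), p.proto)
        if canon not in conns:
            conns[canon] = [p.ts, p]
        elif bare_syn(p) and not bare_syn(conns[canon][1]):
            conns[canon][1] = p   # prefer the handshake packet for role assignment
    flows = []
    for ts, p in conns.values():
        client, server, port = resolve_roles(p)
        flows.append((ts, (client, server, port, p.proto)))
    return sorted(flows)


def learn_whitelist(packets, learning_window):
    """Learning phase: every connection starting inside the window is trusted."""
    return {key for ts, key in aggregate_flows(packets) if ts < learning_window}


def detect(packets, whitelist, learning_window):
    """Detection phase: alarm on each later connection whose 4-tuple is not
    whitelisted. Client-side ports are not part of the key, so a repeated
    poll from a fresh ephemeral port does not alarm."""
    return [(ts, key) for ts, key in aggregate_flows(packets)
            if ts >= learning_window and key not in whitelist]


def stability(packets, whitelist, start, end):
    """Share of distinct 4-tuples seen in [start, end) already covered by
    the whitelist; 1.0 means no new entries were needed in that window."""
    seen = {key for ts, key in aggregate_flows(packets) if start <= ts < end}
    if not seen:
        return 1.0
    return len(seen & whitelist) / len(seen)


# Constructed trace: an HMI (10.0.1.10) and a historian (10.0.1.20) polling two
# PLCs over Modbus/TCP (port 502); one PLC syncs time over NTP (UDP 123).
SAMPLE = [
    Packet(1.0, "10.0.1.10", "10.0.2.21", 49152, 502, "tcp", syn=True),
    Packet(1.0, "10.0.2.21", "10.0.1.10", 502, 49152, "tcp", syn=True, ack=True),
    Packet(1.1, "10.0.1.10", "10.0.2.21", 49152, 502, "tcp", ack=True),
    Packet(2.0, "10.0.1.10", "10.0.2.22", 49153, 502, "tcp", syn=True),
    Packet(2.0, "10.0.2.22", "10.0.1.10", 502, 49153, "tcp", syn=True, ack=True),
    Packet(5.0, "10.0.2.21", "10.0.1.1", 41000, 123, "udp"),
    Packet(5.0, "10.0.1.1", "10.0.2.21", 123, 41000, "udp"),
    Packet(30.0, "10.0.1.20", "10.0.2.21", 50000, 502, "tcp", syn=True),
    # Connection already open when capture started: only a server->client
    # packet is seen, so the roles come from the port heuristic.
    Packet(40.0, "10.0.2.22", "10.0.1.20", 502, 50100, "tcp", ack=True),
    # After the 600 s learning window:
    Packet(700.0, "10.0.1.10", "10.0.2.21", 49300, 502, "tcp", syn=True),  # known flow, new client port
    Packet(710.0, "10.0.1.50", "10.0.2.21", 51000, 502, "tcp", syn=True),  # unknown client
    Packet(720.0, "10.0.1.10", "10.0.2.21", 49301, 22, "tcp", syn=True),   # known hosts, unknown server port
    Packet(730.0, "10.0.2.21", "10.0.1.1", 41001, 123, "udp"),             # known flow
]

LEARNING_WINDOW = 600.0

if __name__ == "__main__":
    wl = learn_whitelist(SAMPLE, LEARNING_WINDOW)
    print(f"whitelist size: {len(wl)}")
    for ts, key in detect(SAMPLE, wl, LEARNING_WINDOW):
        print(f"ALARM t={ts:.0f}s client={key[0]} server={key[1]}:{key[2]}/{key[3]}")
    print(f"stability 600-800 s: {stability(SAMPLE, wl, 600, 800):.2f}")
```

On the constructed trace the learning phase yields five entries, the detection phase alarms on the new client and on the new server port while the repeated HMI poll and the repeated NTP exchange pass silently, and the stability over the 600-800 s window is 0.5 because two of the four tuples seen there were not yet whitelisted. The two quantities the abstract evaluates, size and stability, are what `len(wl)` and `stability()` report; in practice the length of the learning window decides the trade-off between missing rare legitimate flows (low stability, many false alarms later) and admitting an intrusion that happened during learning.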
Original language: English
Number of pages: 19
Publication status: Published - Mar 2013
Event: 7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013 - Washington, United States
Duration: 18 Mar 2013 to 20 Mar 2013
Conference number: 7

    Conference

Conference: 7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013
Abbreviated title: ICCIP
Country/Territory: United States
City: Washington
Period: 18/03/13 to 20/03/13

    Keywords

    • IR-85833
    • METIS-296406
