Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four properties of network packets: the client address, the server address, the server-side port, and the transport protocol. The proposed approach consists of learning a flow whitelist by capturing network traffic and aggregating it into flows for a given period of time. After this learning phase is complete, any observed connection that is not on the whitelist generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. We demonstrate the applicability of the approach using real-world traffic traces, captured in two water treatment plants and a gas and electric utility.
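The learn-then-alarm procedure described in the abstract, as an added example that is not code from the paper or its authors. It aggregates constructed packet records into flows keyed by the four properties named above (client address, server address, server-side port, transport protocol), whitelists every flow first seen during the learning window, and raises one alarm per non-whitelisted flow afterwards. Two things are assumptions of this example, not statements from the paper: the client is taken to be the sender of the first packet of a conversation, and "stability" is measured here as the share of flows in a later period that were already in the earlier whitelist.

```python
"""Flow whitelisting for a SCADA network: learn a whitelist, then alarm on new flows."""
from collections import namedtuple

# A captured packet (constructed record format; a real deployment would read pcap or NetFlow).
Packet = namedtuple("Packet", "ts src sport dst dport proto")

# A whitelist entry: exactly the four properties the abstract names.
Flow = namedtuple("Flow", "client server server_port proto")


def aggregate_flows(packets):
    """Aggregate packets into flows, returning [(first_seen_ts, Flow)] sorted by time.

    Assumption (not from the paper): the first packet of a bidirectional
    conversation is sent by the client, so its destination is the server and its
    destination port is the server-side port. Later packets of the same
    conversation, in either direction, are ignored.
    """
    conv_seen = set()
    first_seen = {}  # Flow -> timestamp of the first packet that produced it
    for p in sorted(packets, key=lambda p: p.ts):
        conv = (frozenset([(p.src, p.sport), (p.dst, p.dport)]), p.proto)
        if conv in conv_seen:
            continue  # reply or continuation of a conversation we already classified
        conv_seen.add(conv)
        flow = Flow(p.src, p.dst, p.dport, p.proto)
        first_seen.setdefault(flow, p.ts)  # many client ports collapse into one flow
    return sorted((ts, f) for f, ts in first_seen.items())


def learn_and_detect(packets, learning_end):
    """Learning phase up to learning_end, then one alarm per non-whitelisted flow."""
    whitelist = set()
    alarms = []
    for ts, flow in aggregate_flows(packets):  # time-ordered, so learning completes first
        if ts < learning_end:
            whitelist.add(flow)
        elif flow not in whitelist:
            alarms.append((ts, flow))
    return whitelist, alarms


def learn_whitelist(packets, start, end):
    """Whitelist learned from the packets captured in [start, end)."""
    window = [p for p in packets if start <= p.ts < end]
    return {flow for _, flow in aggregate_flows(window)}


def whitelist_stability(old, new):
    """Assumed stability metric: share of the new period's flows already in the old whitelist."""
    return len(old & new) / len(new) if new else 1.0


# Constructed sample capture: an HMI (10.0.0.10) talking Modbus/TCP to a PLC (10.0.0.20),
# to a historian (10.0.0.30) and polling SNMP on 10.0.0.40; learning ends at ts=1000.
SAMPLE_PACKETS = [
    Packet(1, "10.0.0.10", 50001, "10.0.0.20", 502, "tcp"),    # HMI -> PLC (Modbus)
    Packet(2, "10.0.0.20", 502, "10.0.0.10", 50001, "tcp"),    # PLC reply, same conversation
    Packet(5, "10.0.0.10", 50002, "10.0.0.30", 1433, "tcp"),   # HMI -> historian
    Packet(9, "10.0.0.10", 40000, "10.0.0.40", 161, "udp"),    # HMI -> SNMP agent
    Packet(600, "10.0.0.10", 50003, "10.0.0.20", 502, "tcp"),  # second Modbus session, same flow
    Packet(1500, "10.0.0.10", 50004, "10.0.0.20", 502, "tcp"), # after learning: whitelisted
    Packet(1501, "10.0.0.20", 502, "10.0.0.10", 50004, "tcp"),
    Packet(1700, "10.0.0.99", 41000, "10.0.0.20", 502, "tcp"), # unknown client -> PLC: alarm
    Packet(1800, "10.0.0.10", 50005, "10.0.0.20", 22, "tcp"),  # known hosts, new port: alarm
    Packet(1900, "10.0.0.99", 41001, "10.0.0.20", 502, "tcp"), # repeat of alarmed flow: no new alarm
]
LEARNING_END = 1000

if __name__ == "__main__":
    wl, alarms = learn_and_detect(SAMPLE_PACKETS, LEARNING_END)
    print(f"whitelist size: {len(wl)}")
    for ts, flow in alarms:
        print(f"ALARM t={ts}: {flow.client} -> {flow.server}:{flow.server_port}/{flow.proto}")
    later = learn_whitelist(SAMPLE_PACKETS, LEARNING_END, 2000)
    print(f"stability of period 2 vs learned whitelist: {whitelist_stability(wl, later):.2f}")
```

Because `aggregate_flows` keys flows on the server side only, the many ephemeral client ports of a polling HMI collapse into a single whitelist entry, which is what keeps the whitelist small; a flow whose alarm has already fired is not reported again, so an operator sees one alarm per new flow rather than one per connection.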
| Field | Value |
|---|---|
| Number of pages | 19 |
| Publication status | Published - Mar 2013 |
| Event | 7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013 - Washington, United States. Duration: 18 Mar 2013 → 20 Mar 2013. Conference number: 7 |
| Conference | 7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013 |
| Period | 18/03/13 → 20/03/13 |