Flow whitelisting in SCADA networks

Rafael Ramos Regis Barbosa, Ramin Sadre, Aiko Pras

Research output: Contribution to journal › Article › Academic › peer-review


Abstract

Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.
Original language: English
Pages (from-to): 150-158
Number of pages: 9
Journal: International journal of critical infrastructure protection
Volume: 6
Issue number: 3-4
DOI: 10.1016/j.ijcip.2013.08.003
Publication status: Published - Dec 2013
Event: 7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013 - Washington, United States
Duration: 18 Mar 2013 to 20 Mar 2013
Conference number: 7

Fingerprint

  • Supervisory Control
  • Data Acquisition
  • Data acquisition
  • Servers
  • Network protocols
  • Water treatment plants
  • Server
  • Packet networks
  • Traffic
  • Transport Protocol
  • Network Flow
  • Communication Protocol
  • Network Traffic
  • Period of time
  • Interconnection
  • Internet
  • Trace
  • Attack
  • Gases
  • Water

Keywords

  • SCADA systems
  • EWI-24188
  • Network flow whitelisting
  • IR-88493
  • Intrusion Detection
  • METIS-300257

Cite this

Barbosa, Rafael Ramos Regis; Sadre, Ramin; Pras, Aiko. / Flow whitelisting in SCADA networks. In: International journal of critical infrastructure protection. 2013; Vol. 6, No. 3-4. pp. 150-158.
@article{762559e32a3b4633bb7436dc9afdefa9,
title = "Flow whitelisting in SCADA networks",
abstract = "Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.",
keywords = "SCADA systems, EWI-24188, Network flow whitelisting, IR-88493, Intrusion Detection, METIS-300257",
author = "Barbosa, {Rafael Ramos Regis} and Ramin Sadre and Aiko Pras",
note = "Presented at the Seventh Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, 18-20 Mar 2013, Washington D.C., USA",
year = "2013",
month = "12",
doi = "10.1016/j.ijcip.2013.08.003",
language = "English",
volume = "6",
pages = "150--158",
journal = "International journal of critical infrastructure protection",
issn = "1874-5482",
publisher = "Elsevier",
number = "3-4",
}

Flow whitelisting in SCADA networks. / Barbosa, Rafael Ramos Regis; Sadre, Ramin; Pras, Aiko.

In: International journal of critical infrastructure protection, Vol. 6, No. 3-4, 12.2013, p. 150-158.


TY  - JOUR
T1  - Flow whitelisting in SCADA networks
AU  - Barbosa, Rafael Ramos Regis
AU  - Sadre, Ramin
AU  - Pras, Aiko
N1  - Presented at the Seventh Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, 18-20 Mar 2013, Washington D.C., USA
PY  - 2013/12
Y1  - 2013/12
N2  - Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.
AB  - Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.
KW  - SCADA systems
KW  - EWI-24188
KW  - Network flow whitelisting
KW  - IR-88493
KW  - Intrusion Detection
KW  - METIS-300257
U2  - 10.1016/j.ijcip.2013.08.003
DO  - 10.1016/j.ijcip.2013.08.003
M3  - Article
VL  - 6
SP  - 150
EP  - 158
JO  - International journal of critical infrastructure protection
JF  - International journal of critical infrastructure protection
SN  - 1874-5482
IS  - 3-4
ER  -