Flow whitelisting in SCADA networks

Rafael Ramos Regis Barbosa, Ramin Sadre, Aiko Pras

    Research output: Contribution to journalArticleAcademicpeer-review

    96 Downloads (Pure)


    Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.
    Original languageEnglish
    Pages (from-to)150-158
    Number of pages9
    JournalInternational journal of critical infrastructure protection
    Issue number3-4
    Publication statusPublished - Dec 2013
    Event7th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2013 - Washington, United States
    Duration: 18 Mar 201320 Mar 2013
    Conference number: 7


    • SCADA systems
    • EWI-24188
    • Network flow whitelisting
    • IR-88493
    • Intrusion Detection
    • METIS-300257


    Dive into the research topics of 'Flow whitelisting in SCADA networks'. Together they form a unique fingerprint.

    Cite this