Antoine Lemay , Jonathan Rochon , José M. Fernandez
October 2016
4th International Symposium for ICS & SCADA Cyber Security Research 2016 (ICS-CSR)
Cyber Security Research
23 - 25 August 2016
white listing, critical infrastructure protection, SCADA networks.
The blatant vulnerability of industrial control systems, including those controlling critical infrastructure, is now well known. There is a need for immediately applicable security solutions that do not interfere with normal operations. Intrusion detection through flow white listing is an approach that can detect multiple components of modern attacks such as pivoting and command and control channels. However, the white list approach is not compatible with current black listbased IDS technology. This paper presents a practical approach for implementing flow white listing in SCADA system. The approach extracts a flow white list from a known good packet capture and inverts the decision logic to programmatically generate a rule set that can be consumed by a black list-based IDS. A performance evaluation shows that the approach is viable for SCADA systems, where the number of communication pairs is limited and traffic is mostly deterministic.
This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/