A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks

Matthias Niedermaier, Thomas Hanka, Florian Fischer, Dominik Merli

Abstract

Industrial Control Systems (ICSs) are essential for process automation and control in critical infrastructures such as smart grids, water distribution and food production. Driven by Industry 4.0 and the Internet of Things (IoT), these industrial devices will become even more connected in order to provide additional functionality. One example use case is predictive maintenance, where sensor data is collected to replace defective parts before an outage occurs. While connectivity enables easier and more efficient process management, it also increases the attack surface for cyber-attacks. To operate interconnected ICSs securely, additional protection measures such as asset management should be applied to observe and maintain the assets within a control network. One of the first steps towards improving cyber-security through asset management is device identification in ICS networks. A common method for device identification is active network scanning, which adds traffic to the ICS network. Because ICS networks are commonly segmented by firewalls, a scanner node is needed in each sub-network, and distributing active scan nodes typically adds cross connections between the segments. In this paper, we introduce a secure scanning architecture for fragile ICS networks. Our architecture is based on scanning nodes that use the concept of hardware-based data diodes, e.g. to separate the critical control network from the office network. To ensure a gentle scan of fragile ICS networks, the scan node limits the bandwidth of the scan, reducing the risk of interfering with the ICS network. We implemented a Proof of Concept (PoC) system and evaluated it in our industrial testbed to show the feasibility of our architecture.
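The abstract's "bandwidth limitation of the scan" is the part of the architecture a practitioner is most likely to want to reproduce. The following is an added example written for this page, not the authors' PoC code: a token-bucket limiter that caps the bytes per second a scan node may emit into a control segment, run on a virtual clock so the resulting schedule can be inspected offline. The probe list (a TCP SYN sweep of a constructed /24 against the Modbus/TCP and S7comm ports), the 60-byte frame size and the rate and burst figures are all assumptions chosen for illustration.

```python
"""Bandwidth-limited probe scheduling for a gentle ICS scan.

Added example, not the paper's implementation. A token bucket bounds the
sustained rate (bytes/s) and the burst size (bytes) a scan node may emit
into a fragile control network. Scheduling is simulated on a virtual
clock starting at t=0 so the plan can be examined before anything is sent.
Hosts, ports, frame sizes and limits below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TokenBucket:
    """Classic token bucket: `rate_bps` sustained, at most `burst_bytes` at once."""
    rate_bps: float
    burst_bytes: int

    def __post_init__(self) -> None:
        if self.rate_bps <= 0 or self.burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.tokens = float(self.burst_bytes)  # bucket starts full
        self.last = 0.0                        # virtual time of last refill

    def _refill(self, now: float) -> None:
        if now > self.last:
            earned = (now - self.last) * self.rate_bps
            self.tokens = min(float(self.burst_bytes), self.tokens + earned)
            self.last = now

    def wait_for(self, size: int, now: float) -> float:
        """Seconds to wait from `now` before `size` bytes may be sent (0.0 if immediately)."""
        if size > self.burst_bytes:
            # A frame larger than the burst can never be admitted; fail loudly
            # instead of stalling the scan forever.
            raise ValueError(f"frame of {size} B exceeds burst of {self.burst_bytes} B")
        self._refill(now)
        if self.tokens >= size:
            return 0.0
        return (size - self.tokens) / self.rate_bps

    def consume(self, size: int, now: float) -> None:
        self._refill(now)
        self.tokens -= size


Probe = Tuple[str, int, int]        # (target ip, tcp port, frame bytes on the wire)
Sent = Tuple[float, str, int, int]  # (virtual send time, target ip, tcp port, frame bytes)


def schedule_scan(probes: List[Probe], rate_bps: float, burst_bytes: int) -> List[Sent]:
    """Assign each probe a send time under the bandwidth cap, in the given order."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    now = 0.0
    plan: List[Sent] = []
    for target, port, size in probes:
        now += bucket.wait_for(size, now)  # advance the virtual clock until admitted
        bucket.consume(size, now)
        plan.append((now, target, port, size))
    return plan


def max_bytes_in_window(plan: List[Sent], window_s: float) -> int:
    """Largest byte count sent in any half-open window [t, t+window_s) that starts at a send time.

    Used to check the plan against the limit: it can never exceed burst + rate*window.
    """
    best = 0
    for i, (start, _, _, _) in enumerate(plan):
        total = 0
        for t, _, _, size in plan[i:]:
            if t - start >= window_s:
                break
            total += size
        best = max(best, total)
    return best


def syn_sweep(hosts: List[str], ports: List[int], frame_bytes: int = 60) -> List[Probe]:
    """Constructed probe list: one TCP SYN per host/port (60 B is a minimal Ethernet frame)."""
    return [(h, p, frame_bytes) for h in hosts for p in ports]


if __name__ == "__main__":
    hosts = [f"192.168.10.{i}" for i in range(1, 51)]   # constructed segment
    plan = schedule_scan(syn_sweep(hosts, [502, 102]), rate_bps=1000, burst_bytes=1500)
    print(f"{len(plan)} probes, last one at t={plan[-1][0]:.2f}s, "
          f"peak {max_bytes_in_window(plan, 1.0)} B in any 1 s window")
```

With the figures above (1 kB/s sustained, 1.5 kB burst, 100 probes of 60 B) the first 25 probes leave at t=0 and the remaining 75 are spaced 60 ms apart, so the sweep ends at 4.5 s and no one-second window ever carries more than 2.5 kB. In a real scan node the virtual clock becomes a sleep on a monotonic clock, and the limiter should sit on the interface facing the control segment, not on the result path through the data diode.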

Paper Citation


in Harvard Style

Niedermaier M., Hanka T., Fischer F. and Merli D. (2021). A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks. In Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-491-6, pages 347-355. DOI: 10.5220/0010191603470355


in Bibtex Style

@conference{icissp21,
author={Matthias Niedermaier and Thomas Hanka and Florian Fischer and Dominik Merli},
title={A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks},
booktitle={Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2021},
pages={347-355},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010191603470355},
isbn={978-989-758-491-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Secure Network Scanner Architecture for Asset Management in Strongly Segmented ICS Networks
SN - 978-989-758-491-6
AU - Niedermaier M.
AU - Hanka T.
AU - Fischer F.
AU - Merli D.
PY - 2021
SP - 347
EP - 355
DO - 10.5220/0010191603470355