Authors:
Florian Patzer
1
;
Ankush Meshram
2
and
Maximilian Heß
1
Affiliations:
1
Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB), Karlsruhe and Germany
;
2
Vision and Fusion Laboratory (IES), Karlsruhe Institute of Technology (KIT), Karlsruhe and Germany
Keyword(s):
Incident Response, SDN Security, Industrial Control Systems, ICS Security, Software-defined Networking.
Related
Ontology
Subjects/Areas/Topics:
Internet Technology
;
Intrusion Detection and Response
;
Web Information Systems and Technologies
Abstract:
Modern technologies and concepts for Industrial Control Systems (ICS) are evolving towards high flexibility of processes and respectively networks. Such dynamic networks are already functioning well, for example in data centres. This is enabled by application of the Software-defined Networking (SDN) paradigm. For this reason, ICS is currently adopting SDN. The concept of having a centralized view of the network and generating packet forwarding rules to control it enables performing automated responses to network events and classified incidents via SDN. This automation can provide timely and, due to the holistic view of the network, accurate incident response actions. However, availability, safety, real-time and redundancy requirements within the ICS domain restrict the application of such an automated approach. At present, SDN-based incident response (SDN-IR) does not take into consideration these requirements. In this work, we identify possible SND-based response actions to ICS inci
dents and introduce classification of assets and links. Furthermore, we present a concept for SDN-IR where a predefined rule set restricts the response actions based on the asset’s classification thereby satisfying ICS specific requirements. Subsequently, we describe and evaluate a prototype implementation of this concept, built with the open-source SDN platform OpenDaylight and the SDN protocol OpenFlow.
(More)