Authors:
Matthias Niedermaier
;
Thomas Hanka
;
Florian Fischer
and
Dominik Merli
Affiliation:
HSA innos, Hochschule Augsburg University of Applied Sciences, Germany
Keyword(s):
Network, Security, Scanning, ICS, SCADA.
Abstract:
Industrial Control System (ICS) are essential for process automation and control in critical infrastructures, like smart grids, water distribution and also food production, in our modern world. These industrial devices will be even more connected, due to the trend of Industry 4.0 and Internet of Things (IoT), to provide additional functionality. An example for a use case is predictive maintenance, where sensor data is required, to e.g. replace defective parts before outage. While connectivity enables easier and more efficient process management, it also increases the attack surface for cyber-attacks. To provide secure operation for interconnected ICSs additional protection measures, like asset management should be applied, to observe and maintain assets within a control network. One of the first steps to improve cyber-security with asset management is device identification in ICS networks. A common method for device identification is active network scanning, which adds additional net
work traffic to the ICS network. Because of the common segmentation with firewalls of ICS networks, scanner nodes in each sub-network are necessary. The distribution of active scan nodes typically adds additional cross connections within segmented ICS networks. In this paper, we introduce a secure scanning architecture for fragile ICS networks. Our architecture is based on scanning nodes, which use the concept of hardware-based data diodes to e.g. separate the critical control network from the office network. To ensure a gentle scan on fragile ICS networks, the scan node provide a bandwidth limitation of the scan, to reduce risk of influences within ICS networks. We implemented a Proof of Concept (PoC) system and evaluated it within our industrial testbed, to show the feasibility of our architecture.
(More)