Printed from https://ideas.repec.org/a/eee/ijocip/v39y2022ics1874548222000579.html

Feasibility of critical infrastructure protection using network functions for programmable and decoupled ICS policy enforcement over WAN

Authors

  • Baxley, Stuart M.
  • Bastin, Nicholas
  • Gurkan, Deniz
  • Conklin, William Arthur

Abstract

Industrial control systems (ICS) are a major component of critical infrastructure. The growing need for control and monitoring of such systems has increased their connectivity to wide area networks (WAN), exposing aging equipment to rapidly evolving cybersecurity threats. At the same time, ICS traffic for critical monitoring and control functions needs reliability guarantees from the network, yet WAN transport, especially to remote plant sites such as pipelines, energy distribution networks, and transportation, most often provides best-effort delivery with no strict reliability guarantees. Network functions can provide vendor-agnostic, programmable critical infrastructure protection with a single surface for maintenance, policy determination, and reliability assurance. A network function (NF) can enforce policy on the communication between remote entities and the main control office. This paper presents research on transparent NF integration with existing ICS that does not disrupt communications, resulting in minimal downtime while decoupling the fast-paced evolution of defensive security measures from the upgrade cycle of expensive, long-lived hardware. We report measurements of the resource requirements (required queue depth) and network utilization overhead for successful NF insertion under a wide variety of network impairments (packet delay, reordering, and loss). Our paired NF implementation provides a policy enforcement platform extensible to a myriad of cybersecurity-related communication goals, including packet signing for verification, encryption for data privacy, packet filtering, and data diode operation (together protecting against eavesdropping, packet injection, and denial-of-service). Furthermore, bundling communication specifications into packet flows lets the operator apply policies as coarse- or fine-grained as needed.
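The abstract describes a pair of network functions that sign ICS packets at the remote site and verify them at the control office while the WAN reorders and drops traffic. The model below is an added illustration written for this page, not the authors' implementation: it uses HMAC-SHA256 over a sequence number and payload, a sliding anti-replay window in the style of IPsec/DTLS so that reordered packets are still accepted, and a data-diode direction policy. The pre-shared key, the Modbus-like payloads, the impairment pattern and the 32-bit sequence header are all constructed assumptions; the paper's own framing, key management and policy language are not described in the abstract and are not reproduced here.

```python
"""Paired network function (NF) model: the ingress NF at the remote site wraps
each ICS datagram as seq || payload || HMAC tag; the egress NF at the control
office verifies the tag, tolerates WAN reordering within a window, rejects
replays and injected frames, and enforces a data-diode direction policy.
Added example for this page; not the paper's code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

KEY = b"constructed-shared-key"   # assumption: pre-shared key provisioned to both NFs
HDR = struct.Struct("!I")         # 4-byte sequence number, network byte order
TAG_LEN = 32                      # HMAC-SHA256 digest length


def sign(seq, payload, key=KEY):
    """Ingress NF: prepend a sequence number and append an HMAC over both."""
    body = HDR.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class Verifier:
    """Egress NF state. `window` is how far behind the highest accepted
    sequence number a late (reordered) frame may arrive and still be accepted;
    anything older is dropped as stale, anything already seen as a replay."""
    key: bytes = KEY
    window: int = 32
    highest: int = -1
    seen: set = field(default_factory=set)
    drops: dict = field(default_factory=lambda: {
        "bad_tag": 0, "replay": 0, "stale": 0, "direction": 0})

    def verify(self, frame, direction="site_to_office"):
        # Data-diode policy: only site -> office traffic is allowed through.
        if direction != "site_to_office":
            self.drops["direction"] += 1
            return None
        if len(frame) < HDR.size + TAG_LEN:
            self.drops["bad_tag"] += 1
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged or tampered frame
            self.drops["bad_tag"] += 1
            return None
        seq = HDR.unpack_from(body)[0]
        if seq <= self.highest - self.window:         # too late to be trusted
            self.drops["stale"] += 1
            return None
        if seq in self.seen:                          # replayed frame
            self.drops["replay"] += 1
            return None
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Forget sequence numbers that have fallen out of the window.
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body[HDR.size:]


def run_demo(window=32):
    """Push constructed ICS frames through a constructed WAN impairment pattern
    and return (accepted payloads in arrival order, drop counters)."""
    payloads = [b"modbus-read-%d" % i for i in range(6)]   # constructed sample data
    frames = [sign(i, p) for i, p in enumerate(payloads)]
    # Impairments (constructed): frame 2 lost, frames 3 and 4 swapped,
    # frame 1 replayed by an attacker, and an unsigned forged write injected.
    forged = HDR.pack(7) + b"modbus-write-coil" + b"\x00" * TAG_LEN
    wire = [frames[0], frames[1], frames[4], frames[3], frames[1], forged, frames[5]]
    v = Verifier(window=window)
    accepted = [p for f in wire if (p := v.verify(f)) is not None]
    # A correctly signed frame in the forbidden direction is still dropped.
    v.verify(sign(0, b"office-to-site"), direction="office_to_site")
    return accepted, v.drops


if __name__ == "__main__":
    print(run_demo())
```

With the default window the swapped frames 3 and 4 are both delivered in arrival order, while the replay, the forged frame and the reverse-direction frame are dropped. With `window=1` the reordered frame 3 is dropped as stale and the replay is also classified as stale rather than replay, which is the trade-off the abstract's reordering impairment exposes: the anti-replay window (and the queue depth that backs it) must be sized to the reorder distance the WAN actually produces, or the NF will discard legitimate control traffic.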

Suggested Citation

  • Baxley, Stuart M. & Bastin, Nicholas & Gurkan, Deniz & Conklin, William Arthur, 2022. "Feasibility of critical infrastructure protection using network functions for programmable and decoupled ICS policy enforcement over WAN," International Journal of Critical Infrastructure Protection, Elsevier, vol. 39(C).
  • Handle: RePEc:eee:ijocip:v:39:y:2022:i:c:s1874548222000579
    DOI: 10.1016/j.ijcip.2022.100573

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1874548222000579
    Download Restriction: Full text for ScienceDirect subscribers only


    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. CHERIFI, Tarek & HAMAMI, Lamia, 2018. "A practical implementation of unconditional security for the IEC 60780-5-101 SCADA protocol," International Journal of Critical Infrastructure Protection, Elsevier, vol. 20(C), pages 68-84.
    2. Yadav, Geeta & Paul, Kolin, 2021. "Architecture and security of SCADA systems: A review," International Journal of Critical Infrastructure Protection, Elsevier, vol. 34(C).
    3. Jie, Xinchun & Wang, Haikuan & Fei, Minrui & Du, Dajun & Sun, Qing & Yang, T.C., 2018. "Anomaly behavior detection and reliability assessment of control systems based on association rules," International Journal of Critical Infrastructure Protection, Elsevier, vol. 22(C), pages 90-99.