
Context-Aware Software-Defined Networking for Automated Incident Response in Industrial Networks

  • Conference paper
  • Information Systems Security and Privacy (ICISSP 2019)

Abstract

As processes in modern plants become more flexible, the networks that serve them must become more flexible as well. Such dynamic networks already perform well in, for example, data centres, where they are built on the Software-Defined Networking (SDN) paradigm. Because SDN has established itself in flexible, high-performance environments, it is now being introduced into industrial networks too. SDN adds a centralized view of, and centralized control over, these networks, which makes automated responses to network events possible. Such network events can be classified as incidents to which SDN can provide timely and, thanks to its holistic view of the network, appropriate automated incident response, such as immediate containment, monitoring or switching to redundant resources. However, industrial networks typically carry a high proportion of availability-, safety- and time-critical communication, which limits the scope for action of such an automated approach. Existing SDN-based incident response (SDN-IR) does not yet take these limitations into account, which prevents its application to industrial networks.

This article identifies possible response actions to industrial network incidents. Furthermore, it presents a concept for SDN-IR in which a predefined rule set restricts the response actions based on asset and link classification. In this way, SDN-IR is able to satisfy the aforementioned requirements of industrial networks. In addition, the article describes a prototype of this concept and its evaluation, elucidates the perspective of a device security status in the SDN-IR context and discusses security issues of the concept.
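The core idea of the concept, a rule set that restricts the controller's response actions according to asset and link classification, can be sketched as a small policy filter. The following is an added example written for this summary, not the authors' prototype; the criticality classes, the permitted-action table, the preference order and the sample links are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    NONE = "none"
    AVAILABILITY = "availability"  # asset/link must stay reachable
    TIME = "time"                  # needs deterministic latency
    SAFETY = "safety"              # protects the physical process


class Action(Enum):
    CONTAIN = "contain"        # drop the asset's flows on the switch
    MONITOR = "monitor"        # mirror its traffic to an analysis port
    REDUNDANCY = "redundancy"  # reroute over a redundant link


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    criticality: Criticality
    has_redundant_path: bool = False


# Assumed rule set (constructed for this example, not the paper's own):
# per classification, the actions the controller may apply. The same
# table is consulted for the asset and for the link the incident involves.
RULES = {
    Criticality.NONE: {Action.CONTAIN, Action.MONITOR, Action.REDUNDANCY},
    Criticality.AVAILABILITY: {Action.MONITOR, Action.REDUNDANCY},
    Criticality.TIME: {Action.MONITOR, Action.REDUNDANCY},
    Criticality.SAFETY: {Action.MONITOR},  # never isolate a safety asset
}
PREFERENCE = (Action.CONTAIN, Action.REDUNDANCY, Action.MONITOR)


def permitted_actions(asset_class: Criticality, link: Link) -> set[Action]:
    """Intersect asset and link permissions; rerouting additionally
    requires that a redundant path actually exists."""
    allowed = RULES[asset_class] & RULES[link.criticality]  # new set
    if not link.has_redundant_path:
        allowed.discard(Action.REDUNDANCY)
    return allowed


def choose_response(asset_class: Criticality, link: Link) -> Action | None:
    """Most aggressive permitted action; None means escalate to an operator."""
    allowed = permitted_actions(asset_class, link)
    return next((a for a in PREFERENCE if a in allowed), None)
```

With these rules a safety-critical PLC is only ever monitored, while an uncritical engineering workstation on an uncritical link may be contained outright.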



Corresponding author: Florian Patzer.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Patzer, F., Lüdtke, P., Meshram, A., Beyerer, J. (2020). Context-Aware Software-Defined Networking for Automated Incident Response in Industrial Networks. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2019. Communications in Computer and Information Science, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-49443-8_7


  • DOI: https://doi.org/10.1007/978-3-030-49443-8_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-49442-1

  • Online ISBN: 978-3-030-49443-8

  • eBook Packages: Computer Science (R0)
