Nils Ole Tippenhauer
Binbin Chen
ABSTRACT
Bump-in-the-wire (bump) devices can be used to protect critical endpoints in Industrial Control System (ICS) networks. However, bump devices cannot be used to authenticate incoming broadcast traffic, are complex to manage, and one bump is needed per host.
In this work, we propose a virtual bump-like solution called vBump, which allows to insert virtual bumps in front of Ethernet-based legacy ICS devices. The vBumps can be used to limit traffic to whitelisted destinations, inspect all traffic on or above Link-layer like a centralized intrusion detection systems (or monitoring systems), or even police the traffic like a centralized intrusion prevention systems. In particular, this also allows the network to apply fine-grained control on traffic between nodes that need to be in the same Link-layer broadcast domain. Compared to traditional bumps, vBumps do not require any changes in physical network topology, and the central server's global view allows for more informed decision, with less computational constraints. We implement the system in a high-fidelity ICS testbed, and demonstrate its capabilities to support even time-critical protection control traffic in smart grids. Our system can handle traffic rates of 150Mbps with one-way delay of ~1ms.
- "Russian hackers reach u.s. utility control rooms, homeland security officials say," 2017. [Online]. Available: https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110Google Scholar
- D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. M. Zanchettin, and S. Zanero, "An experimental security analysis of an industrial robot controller," in Proceedings of the IEEE Symposium on Security and Privacy (SP), vol. 00, May 2017, pp. 268--286. [Online]. Available: doi.ieeecomputersociety.org/10.1109/SP.2017.20Google Scholar
- S. Kent and K. Seo, "Rfc 4301: Security architecture for the internet protocol," 2005.Google ScholarDigital Library
- D. Žagar, K. Grgić, and S. Rimac-Drlje, "Security aspects in ipv6 networks--implementation and testing," Computers & Electrical Engineering, vol. 33, no. 5--6, pp. 425--437, 2007.Google Scholar
- B. L. Chappell, D. T. Marlow, P. M. Irey, and K. O'Donoghue, "An approach for measuring ip security performance in a distributed environment," in Proceedings of the Workshops Held in Conjunction with the Parallel Processing Symposium and Symposium on Parallel and Distributed Processing. Springer Berlin Heidelberg, 1999, pp. 389--394.Google Scholar
- D. Mashima, P. Gunathilaka, and B. Chen, "Artificial command delaying for secure substation remote control: Design and implementation," IEEE Transactions on Smart Grid, vol. 10, no. 1, pp. 471--482, Jan 2019.Google ScholarCross Ref
- R. Mackiewicz, "Overview of iec 61850 and benefits," in Power Systems Conference and Exposition, 2006. PSCE'06. 2006 IEEE PES. IEEE, 2006, pp. 623--630.Google ScholarCross Ref
- IEEE Power and Energy Society, "IEEE Standard Communication Delivery Time Performance Requirements for Electric Power Substation Automation," 2004.Google Scholar
- J. Hong, Y. Chen, C.-C. Liu, and M. Govindarasu, Cyber-Physical Security Testbed for Substations in a Power Grid. Springer Berlin Heidelberg, 2015, pp. 261--301.Google Scholar
- IEC TC57, "IEC 61850-90-2 TR: Communication networks and systems for power utility automation -- part 90-2: Using iec 61850 for the communication between substations and control centres," International Electro technical Commission Std, 2015.Google Scholar
- D. Mashima, B. Chen, P. Gunathilaka, and E. L. Tjiong, "Towards a grid-wide, high-fidelity electrical substation honeynet," in Proceedings of the Conference on Smart Grid Communications (SmartGridComm). IEEE, 2017, pp. 89--95.Google Scholar
- M. El Hariri, T. Youssef, and O. Mohammed, "On the implementation of the iec 61850 standard: Will different manufacturer devices behave similarly under identical conditions?" Electronics, vol. 5, no. 4, p. 85, 2016.Google ScholarCross Ref
- P. P. Biswas, H. C. Tan, Q. Zhu, Y. Li, D. Mashima, and B. Chen, "A synthesized dataset for cybersecurity study of iec 61850 based substation," in Proceedings of Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). IEEE, 2019.Google Scholar
- M. Cheminod, L. Durante, M. Maggiora, A. Valenzano, and C. Zunino, "Performance of firewalls for industrial applications," in Proceedings of the Symposium for ICS & SCADA Cyber Security Research (ICS-CSR), Aug. 2016.Google Scholar
- C. Jaggi, "Layer 2 encryptors for metro and carrier ethernet wans and mans," 2017.Google Scholar
- D. Mashima, B. Chen, T. Zhou, R. Rajendran, and B. Sikdar, "Securing substations through command authentication using on-the-fly simulation of power system dynamics," in Proceedings of the Conference on Smart Grid Communications (SmartGridComm). IEEE, 2018.Google Scholar
- E. Esiner, D. Mashima, B. Chen, Z. Kalbarczyk, and D. Nicol, "F-pro: a fast and flexible provenance-aware message authentication scheme for smart grid," in 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm). IEEE, 2019, pp. 1--7.Google Scholar
- F. Cleveland, "IEC TC57 WG15: IEC 62351 security standards for the power system information infrastructure," White Paper, 2012.Google Scholar
- "Crashoverride malware," [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA17-163A, 2017, (Date last accessed on Feb. 4, 2019).Google Scholar
- D. Urbina, J. Giraldo, N. O. Tippenhauer, and A. Cárdenas, "Attacking fieldbus communications in ICS: Applications to the SWaT testbed," in Proceedings of Singapore Cyber Security Conference (SG-CRC), January 2016.Google Scholar
- R. Farrow, "VLAN insecurity, Mar. 2003. [Online]. Available: http://rikfarrow.com/Network/net0103.htmlGoogle Scholar
- S. Convery, "Hacking layer 2: Fun with ethernet switches," Blackhat [Online Document], 2002.Google Scholar
- T. Kiravuo, M. Sarela, and J. Manner, "A survey of ethernet lan security," IEEE Communications Surveys & Tutorials, vol. 15, no. 3, pp. 1477--1491, 2013.Google ScholarCross Ref
- U. Carmo, D. H. Sadok, and J. Kelner, "Iec 61850 traffic analysis in electrical automation networks," in Smart Grid Communications (SmartGridComm), 2015 IEEE International Conference on. IEEE, 2015, pp. 466--471.Google Scholar
- J. Zhang and C. A. Gunter, "Application-aware secure multicast for power grid communications," International Journal of Security and Networks, vol. 6, no. 1, pp. 40--52, 2011.Google ScholarDigital Library
- Netfilter Coreteam, "Ebtables: a filtering tool for a linux-based bridging firewall," 2018. [Online]. Available: http://ebtables.netfilter.orgGoogle Scholar
- B. Pfaff, J. Pettit, T. Koponen, E. J. Jackson, A. Zhou, J. Rajahalme, J. Gross, A. Wang, J. Stringer, P. Shelar et al., "The design and implementation of open vswitch," in Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2015.Google Scholar
- J. McCauley, "The pox network software platform," 2015. [Online]. Available: https://github.com/noxrepo/poxGoogle Scholar
- "GOOSE protocol parser for Zeek IDS," 2020. [Online]. Available: https://github.com/smartgridadsc/Goose-protocol-parser-for-ZeekGoogle Scholar
- S. HomChaudhuri and M. Foschiano, "Cisco systems' private vlans: Scalable security in a multi-client environment (rfc 5517)," Tech. Rep., 2010.Google Scholar
- T. M. Breslin, D. Kucharczyk, and J. A. Hinshaw, "Method, apparatus and system for inserting a vlan tag into a captured data packet," Sep. 9 2014, uS Patent 8,832,222.Google Scholar
- S. A. Naiksatam, K. Jiang, G. M. Maier, S. Ramasubramanian, S. D. Modi, R. W. Sherwood, M. S. Dhami, and M. Cohen, "Systems and methods for performing network service insertion," Jan. 17 2017, uS Patent 9,548,896.Google Scholar
- H. Li, H. Hu, G. Gu, G.-J. Ahn, and F. Zhang, "vnids: Towards elastic security with safe and efficient virtualization of network intrusion detection systems," in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2018, pp. 17--34.Google Scholar
- S. K. Fayaz, Y. Tobioka, V. Sekar, and M. Bailey, "Bohatei: Flexible and elastic ddos defense." in USENIX Security Symposium, 2015, pp. 817--832.Google Scholar
- R. Kumar, M. Hasan, S. Padhy, K. Evchenko, L. Piramanayagam, S. Mohan, and R. B. Bobba, "End-to-end network delay guarantees for real-time systems using sdn," in Proceedings of the Real-Time Systems Symposium (RTSS). IEEE, 2017, pp. 231--242.Google Scholar
- X. Dong, H. Lin, R. Tan, R. K. Iyer, and Z. Kalbarczyk, "Software-defined networking for smart grid resilience: Opportunities and challenges," in Proceedings of the ACM Workshop on Cyber-Physical System Security (CPSS). ACM, 2015, pp. 61--68.Google Scholar
Index Terms
- vBump: Securing Ethernet-based Industrial Control System Networks with VLAN-based Traffic Aggregation
Recommendations
A Distributed IDS for Industrial Control Systems
Cyber-threats are one of the most significant problems faced by modern Industrial Control Systems ICS, such as SCADA Supervisory Control and Data Acquisition systems, as the vulnerabilities of ICS technology become serious threats that can ultimately ...
A Novel IDS Securing Industrial Control System of Critical Infrastructure Using Deception Technology
The Industrial Control System (ICS) has become the key concept in the modern industrial world, enabling process monitoring and system control for general industrial systems and critical infrastructures. High-skilled hackers can invade an imperfect ...
A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems
HICSS '12: Proceedings of the 2012 45th Hawaii International Conference on System SciencesMODBUS RTU/ASCII Snort is software to retrofit serial based industrial control systems to add Snort intrusion detection and intrusion prevention capabilities. This article discusses the need for such a system by describing 4 classes of intrusion ...
Comments