Biblio

Many critical industrial control systems integrate a mixture of state-of-the-art and legacy equipment. Legacy installations lack advanced, and often even basic security features, risking entire system security. Existing research primarily focuses on the development of secure protocols for emerging devices or protocol translation proxies for legacy equipment. However, a robust security framework not only needs encryption but also mechanisms to prevent reconnaissance and unauthorized access to industrial devices. This paper proposes a novel Edge Security Gateway (ESG) that provides both, communication and endpoint security. The ESG is based on double ratchet algorithm and encrypts every message with a different key. It manages the ongoing renewal of short-lived session keys and provides localized firewall protection to individual devices. The ESG is easily customizable for a wide range of industrial application. As a use case, this paper presents the design and validation for synchrophasor technology in smart grid. The ESG effectiveness is practically validated in detecting reconnaissance, manipulation, replay, and command injection attacks due to its perfect forward and backward secrecy properties.

Traditional firewalls, Intrusion Detection Systems(IDS) and network analytics tools extensively use the `flow' connection concept, consisting of five `tuples' of source and destination IP, ports and protocol type, for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP fields and packet content to give an understanding of what is being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, particularly from ``always on'' IoT devices and video and data streaming, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the concept of the 5 tuple flow in isolation is unable to detect such threats and malicious behaviours. This is due to factors such as the length of time and data required to understand the network traffic behaviour, which cannot be accomplished by observing a single connection. To alleviate this issue, this paper proposes the use of additional, two tuple and single tuple flow types to associate multiple 5 tuple communications, with generated metadata used to profile individual connnection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture as to what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed to detect the presence of a multi-peered ZeuS botnet, which communicates by making multiple connections with multiple hosts, thus undetectable to standard IDS systems observing 5 tuple flow types in isolation. Finally, as the solution is rule based, this implementation operates in realtime and does not require post-processing and analytics of other research solutions. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.