ICS/SCADA Device Recognition: A Hybrid Communication-Patterns and Passive-Fingerprinting Approach

Title: ICS/SCADA Device Recognition: A Hybrid Communication-Patterns and Passive-Fingerprinting Approach
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Al Ghazo, Alaa T.; Kumar, Ratnesh
Conference Name: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)
Keywords: compositionality, computerised monitoring, Cyber-physical systems, Databases, defense augmentation, Device recognition, Documentation, Human Behavior, hybrid communication-patterns, ICS/SCADA device recognition, industrial control, industrial control system, industrial control systems, Internet of Things, legacy ICS/SCADA systems, mobile computing, network data fingerprinting, Object recognition, passive-fingerprinting, production engineering computing, Protocols, pubcrawl, python, Resiliency, SCADA fingerprinting, SCADA systems, SCADA Systems Security, security, security of data, security vulnerabilities, software maintenance, supervisory control and data acquisition systems, TCPIP
Abstract: Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are the backbones for monitoring and supervising factories, power grids, water distribution systems, nuclear plants, and other critical infrastructures. These systems are installed by third-party contractors, maintained by site engineers, and operate for a long time. This makes tracing the documentation of the systems' changes and updates challenging, since some of their components' information (type, manufacturer, model, etc.) may not be up to date, leading to possibly unaccounted-for security vulnerabilities in the systems. Device recognition is a useful first step in vulnerability identification and defense augmentation, but due to the lack of full traceability in the case of legacy ICS/SCADA systems, the typical device recognition based on document inspection is not applicable. In this paper, we propose a hybrid approach involving a mix of communication patterns and passive fingerprinting to identify the unknown devices' types, manufacturers, and models. The algorithm uses the ICS/SCADA devices' communication patterns to recognize the control hierarchy levels of the devices. In conjunction, certain distinguishable features in the communication packets are used to recognize the device manufacturer and model. We have implemented this hybrid approach in Python and tested it on traffic data from a water treatment SCADA testbed in Singapore (iTrust).
Citation Key: al_ghazo_icsscada_2019