Passive Fingerprinting of SCADA in Critical Infrastructure Network without Deep Packet Inspection
Sungho Jeon, Jeong-Han Yun, Seungoh Choi, Woo-Nyon Kim

TL;DR
This paper introduces a novel passive fingerprinting technique for SCADA networks that does not require Deep Packet Inspection, accurately identifying network components in real environments using intrinsic protocol characteristics.
Contribution
The paper presents the first DPI-free passive fingerprinting method for SCADA networks that effectively identifies protocol ports, field devices, and master servers in real-world settings.
Findings
High F-score nearly 1 in real environment tests
Effective identification of SCADA components without DPI
Practical applicability demonstrated in critical infrastructure networks
Abstract
We present the first passive fingerprinting technique for Supervisory Control And Data Acquisition (SCADA) networks that does not require Deep Packet Inspection (DPI), together with our experience applying it in a real environment. Unlike existing work, our method relies neither on the functions of a specific product nor on DPI of the SCADA protocol. Our inference method, based on the intrinsic characteristics of SCADA, first identifies the network port used for the SCADA protocol, then successively infers the field devices and the master server. We evaluated the effectiveness of the method using two network traces collected from a real environment, covering a month and a half and three days, respectively, from two different critical infrastructures (CIs). The evaluation confirmed that our method captures most SCADA components with an F-score of nearly 1, except for HMIs connected to the master server, and demonstrated the practical applicability of the method.
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Smart Grid Security and Resilience · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
