Software Enabled Security Architecture for Counteracting Attacks in Control Systems

TL;DR

This paper presents a software-defined networking and network function virtualization based security architecture designed to protect industrial control systems from specific cyber attacks, ensuring safety and operational continuity.

Contribution

It introduces a novel SDN/NFV-enabled security framework and a Control System Security Application tailored for ICS, addressing vulnerabilities from legacy devices and denial of service attacks.

Findings

Prototype implementation demonstrates effective attack mitigation.

Enhanced security for legacy ICS components.

Improved resilience against denial of service attacks.

Abstract

Increasingly Industrial Control Systems (ICS) systems are being connected to the Internet to minimise the operational costs and provide additional flexibility. These control systems such as the ones used in power grids, manufacturing and utilities operate continually and have long lifespans measured in decades rather than years as in the case of IT systems. Such industrial control systems require uninterrupted and safe operation. However, they can be vulnerable to a variety of attacks, as successful attacks on critical control infrastructures could have devastating consequences to the safety of human lives as well as a nation's security and prosperity. Furthermore, there can be a range of attacks that can target ICS and it is not easy to secure these systems against all known attacks let alone unknown ones. In this paper, we propose a software enabled security architecture using Software Defined Networking (SDN) and Network Function Virtualisation (NFV) that can enhance the capability to secure industrial control systems. We have designed such an SDN/NFV enabled security architecture and developed a Control System Security Application (CSSA) in SDN Controller for enhancing security in ICS against certain specific attacks namely denial of service attacks, from unpatched vulnerable control system components and securing the communication flows from the legacy devices that do not support any security functionality. In this paper, we discuss the prototype implementation of the proposed architecture and the results obtained from our analysis.