Case Studies of SCADA Firewall Configurations and the Implications for Best Practices


Abstract:

Firewall configuration is an important activity for any modern-day business. It is a particularly critical task for the supervisory control and data acquisition (SCADA) networks that control power stations, water distribution, factory automation, etc. The lack of automation tools to assist with this critical task has resulted in unoptimised, error-prone configurations that expose these networks to cyber attacks. Automation can make the design of firewall configurations more reliable and their deployment more cost-effective. Best practices have been proposed by industry for developing high-level security policy (e.g., ANSI/ISA 62443-1-1), but these best practices lack specification in several key aspects needed to allow a firewall to be configured automatically. For instance, the standards are vague on how firewall management policies should be captured at a high level using their specifications. In this paper, we uncover these missing pieces and propose extensions. We apply our extended best-practice specification to real-world firewall case studies to achieve multiple objectives: 1) to evaluate the usefulness of the refined best practices in the automated specification of firewalls, and 2) to illustrate that even in simple cases, SCADA networks are often insecure due to their misconfigured firewalls.
Published in: IEEE Transactions on Network and Service Management ( Volume: 13, Issue: 4, December 2016)
Page(s): 871 - 884
Date of Publication: 02 August 2016

Authors:

Dinesha Ranathunga (University of Adelaide, Adelaide, SA, Australia)
Dinesha Ranathunga received the bachelor's degree in computer systems engineering from the University of Adelaide, Australia, in 2003, where he is currently pursuing the Ph.D. degree in applied mathematics with the School of Mathematical Sciences. His research interests include SCADA network security, firewall autoconfiguration, policy-based network management, and software defined networking.

Matthew Roughan (University of Adelaide, Adelaide, SA, Australia)
Matthew Roughan received the Ph.D. degree in applied mathematics from the University of Adelaide in 1994. He has worked for the Co-Operative Research Centre for Sensor Signal and Information Processing, in conjunction with DSTO, at the Software Engineering Research Centre, RMIT, and the University of Melbourne, in conjunction with Ericsson, and at AT&T Shannon Research Labs, USA. He is with the School of Mathematical Sciences, University of Adelaide, SA. His research interests range from stochastic modeling to measurement and management of networks like the Internet. He has authored over 100 refereed publications and half a dozen patents, and has managed over a million dollars worth of projects. He and his coauthors were recipients of the 2013 Sigmetrics Test of Time Award, and his work has been featured in New Scientist and other popular press.

Hung Nguyen (University of Adelaide, Adelaide, SA, Australia)
Hung Nguyen received the Ph.D. degree in computer and communication sciences from the Swiss Federal Institute of Technology, Lausanne, Switzerland. He joined the Teletraffic Research Centre, University of Adelaide in 2012. His research interests include software defined networking, 5G, network measurements, tomography, and privacy preserving techniques. He has published over 40 refereed papers on the above areas.

Phil Kernick (CQR Consulting, Unley, Australia)
Phil Kernick received the B.Eng. (Elec.) degree from the University of South Australia in 1988 and the B.Sc. (Hons.) degree from Flinders University in 1996. He is the Co-Founder of CQR Consulting, the largest independent information security consultancy in Australia. He has presented at all major SCADA security conferences in Australia. His research interest is in SCADA security.

Nickolas Falkner (University of Adelaide, Adelaide, SA, Australia)
Nickolas Falkner received the Ph.D. degree in discovery and classification of information in large systems from the University of Adelaide, where he is a Senior Lecturer with the School of Computer Science. His research interests include automated network configuration, applications of cryptography, and data stream management. He is also active in educational research, with a focus on increasing student participation, retention, and enthusiasm.
