Abstract
The integration of IT and OT blurs the concept of a "network perimeter", which increases the attack surface of industrial control systems (ICS). Zero trust architecture (ZTA) has emerged as an alternative network security model for protecting enterprise networks, and the software-defined perimeter (SDP) is one concrete implementation of the ZTA concept. In this paper, a security framework for ICS based on SDP, SDPICS, is proposed. In contrast with security policies built on the perimeter-defense model, SDPICS grants no implicit trust to any user or device on the basis of its location in the network. Because existing ICS simulation platforms do not support the SDP concept, this paper extends the network simulation tool Mininet into a new ICS simulation platform, MiniICS, that supports the SDPICS framework; simulation modules for the ICS and SDP components are implemented in MiniICS. Finally, SDPICS is evaluated in MiniICS by performing popular attacks such as DDoS. The experimental results demonstrate the reliability and availability of the proposed security framework.
Ethics declarations
The authors declare that they have no conflicts of interest.
Cite this article
Xian Guo, Xue, Y., Feng, T. et al. Simulation Implementation and Verification of a Security Framework for ICS Based on SPD. Aut. Control Comp. Sci. 57, 37–47 (2023). https://doi.org/10.3103/S0146411623010042