Network Analysis of Reconnaissance and Intrusion of an Industrial Control System

Abstract : This report describes the results of an experiment assessing 5 security configurations in order to increase the amount of security for an industrial control system (ICS). The first objective was to evaluate how network topology affects the information learned by an attacker to conduct passive reconnaissance of an ICS. The second objective was to identify useful methods to detect network intrusion. The testbed experiment demonstrated that network segregation and technical controls can reduce the attack surface of an ICS network. The experiment also revealed that whitelisting techniques can detect an attacker since ICS network hosts rarely change. In addition, we describe general methods for characterizing baseline Modbus traffic that could be used for detecting anomalous ICS traffic from an attacker.