Accession Number:

AD1016413

Title:

Network Analysis of Reconnaissance and Intrusion of an Industrial Control System

Descriptive Note:

Technical Report,01 Jul 2014,30 Jun 2016

Corporate Author:

Computational and Information Sciences Directorate, US Army Research Laboratory Adelphi United States

Personal Author(s):

• Sullivan,Daniel T
• Colbert,Edward J

Report Date:

2016-09-01

Pagination or Media Count:

66.0

Abstract:

This report describes the results of an experiment assessing 5 security configurations in order to increase the amount of security for an industrial control system ICS. The first objective was to evaluate how network topology affects the information learned by an attacker to conduct passive reconnaissance of an ICS. The second objective was to identify useful methods to detect network intrusion. The testbed experiment demonstrated that network segregation and technical controls can reduce the attack surface of an ICS network. The experiment also revealed that whitelisting techniques can detect an attacker since ICS network hosts rarely change. In addition, we describe general methods for characterizing baseline Modbus traffic that could be used for detecting anomalous ICS traffic from an attacker.

Descriptors:

• web browsers
• computer network security
• network protocols
• control systems
• data acquisition
• network topology
• local area networks
• operating systems (computers)
• intrusion detection (computers)

Subject Categories:

Distribution Statement:

APPROVED FOR PUBLIC RELEASE