SUPERVISORY Control and Data Acquisition (SCADA) networks control the distributed assets of many industrial systems. Power generation, water distribution and factory automation are just a few examples that illustrate the critical nature of these networks. SCADA devices are built for reliability, but often lack built-in security features to guard them from cyber-attacks. Consequently, these devices depend on firewalls for protection. Hence, firewalls are integral to SCADA networks control the distributed assets of many industrial systems. Power generation, water distribution and factory automation are just a few examples that illustrate the critical nature of these networks. SCADA devices are built for reliability, but often lack built-in security features to guard them from cyber-attacks. Consequently, these devices depend on firewalls for protection. Hence, firewalls are integral to the safe and reliable operation of SCADA networks. Firewall configuration is an important activity for any modern day business. It is particularly a critical task for the SCADA networks that control power stations, water distribution, factory automation, etc. Lack of automation tools to assist with this critical task has resulted in un-optimized, error prone configurations that expose these networks to cyber-attacks. Automation can make designing firewall configurations more reliable and their deployment increasingly cost-effective. In order to increase the security in firewall we are providing extra automation that would help to detect the packet level conflicts such DoS.

SCADA network security, Zone-Conduit model,firewall autoconfiguration, security policy, SCADA best practices, IP Fragmentation, Port Fragmentation

[1] Dinesha Ranathunga, Mathew Roughan: Case Studies of SCADA Firewall Configurations and the Implications for Best Practices. IEEE Transactions on Network and service manaagement, Dec 2016
[2] ANSI/ISA-62443-1-1. Security for industrial
automation and control systems part 1-1:
Terminology, concepts, and models, 2007.
[3] Y. Bartal, A. Mayer, K. Nissim, and A. Wool.
Firmato: A novel firewall management toolkit. ACM Transactions on Computer Systems (TOCS),
22(4):381–420, 2004.
[4] S. Bellovin and R. Bush. Configuration management
and security. IEEE Journal on Selected Areas in
Communications, 27(3):268–274, 2009.
[5] J.D. Guttman: Filtering postures: local enforcement for global policies. In IEEE Symposium on Security and Privacy, pages 120-129, 1997
[6] Ondrej Rysavy, Jaroslav Rab, Microslav Sveda: Improving security in SCADA systems through firewall policy analysis Federated Conference on Computer Science and Information Systems March 2013
[7] Khaled Salah, Khalid Elbadawi, Raouf Boutaba: Performance Modelling and Analysis of Network Firewalls, IEEE Transactions on Network and Service Management ( Volume: 9, Issue: 1, March 2012 )
[8] Avishal Wool: Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese, IEEE Internet Computing 14(4):58 - 65 • September 2010
[9] S. Bellovin and R. Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, 2009.
[10] E. Byres. Using ANSI/ISA-99 standards to improve control system security. White paper, Tofino Security, May 2012.
[11] E. Byres, J. Karsch, and J. Carter. NISCC good practice guide on firewall deployment for SCADA and process control networks. National Infrastructure Security Co-Ordination Centre, 2005.
[12] M. Casado, T. Garfinkel, A. Akella, M. J. Freedman, D. Boneh, N. McKeown, and S. Shenker. SANE: A protection architecture for enterprise networks. In Usenix Security, 2006.
[13] W. R. Cheswick, S. M. Bellovin, and A. D. Rubin. Firewalls and Internet security: repelling the wily hacker. Addison-Wesley Longman Publishing Co., Inc., 2003.
[14] Cisco Systems. Cisco ASA 5500 Series Configuration Guide using the CLI. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, 2010.
[15] Cisco Systems. Cisco ASA 5585-X adaptive security appliance architecture. White paper, Cisco Systems, May 2014.
[16] R. Jamieson, L. Land, S. Smith, G. Stephens, and D. Winchester. Critical infrastructure information security: Impacts of identity and related crimes. In PACIS, page 78, 2009.
[17] K. Stouffer, J. Falco, and K. Scarfone. Guide to Industrial Control Systems (ICS) security. NIST Special Publication, 800(82):16–16, 2008.
[18] T. Tuglular, F. Cetin, O. Yarimtepe, and G. Gercek. Firewall configuration management using XACML policies. In 13th International Telecommunications Network Strategy and Planning Symposium, Sep, 2008.