Abstract

Industrial control systems (ICS) represent a major component of our critical infrastructure. With the increasing need for more control and monitoring of such systems, ICS have seen an increase in connectivity to wide area networks (WAN), exposing aging equipment to rapidly evolving cybersecurity threats. Furthermore, ICS data requires a measure of reliability from the network for critical infrastructure monitoring and control functions. Especially when remote plant sites such as pipelines, energy distribution networks, and transportation are involved, WAN transport is subject to impairments and most often provides best-effort delivery with no strict reliability guarantees. Network functions can provide vendor-agnostic, programmable critical infrastructure protection with a single maintenance, policy determination, and reliability assurance surface. A network function (NF) can be utilized for policy enforcement over the communication between remote entities and the main control office. This paper presents research on transparent integration with existing ICS without disrupting communications, resulting in minimal downtime while decoupling the fast-paced evolution of defensive security measures from the upgrade cycle of expensive long-term hardware. We report our measurements of the resource requirements and network overhead for successful NF insertion under a wide variety of network impairments (network packet delay, reordering, and loss). Our paired NF implementation provides a policy enforcement platform extensible to cover myriad cybersecurity-related communication goals, including packet signing for verification, encryption for data privacy, packet filtering, and data diode operation (i.e., protecting against eavesdropping, packet injection, and denial-of-service). Furthermore, bundling communication specifications into packet flows allows for tunability in applying policies as coarse- or fine-grained as the operator needs.
We report on network function resource requirements in the form of required queue depth and network utilization overhead.
