Abstract

Many firewalls have been extending their security capabilities to support Supervisory Control and Data Acquisition (SCADA) systems or to protect the operations within industrial process control. A SCADA firewall usually needs to inspect deeper into the payload to understand exactly which industrial applications are being executed. However, the security features in traditional SCADA firewalls have drawbacks in two main aspects. First, a traditional Deep Packet Inspection (DPI) enabled SCADA firewall only partially inspects the content of the payload. Specially crafted packets carrying a malicious payload can exploit this drawback to bypass the firewall’s inspection. Second, existing SCADA firewalls have poor capability for protecting proprietary industrial protocols. In this paper, we propose a new SCADA firewall model called SCADAWall. This model is powered by our Comprehensive Packet Inspection (CPI) technology. SCADAWall also includes a new Proprietary Industrial Protocols Extension Algorithm (PIPEA) to extend its capabilities to proprietary industrial protocol protection, and an Out-of-Sequence Detection Algorithm (OSDA) to detect abnormality within industrial operations. We have compared our security features with those of two commercial SCADA firewalls. Our experiment also shows that SCADAWall can effectively mitigate those drawbacks without sacrificing the SCADA system’s low-latency requirement.
