On the Feasibility of Device Fingerprinting in Industrial Control Systems

Caselli, Marco; Hadžiosmanović, Dina; Zambon, Emmanuele; Kargl, Frank

doi:10.1007/978-3-319-03964-0_14

Cited by 21 publications

(17 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With regard to fingerprinting information technology systems, Caselli et al [5] observe that the most widely adopted fingerprinting technique uses a 67-bit signature from TCP/IP protocol headers to identify an operating system on a machine in a standard network. Caselli and colleagues also describe the challenges involved in fingerprinting industrial control devices.…”

Section: Related Workmentioning

confidence: 99%

“…Caselli et al [5] have noted that industrial control system characteristics make device fingerprinting more challenging compared with conventional information technology networks due to device heterogeneity, proprietary protocols, device computational power and long-standing TCP sessions. On the other hand, from the system perspective, industrial control systems -unlike conventional information technology networks -tend to have stable and persistent control flow communications patterns, including characteristics such as long lifecycles, static topologies, periodic behavior and a limited number of applications and protocols [1,16].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Industrial Control System Fingerprinting and Anomaly Detection

Peng

Xiang

Gao

et al. 2015

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Industrial Control System Fingerprinting and Anomaly Detection

Peng

Xiang

Gao

et al. 2015

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

“…Guideword Deviation / Potential threat add a user adds a valve to the group Valve modify a user modifies the name of a valve (topology) 1 delete a user deletes a valve from the group add no Tanks modify a user modifies the capacity of tank (e.g., the presumed capacity of tank is increased by double) (operational parameters) 2 delete no add a user adds action type to the allowed actions (e.g., a user adds "inserting setpoint" and/or "changing pump status" to the list of allowed operator actions on a pump) Pumps modify no (access settings) 3 delete a user deletes action type from allowed actions (e.g., a user deletes "inserting setpoint" and/or "changing pump status" from operator actions on a pump) example, depending on the context (i.e., the specific software control implementation), some combinations of keywords and guidewords do not apply (e.g., acidity parameters cannot be deleted) or are not considered as severe (e.g., add tank). To this end, the focus group selected 35 user actions that represent a potential threat.…”

Section: Keywordmentioning

confidence: 99%

“…While both plants use equipment from the same (well-known) vendor, they deploy different software versions. 2 We have access to (i) 3 day long packet trace from plant A and (ii) 14 day long packet trace from plant B. Both traces contain the complete network traffic captured from the mirroring port of the switches that connect the different PLCs and the ICS servers.…”

Section: Environments and Data Setsmentioning

confidence: 99%

“…Other efforts focus on analyzing security threats in ICS. For example, some authors analyze protocol vulnerabilities [11,21,122], explore the lack of compliance to protocol specifications in different PLCs [29,107] and the feasibility of device fingerprinting [2]. To address security threats some efforts exploit communication patterns for anomalydetection [109,67] However, the effects that one can find at the flow-level remain limited; detecting semantic process changes requires inspection of the application layer.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation