Title

Towards a new generation of industrial firewalls: Operational-process aware filtering

Author(s)

HACHANA Safaa (1), CUPPENS Frédéric (1,2), CUPPENS-BOULAHIA Nora (2)

Document type

Conference paper with proceedings

Source

PST 2016: 14th Annual Conference on Privacy, Security and Trust, 12-14 December 2016, Auckland, New Zealand, 2017, pp. 615-622

Year

2017

Abstract

Formerly protected by isolation, operational technology (OT) networks have become connected to information technology (IT) networks. This integration has exposed OT networks to a myriad of known and new threats. Because many of the industrial platforms monitored by OT networks are critical, providing guidelines for good security practices, along with tools for security enforcement, has become a strategic priority. In particular, several security vendors are proposing dedicated firewalls for OT networks. To date, the trend has been towards extending IT firewalls to detect and filter industrial communication protocols. In this paper, we show through an experimental study that security solutions borrowed from IT only partially fit OT requirements, because OT networks have very different properties. We propose a new approach that pushes stateful filtering up to the operational level, giving fine-grained, tailored access control for SCADA networks. We show how to model operational-process-aware rules using the context paradigm of the OrBAC model. We also discuss practical issues regarding the enforcement of such rules in the next generation of industrial firewalls.

Labs

1 : LUSSI(TB) - Dépt. Logique des Usages, Sciences Sociales et de l'Information (Institut Mines-Télécom-Télécom Bretagne-UBL)
2 : Lab-STICC(TB) - Laboratoire en sciences et technologies de l'information, de la communication et de la connaissance (UMR CNRS 6285 - Télécom Bretagne - Université de Bretagne Occidentale - Université de Bretagne Sud - ENSTA Bretagne - Ecole Nationale d'ingénieurs de Brest)

Reference

17404
