research-article

Use of an SDN Switch in Support of NIST ICS Security Recommendations and Least Privilege Networking

Authors:

Varsha Venugopal,

Jim Alves-Foss,

Sandeep Gogineni RavindrababuAuthors Info & Claims

ICSS: Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop

Pages 11 - 20

https://doi.org/10.1145/3372318.3372321

Published: 10 December 2019 Publication History

Get Access

Abstract

If an attacker is able to successfully subvert a device within a network, that often gives them easier access to spread the intrusion to other devices in the network. Common guidance, such as that provided in NIST SP 800-82, recommends network separation and segregation to enforce least privilege within a network, to act as a mitigation against such attacks. This paper evaluates the use of SDN network switches to implement least privilege networking within an industrial control system, and maps SDN switch capabilities to NIST 800-82 recommendations and the corresponding NIST 800-53 security controls. This paper also reports on experiments conducted with two SDN switches to validate the effectiveness of the switches in support of these mappings. Our findings indicate that with appropriate planning, several aspects of least privilege networking, and several of the NIST controls can be implemented with an SDN switch. However, poor configurations can still result in insecure systems.

References

[1]

Cisco. 2019. Cisco Catalyst 2950 Series Switches. https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2950-series-switches/prod_qas09186a008009258e.html

Google Scholar

[2]

Joint Task Force Transformation Initiative. 2013. NIST Special Publication 800-53r4 Security and Privacy Copntrols for Federal Information Processing Systems. Technical Report. National Institute of Standards & Technology, Gaithersburg, MD, United States. http://dx.doi.org/10.6028/NIST.SP.800-53r4.

Crossref

Google Scholar

[3]

M. H. Khairi, S. H. Ariffin, N. A. Latiff, A. S. Abdullah, and M. K. Hassan. 2018. A Review of Anomaly Detection Techniques and Distributed Denial of Service (DDoS) on Software Defined Network (SDN). ENGINEERING TECHNOLOGY & APPLIED SCIENCE RESEARCH 8, 2 (2018), 2724--2730.

Crossref

Google Scholar

[4]

D. Kreutz, F. Ramos, and P. Verissimo. 2013. Towards secure and dependable software-defined networks. In ASM SIGCOMM Workshop on Hot topics in software defined networking. 55--60.

Google Scholar

[5]

Schweitzer Engineering Laboratories. 2019. SEL-2740S Software-Defined Network Switch. https://selinc.com/products/2740S/

Google Scholar

[6]

PICA8. 2019. PICA8 P-3297 Datasheet. https://www.pica8.com/wp-content/uploads/pica8-datasheet-48x1gbe-p3297.pdf

Google Scholar

[7]

P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu. 2012. A security enforcement kernel for OpenFlow networks. In ACM SIGCOMM Workshop on Hot topics in software defined networks. 121--126.

Google Scholar

[8]

V. K. Reddy and D. Sreenivasulu. 2016. Software-defined networking with DDOS attacks in cloud computing. International Journal of innovative Technologies (IJIT) 4, 19 (2016), 3779--3783.

Google Scholar

[9]

Ron Ross, Patrick Viscuso, Gary Guissanie, Kelley Dempsey, and Mark Riddle. 2016. NIST Special Publication 800-817r1 Protecting Controlled unclassified Information in Nonfederal Systems and Organizations. Technical Report. National Institute of Standards & Technology, Gaithersburg, MD, United States. http://dx.doi.org/10.6028/NIST.SP.800-171r1.

Crossref

Google Scholar

[10]

S. Shin, V. Yegneswaran, P. Porras, and G. Gu. 2013. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In ACM SIGSAC conference on Computer & Communications Security. 413--424.

Google Scholar

[11]

Keith Stouffer, Victoria Pillitteri, Lightman Suzaane, Marshall Abrams, and Adam Hahn. 2015. NIST Special Publication 800-82r2 Guide to Industrial Control Systems (ICS) Security. Technical Report. National Institute of Standards & Technology, Gaithersburg, MD, United States. http://dx.doi.org/10.6028/NIST.SP.800-82r2.

Crossref

Google Scholar

[12]

Industrial Control Systems Cyber Emergency Response Team. 2016. Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. Technical Report. US-CERT. https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf.

Google Scholar

[13]

The Open Networking Foundation. 2012. OpenFlow Switch Specification. https://www.opennetworking.org/images/stories/downloads/specification/openflow- spec-v1.3.0.pdf.

Google Scholar

Cited By

View all

Kayan HNunes MRana OBurnap PPerera C(2022)Cybersecurity of Industrial Cyber-Physical Systems: A ReviewACM Computing Surveys10.1145/351041054:11s(1-35)Online publication date: 9-Sep-2022
https://dl.acm.org/doi/10.1145/3510410
Ravindrababu SAlves-Foss J(2020)Automated Detection of Configured SDN Security Policies for ICS NetworksSixth Annual Industrial Control System Security (ICSS) Workshop10.1145/3442144.3442148(31-38)Online publication date: 8-Dec-2020
https://dl.acm.org/doi/10.1145/3442144.3442148

Use of an SDN Switch in Support of NIST ICS Security Recommendations and Least Privilege Networking
1. Security and privacy
  1. Security services

Recommendations

Automated Detection of Configured SDN Security Policies for ICS Networks
ICSS 2020: Sixth Annual Industrial Control System Security (ICSS) Workshop

The deployment of a security on a network infrastructure requires the specification and enforcement of security policies that specify the allowed communication between devices on that network. However, there is a distinction between security policies ...
NIST SP 800-125A Security Recommendations for Hypervisor Deployment Draft: NIST SP 800-125A 14 Sept 2017 2nd Draft
Auto-Configuration of SDN Switches in SDN/Non-SDN Hybrid Network
AINTEC '15: Proceedings of the 11th Asian Internet Engineering Conference

This paper proposes an auto-configuration mechanism for a newly attached SDN (Software-defined Networking) switch and intermediate switches in an SDN/non-SDN hybrid network. Automation of initial configuration of SDN switches brings the benefit of ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICSS: Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop

December 2019

72 pages

ISBN:9781450377195

DOI:10.1145/3372318

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 December 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ICSS

ICSS: Fifth Annual Industrial Control System Security Workshop

December 10, 2019

PR, San Juan, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
198
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)0

Reflects downloads up to 29 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kayan HNunes MRana OBurnap PPerera C(2022)Cybersecurity of Industrial Cyber-Physical Systems: A ReviewACM Computing Surveys10.1145/351041054:11s(1-35)Online publication date: 9-Sep-2022
https://dl.acm.org/doi/10.1145/3510410
Ravindrababu SAlves-Foss J(2020)Automated Detection of Configured SDN Security Policies for ICS NetworksSixth Annual Industrial Control System Security (ICSS) Workshop10.1145/3442144.3442148(31-38)Online publication date: 8-Dec-2020
https://dl.acm.org/doi/10.1145/3442144.3442148

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Recommendations

Automated Detection of Configured SDN Security Policies for ICS Networks

NIST SP 800-125A Security Recommendations for Hypervisor Deployment Draft: NIST SP 800-125A 14 Sept 2017 2nd Draft

Auto-Configuration of SDN Switches in SDN/Non-SDN Hybrid Network

Comments

Information

Published In

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations