Use of an SDN Switch in Support of NIST ICS Security Recommendations and Least Privilege Networking

Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop Pub Date : 2019-12-10 DOI:10.1145/3372318.3372321

Varsha Venugopal, J. Alves-Foss, Sandeep Gogineni Ravindrababu

{"title":"Use of an SDN Switch in Support of NIST ICS Security Recommendations and Least Privilege Networking","authors":"Varsha Venugopal, J. Alves-Foss, Sandeep Gogineni Ravindrababu","doi":"10.1145/3372318.3372321","DOIUrl":null,"url":null,"abstract":"If an attacker is able to successfully subvert a device within a network, that often gives them easier access to spread the intrusion to other devices in the network. Common guidance, such as that provided in NIST SP 800-82, recommends network separation and segregation to enforce least privilege within a network, to act as a mitigation against such attacks. This paper evaluates the use of SDN network switches to implement least privilege networking within an industrial control system, and maps SDN switch capabilities to NIST 800-82 recommendations and the corresponding NIST 800-53 security controls. This paper also reports on experiments conducted with two SDN switches to validate the effectiveness of the switches in support of these mappings. Our findings indicate that with appropriate planning, several aspects of least privilege networking, and several of the NIST controls can be implemented with an SDN switch. However, poor configurations can still result in insecure systems.","PeriodicalId":287941,"journal":{"name":"Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop","volume":"106 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-12-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3372318.3372321","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

If an attacker is able to successfully subvert a device within a network, that often gives them easier access to spread the intrusion to other devices in the network. Common guidance, such as that provided in NIST SP 800-82, recommends network separation and segregation to enforce least privilege within a network, to act as a mitigation against such attacks. This paper evaluates the use of SDN network switches to implement least privilege networking within an industrial control system, and maps SDN switch capabilities to NIST 800-82 recommendations and the corresponding NIST 800-53 security controls. This paper also reports on experiments conducted with two SDN switches to validate the effectiveness of the switches in support of these mappings. Our findings indicate that with appropriate planning, several aspects of least privilege networking, and several of the NIST controls can be implemented with an SDN switch. However, poor configurations can still result in insecure systems.

查看原文本刊更多论文

使用SDN交换机支持NIST ICS安全建议和最小特权网络

如果攻击者能够成功地破坏网络中的一个设备，这通常使他们更容易访问，将入侵传播到网络中的其他设备。通用指南(例如NIST SP 800-82中提供的指南)建议将网络分离和隔离，以在网络中强制执行最小特权，从而缓解此类攻击。本文评估了SDN网络交换机在工业控制系统中实现最小特权网络的使用，并将SDN交换机功能映射到NIST 800-82建议和相应的NIST 800-53安全控制。本文还报道了用两台SDN交换机进行的实验，以验证交换机支持这些映射的有效性。我们的研究结果表明，通过适当的规划，最少特权网络的几个方面以及NIST的几个控制可以通过SDN交换机实现。然而，糟糕的配置仍然会导致不安全的系统。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop

自引率

0.00%

发文量