Aug 27, 2016

Passive Fingerprinting of SCADA in Critical Infrastructure Network without Deep Packet Inspection

arXiv:1608.07679v1, 8 citations
Originality: Incremental advance
AI Analysis

This addresses security monitoring for critical infrastructure by enabling passive fingerprinting without relying on specific products or protocol details, though it is incremental as it builds on existing fingerprinting concepts.

The paper tackles the problem of identifying SCADA systems in critical infrastructure networks without deep packet inspection, achieving high F-scores close to 1 in real-world evaluations.

We present the first technique for passive fingerprinting of Supervisory Control And Data Acquisition (SCADA) networks without Deep Packet Inspection (DPI), together with experience in a real environment. Unlike existing work, our method does not rely on the functions of a specific product or on DPI of the SCADA protocol. Our inference method, which is based on the intrinsic characteristics of SCADA, first identifies the network port used for the SCADA protocol, then consecutively infers the field devices and the master server. We evaluated the effectiveness of our method using two network traces collected from real environments, over a month and a half and over three days respectively, from different CIs. This confirmed the ability of our method to capture most of the SCADA systems with a high F-score of nearly 1, except for HMIs connected to the master server, and demonstrated the practical applicability of the method.
