TY - GEN
T1 - VBump
T2 - 2nd Workshop on CPS and IoT Security and Privacy, CPSIoTSec 2021, in conjunction with ACM Conference on Computer and Communications Security, CCS 2021
AU - Tippenhauer, Nils Ole
AU - Chen, Binbin
AU - Mashima, Daisuke
AU - Nicol, David M.
N1 - This research is supported in part by the National Research Foundation, Prime Minister’s Office, Singapore under its Campus for Research Excellence and Technological Enterprise (CREATE) programme, and in part by the SUTD Start-up Research Grant (SRG Award No: SRG ISTD 2020 157).
PY - 2021/11/15
Y1 - 2021/11/15
N2 - Bump-in-the-wire (bump) devices can be used to protect critical endpoints in Industrial Control System (ICS) networks. However, bump devices cannot be used to authenticate incoming broadcast traffic, are complex to manage, and one bump is needed per host. In this work, we propose a virtual bump-like solution called vBump, which allows virtual bumps to be inserted in front of Ethernet-based legacy ICS devices. The vBumps can be used to limit traffic to whitelisted destinations, inspect all traffic at or above the Link layer like a centralized intrusion detection (or monitoring) system, or even police the traffic like a centralized intrusion prevention system. In particular, this also allows the network to apply fine-grained control to traffic between nodes that need to be in the same Link-layer broadcast domain. Compared to traditional bumps, vBumps do not require any changes to the physical network topology, and the central server's global view allows for more informed decisions under fewer computational constraints. We implement the system in a high-fidelity ICS testbed and demonstrate its capability to support even time-critical protection control traffic in smart grids. Our system can handle traffic rates of 150 Mbps with a one-way delay of ∼1 ms.
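The abstract describes vBump as a centrally enforced, per-host whitelist that operates on traffic at the Link layer and above, including traffic between hosts that share a broadcast domain. The following Python sketch is an added illustration of that decision logic and is not code from the paper or its testbed: frames from a protected host are parsed down to the transport-layer destination port and checked against a per-host allowlist, with an explicit per-host decision for ARP broadcast. The MAC and IP addresses, the rule format, the two whitelisted services and the sample frames are all constructed for the example; the real system's VLAN plumbing, IDS/IPS hooks, checksums and performance path are not modelled.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None

def parse_frame(raw: bytes) -> Frame:
    """Decode Ethernet II, IPv4 and the TCP/UDP destination port (no VLAN tags, no IPv6)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    f = Frame(mac_str(raw[6:12]), mac_str(raw[0:6]), struct.unpack("!H", raw[12:14])[0])
    if f.ethertype == ETH_P_IP and len(raw) >= 34:
        ihl = (raw[14] & 0x0F) * 4          # IPv4 header length in bytes
        f.proto = raw[23]
        f.dst_ip = ip_str(raw[30:34])
        l4 = 14 + ihl                       # start of the transport header
        if f.proto in (IPPROTO_TCP, IPPROTO_UDP) and len(raw) >= l4 + 4:
            f.dst_port = struct.unpack("!H", raw[l4 + 2:l4 + 4])[0]
    return f

@dataclass(frozen=True)
class Rule:
    dst_ip: str
    proto: int
    dst_port: Optional[int]   # None matches any port

# Constructed policy for one protected legacy device, keyed by its MAC address.
POLICY: Dict[str, dict] = {"00:11:22:33:44:01": {
    "rules": {Rule("10.0.0.10", IPPROTO_TCP, 502),     # its SCADA master (constructed)
              Rule("10.0.0.20", IPPROTO_UDP, 123)},    # its time server (constructed)
    "allow_arp_broadcast": True}}

def decide(frame: Frame, policy: Dict[str, dict] = POLICY) -> Tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for one frame sent by a protected host."""
    host = policy.get(frame.src_mac)
    if host is None:
        return "DROP", "source MAC has no vBump policy"
    if frame.ethertype == ETH_P_ARP:                    # Link-layer broadcast gets its own decision
        if frame.dst_mac == BROADCAST_MAC and host["allow_arp_broadcast"]:
            return "ALLOW", "ARP broadcast permitted for this host"
        return "DROP", "ARP not permitted for this host"
    if frame.ethertype != ETH_P_IP or frame.dst_ip is None:
        return "DROP", f"ethertype 0x{frame.ethertype:04x} not whitelisted"
    for r in host["rules"]:
        if (r.dst_ip, r.proto) == (frame.dst_ip, frame.proto) and r.dst_port in (None, frame.dst_port):
            return "ALLOW", f"matches {r}"
    return "DROP", f"{frame.dst_ip} proto {frame.proto} port {frame.dst_port} not whitelisted"

def build_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, dst_port, payload=b"") -> bytes:
    """Constructed IPv4 frame: 8-byte transport stub (src port, dst port, padding), checksums zero."""
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 4 + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                     64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP) + ip + l4

def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Constructed ARP who-has request to the Ethernet broadcast address."""
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + mac_bytes(src_mac)
           + ip_bytes(src_ip) + b"\x00" * 6 + ip_bytes(target_ip))
    return mac_bytes(BROADCAST_MAC) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP) + arp

HOST, MASTER = "00:11:22:33:44:01", "00:11:22:33:44:10"            # constructed addresses
SAMPLE_FRAMES: List[bytes] = [
    build_ipv4(HOST, MASTER, "10.0.0.1", "10.0.0.10", IPPROTO_TCP, 502),   # whitelisted
    build_ipv4(HOST, MASTER, "10.0.0.1", "10.0.0.20", IPPROTO_UDP, 123),   # whitelisted
    build_ipv4(HOST, MASTER, "10.0.0.1", "10.0.0.10", IPPROTO_TCP, 22),    # wrong port
    build_arp_request(HOST, "10.0.0.1", "10.0.0.10"),                      # broadcast
    build_ipv4("00:11:22:33:44:99", MASTER, "10.0.0.9", "10.0.0.10", IPPROTO_TCP, 502),  # unknown host
]

def run_sample() -> List[Tuple[str, str]]:
    """Apply the policy to every constructed frame; expected ALLOW, ALLOW, DROP, ALLOW, DROP."""
    return [decide(parse_frame(raw)) for raw in SAMPLE_FRAMES]
```

Calling `run_sample()` yields the verdicts in the order of `SAMPLE_FRAMES`. Keying the policy on the protected host's source MAC mirrors the one-bump-per-host model the abstract replaces; because the decision runs in one place with a view of every host's policy, the same engine can extend a rule to cover a group of hosts, log rather than drop (the IDS mode), or enforce (the IPS mode) without touching the wiring in front of each device.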
KW - ics security
KW - industrial control system
KW - traffic filtering
KW - vlan
UR - https://www.scopus.com/pages/publications/85120913213
UR - https://www.scopus.com/pages/publications/85120913213#tab=citedBy
U2 - 10.1145/3462633.3483983
DO - 10.1145/3462633.3483983
M3 - Conference contribution
AN - SCOPUS:85120913213
T3 - CPSIoTSec 2021 - Proceedings of the 2nd Workshop on CPS and IoT Security and Privacy, co-located with CCS 2021
SP - 3
EP - 14
BT - CPSIoTSec 2021 - Proceedings of the 2nd Workshop on CPS and IoT Security and Privacy, co-located with CCS 2021
PB - Association for Computing Machinery
Y2 - 15 November 2021
ER -