A low-delay SDN-based countermeasure to eavesdropping attacks in industrial control systems

摘要

Industrial Control Systems (ICS) and their networking infrastructure have been the target of an increasing number of cyber-attacks over the past years. In 2015, researchers proposed to employ SDN techniques to improve the security of ICS networks. To avoid that all packets are forwarded along the same path in such a network, their multipath routing strategy alternates between several paths from a source host to the destination host, such that an eavesdropper cannot capture the entire communication. We show that a basic multipath routing strategy can lead to delay peaks in the ICS network which are, considering the real-time nature of the network traffic in an ICS, highly undesired. We propose the priority multipath routing strategy which avoids such delays. Our approach makes use of rule priorities in OpenFlow to ensure that there is always a matching forwarding rule in a switch. We also propose to consider the path selection process as solving a convex flow problem. We validate our approach by simulation experiments. Our results show that our approach significantly reduces the number of table misses and effectively eliminates delay peaks and that selected paths compromise well between their disjointness and their cost.