Industrial Control Systems (ICS) refer to the networked equipment and software used to control and monitor industrial systems. Such systems are key elements in a range of critical infrastructure sectors and other industries including electrical, water, wastewater, oil and natural gas, chemical, manufacturing and transport. These systems may be localized, as in the case of a manufacturing facility, or highly distributed, as in the case of an oil or gas pipeline or electrical grid.
Industrial control systems are composed of specialized components and applications such as Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), and Supervisory Control and Data Acquisition (SCADA) systems. PLCs are solid-state electronic devices that form the core of industrial control networks. DCSs are fully automated systems that control the operation of processes within an industrial facility, and are sometimes called Process Control Systems (PCS) (Stouffer et al.). Industrial Control and SCADA networks control critical infrastructure such as power plants, nuclear facilities, water supply/treatment systems and transportation systems. These systems are increasingly becoming the target of both sophisticated and unsophisticated cyber attacks by threat actors of different kinds, with successful attacks having the potential to cause widespread damage, cost and injury or loss of life.
It should be noted that the term SCADA is often used to describe Industrial Control System (ICS) networks. This is somewhat of a misnomer, as SCADA systems themselves make up only one component of the larger ICS network, but the term is broadly used to denote such networks—a convention we shall follow in the present description.
Situational awareness tools are widely used in diverse sectors such as military command and control, ship navigation and power plant operations. In general, such tools combine disparate data and analytics with visual maps (geographic or otherwise) to allow decision-makers to quickly process complex and dynamic data and make critical decisions. More recently, situational awareness tools have been developed and utilized in the Information Technology (IT) industry to distill large amounts of data from different security and network sensors, allowing security and network operators to make decisions to defend the IT network against security threats. As industrial control networks continue to witness greater connectivity to the outside world, the need for SCADA Cyber Situational Awareness Tools (SCADA CSATs) becomes greater. The larger and more connected the SCADA network, the more critical it becomes to have a SCADA CSAT.
FIG. 1 illustrates an example of a SCADA network. SCADA networks differ from traditional corporate networks in a number of ways. These differences present a number of challenges in the quest to defend the network against cyber threats—malicious, criminal or otherwise. First of all, a number of specialized protocols have been developed, often for historical reasons, which are used exclusively within SCADA networks. Some of the more popular protocols include Modbus, DNP3, Profinet and EtherNet/IP (not to be confused with either the Ethernet or IP protocols). These protocols, some of which are quite old, have not necessarily been designed with security in mind. Secondly, as they are niche protocols, popular network security tools such as signature-based Intrusion Detection Systems (IDS) like Snort or Suricata have limited support for many of them.
Traffic characteristics of SCADA networks also differ drastically from those of traditional corporate IT networks. The majority of traffic in SCADA networks is generated by devices controlling or monitoring the physical environment and by master control and monitoring systems. Such communications are often based on timers, occur at regular intervals, and take place between the same hosts within the network. Thus the pattern of communications is relatively deterministic and periodic in nature. This is quite different from traffic on an IT network, which is generated by human beings and can be quite noisy and non-deterministic.
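The deterministic, timer-driven pattern described above is what makes a per-flow cadence baseline workable for a defender. The following Python is an added example, not part of the original document: it learns the polling period of each (source, destination, port) flow from constructed flow records and flags flows that are either unknown host pairs or break their cadence; the addresses, the Modbus/TCP port 502 polls and the record format are all assumptions made for the example.

```python
"""Cadence baseline for periodic SCADA flows (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# An HMI at 10.0.0.10 polls two PLCs over Modbus/TCP (port 502) every 2 s.
TRAINING_FLOWS = []
for i in range(6):  # t = 0, 2, ..., 10: the learning window
    TRAINING_FLOWS.append((i * 2.0, "10.0.0.10", "10.0.0.21", 502))
    TRAINING_FLOWS.append((i * 2.0 + 0.05, "10.0.0.10", "10.0.0.22", 502))

LIVE_FLOWS = []
for i in range(6, 9):  # t = 12, 14, 16: regular polling continues
    LIVE_FLOWS.append((i * 2.0, "10.0.0.10", "10.0.0.21", 502))
    LIVE_FLOWS.append((i * 2.0 + 0.05, "10.0.0.10", "10.0.0.22", 502))
# Two constructed anomalies: a PLC-to-PLC flow never seen in the baseline,
# and an extra HMI poll arriving only 0.2 s after the regular one.
LIVE_FLOWS.append((13.3, "10.0.0.21", "10.0.0.22", 502))
LIVE_FLOWS.append((14.2, "10.0.0.10", "10.0.0.21", 502))


def learn_baseline(flows, min_samples=3):
    """Return {flow_key: median inter-arrival seconds} for flows seen often enough."""
    times = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        times[(src, dst, port)].append(ts)
    baseline = {}
    for key, ts in times.items():
        if len(ts) >= min_samples:
            gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
            baseline[key] = median(gaps)  # median resists a single jittered poll
    return baseline


def detect(baseline, flows, tolerance=0.25):
    """Return (ts, key, reason) alerts for unknown pairs or off-cadence gaps."""
    alerts, last_seen = [], {}
    for ts, src, dst, port in sorted(flows):
        key = (src, dst, port)
        if key not in baseline:
            alerts.append((ts, key, "unknown flow"))
            continue
        if key in last_seen:
            gap, period = ts - last_seen[key], baseline[key]
            if abs(gap - period) > tolerance * period:
                alerts.append((ts, key, f"off-cadence gap {gap:.2f}s vs {period:.2f}s"))
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING_FLOWS), LIVE_FLOWS):
        print(alert)
```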
Historically, proprietary technologies were utilized for SCADA and ICS networks. This proprietary nature greatly assisted in their security—a factor sometimes referred to as “security by obscurity”. The standardization of various elements of ICS networks over the last few years, coupled with the trend of connecting these systems to Wide Area Networks (WANs), enterprise networks and the Internet, has opened up access to such networks. This opening up of ICS networks has led to a number of security issues. This is partly because the specialized protocols at the heart of ICS devices such as PLCs were not designed with security in mind, leaving them susceptible to cyber security threats. In addition, the network architectures and security tools of SCADA networks have not received the same attention from a security perspective as IT networks, which were earlier subjects of malicious cyber threats (Galloway et al.). Finally, SCADA software such as Human Machine Interfaces (HMIs) is used to control physical industrial processes via PLCs. HMI software is often run on Windows platforms, which are susceptible to many security threats.
While SCADA networks are in many ways like IT networks, they also present a number of distinctive characteristics which means that traditional IT security products and solutions cannot be used as-is on a SCADA network. As such, specialized cyber security tools are required for such networks. Systems and methods are required to successfully discover the network topology for SCADA systems and provide security operators with situational awareness capabilities to defend against cyber threats.
Traditional approaches to device discovery scan an entire network to find live IP addresses. This is done by sending a packet or set of packets to each possible IP address in a network range and waiting to receive a response (e.g. sending ping messages). This approach takes a long time to complete discovery of devices, because some networks utilize a large address space while live devices may only be found on a small section of it (e.g. a large company may use the 47.0.0.0/8 address space, which could hold 16 million IP addresses, but at a maximum only use 2% of the address space). Sending pings too frequently would overload the network with traffic (e.g. sending a ping every millisecond would generate 1000 packets per second, which is far too heavyweight to be acceptable for IT networks). As such, network management solutions may send a ping packet every 10 ms, which translates to 100 packets per second. Scanning the full address range would take 160,000 seconds (44 hours). Approaches such as this are the norm in deployed network discovery and network topology mapping solutions.
Typically, existing approaches to discover the network mapping and network topology for a SCADA network use the following general method:
1. Identify the IP address range for the network to be discovered;
2. Send ping packets to every IP address in the range to discover live devices which respond;
3. Identify devices that respond as eligible devices;
4. Determine which devices respond to SNMP queries;
5. Interrogate the devices using SNMP to determine whether they are routers, switches or end-systems; and
6. Based on SNMP Management Information Base (MIB) information, begin determining the connectivity map (i.e. the topology of the network).
These approaches have several drawbacks. The discovery time is slow for large networks because too many IP addresses must be searched, most of which may not correspond to actual devices. Further, there may be a number of silent or inactive devices in the network that will not be discovered by these methods, making a full discovery impossible. Therefore, there is a need for improvement. It would be beneficial to cyber security and other network applications to achieve fast network topology discovery and accurate discovery of the devices in the network.