Discipline: Computer Sciences and Information Management
Subcategory: Computer Science & Information Systems
Tarrell Fletcher - Bowie State University
Co-Author(s): Haydar Teymourlouei and Guy Alain Amoussou, Bowie State University, Bowie, MD
Methodology: Before approaching the infrastructure to implement a security solution, we believe you must understand the network architecture and the vulnerabilities of the systems themselves. Now security can never be absolute unless you unplug all devices from the network, but with enough observations and configuration, attacks can be mitigated greatly. After researching these topics, we have then defined a set of functional requirements that the system we are creating will be able to do. System: Sanitation Box – The name of our solution is ‘Sanitation Box’, because it will be acting as a proxy which will be placed between a Human Machine Interface and control system device in order to provide authentication of commands as well as network monitoring. The system will be running CentOS, a version of Linux commonly used in Enterprise networks because of security.
FR.1: Control Connections – Controlling connections is the first step our box must perform to be sure an authentic network device is communicating with the critical infrastructure network. Because a Linux system can also be used a firewall, it is best to leverage the power of IP Tables in order to control connections. IP tables is a rule based firewall system and is normally preinstalled on a Unix operating system which is controlling the incoming and outgoing packets. By default, the IP tables is running without any rules, we can create, add, edit rules into it . Mac address filtering and IP source address filter rules should be implemented for more granular control over connections.
FR.2: Start Program – The second step is to grab the incoming communication from the validated communication to initiate the script to control the process. Linux has a built in process called inetd, but we will be installing the more secure version which is xinetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more. Xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service . By creating a new entry in the configuration files for the xinetd service we can send all input destined for port 502 (MODBUS application protocol), to a new port to have the data sanitized before being sent out.
Funder Acknowledgement(s): I would like to thank the Bowie State University Education Innovation Initiative - EI2 and Summer Undergraduate Research Institute - SURI program for giving me the opportunity to partake in this research project. Also appreciation for my mentors Guy Alain Amoussou and Haydar Teymourlouei.
Faculty Advisor: Haydar Teymourlouei, Guy Alain-Amoussou, firstname.lastname@example.org
Role: Understanding and explaining the common vulnerabilities with industrial control systems. As well as creating the list of functional requirements that leads to the development of a solution.