Automated Incident Response for Industrial Control Systems Leveraging Software-defined Networking

Modern technologies and concepts for Industrial Control Systems (ICS) are evolving towards high flexibility of processes and respectively networks. Such dynamic networks are already functioning well, for example in data centres. This is enabled by application of the Software-defined Networking (SDN) paradigm. For this reason, ICS is currently adopting SDN. The concept of having a centralized view of the network and generating packet forwarding rules to control it enables performing automated responses to network events and classified incidents via SDN. This automation can provide timely and, due to the holistic view of the network, accurate incident response actions. However, availability, safety, real-time and redundancy requirements within the ICS domain restrict the application of such an automated approach. At present, SDN-based incident response (SDN-IR) does not take into consideration these requirements. In this work, we identify possible SND-based response actions to ICS incidents and introduce classification of assets and links. Furthermore, we present a concept for SDN-IR where a predefined rule set restricts the response actions based on the asset's classification thereby satisfying ICS specific requirements. Subsequently, we describe and evaluate a prototype implementation of this concept, built with the open-source SDN platform OpenDaylight and the SDN protocol OpenFlow.