Experimental assessment of network design approaches for protecting industrial control systems

This paper surveys and provides experimental results related to network design techniques focused on enhancing the security of industrial control systems. It analyzes defense-in-depth strategies, network segmentation, network firewall configurations and the role of intrusion prevention systems, intrusion detection systems and anomaly detection systems. The paper also studies the applicability of emerging technologies in the area of IP networks, including software-defined networking, network functions virtualization and next generation firewalls in securing industrial control systems. The main contribution of this paper is the experimental assessment of existing and future network design approaches in the presence of real malware (e.g., Stuxnet) and synthetic attacks (e.g., denial-of-service attacks). The experimental results confirm the importance of defense-in-depth strategies and also highlight the embryonic state of software-defined networking security, which requires profound transformation and validation in order to be embraced by the industrial control system community.