ANDVI: Automated Network Device and Vulnerability Identification in SCADA/ICS by Passive Monitoring

Supervisory control and data acquisition (SCADA) and industrial control systems (ICSs) are designed to operate for extended periods of time and can withstand extreme conditions. However, operators, engineers, and offices change over time, which can lead to outdated documentation and references. This can make it difficult to identify system components and their vulnerabilities, which can pose a security risk. In this article, we present an automated passive method for identifying system components based on network traffic structure and network message characteristics. The proposed approach considers both TCP/IP and Modbus, the two primary communication protocols in SCADA, to identify devices. The algorithm was implemented in Python and evaluated using water treatment SCADA data collected from the iTrust facility. Once the system devices have been identified, the algorithm queries the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) databases to identify each device's known vulnerabilities. Using our research on automated attack graph generation and visualization (A2G2V) and strongly connected component induced min label cut (SCCiMLC), we can map device vulnerabilities to system-level attack graphs and identify the bare minimum of device vulnerabilities to mitigate in order to secure the entire system. The proposed technique has been demonstrated to be beneficial in identifying system components in SCADA and ICS systems to increase their security.