Recovery Measure against Disabling Reassembly Attack to DNP3 Communication

Abstract

In the past, the security of industrial control systems was guaranteed by their obscurity. However, as devices of industrial control systems became more varied and interaction between these devices became necessary, effective management systems for such networks emerged. This triggered the need for cyber-physical systems that connect industrial control system networks and external system networks. The standards for the protocols in industrial control systems explain security functions in detail, but many devices still use nonsecure communication because it is difficult to update existing equipment. Given this situation, a number of studies are being conducted to detect attacks against industrial control system protocols, but these studies consider only data payloads without considering the case that industrial control systems' availability is infringed owing to packet reassembly failures. Therefore, with regard to the DNP3 protocol, which is used widely in industrial control systems, this paper describes attacks that can result in packet reassembly failures, proposes a countermeasure, and tests the proposed countermeasure by conducting actual attacks and recoveries. The detection of a data payload should be conducted after ensuring the availability of an industrial control system by using this type of countermeasure.