Network Analysis of Reconnaissance and Intrusion of an Industrial Control System

Report No. ARL-TR-7775
Authors: Daniel T Sullivan and Edward J Colbert
Date/Pages: September 2016; 66 pages
Abstract: This report describes the results of an experiment that assessed 5 security configurations intended to increase the security of an industrial control system (ICS). The first objective was to evaluate how network topology affects the information an attacker can learn by conducting passive reconnaissance of an ICS. The second objective was to identify useful methods for detecting network intrusion. The testbed experiment demonstrated that network segregation and technical controls can reduce the attack surface of an ICS network. The experiment also revealed that whitelisting techniques can detect an attacker, since the set of hosts on an ICS network rarely changes. In addition, we describe general methods for characterizing baseline Modbus traffic that could be used to detect anomalous ICS traffic generated by an attacker.
Distribution: Approved for public release

Last Update / Reviewed: September 1, 2016