Bump-in-the-wire (bump) devices can be used to protect critical endpoints in Industrial Control System (ICS) networks. However, bump devices cannot be used to authenticate incoming broadcast traffic, are complex to manage, and one bump is needed per host. In this work, we propose a virtual bump-like solution called vBump, which allows to insert virtual bumps in front of Ethernet- based legacy ICS devices. The vBumps can be used to limit traffic to whitelisted destinations, inspect all traffic on or above Link- layer like a centralized intrusion detection systems (or monitoring systems), or even police the traffic like a centralized intrusion pre- vention systems. In particular, this also allows the network to apply fine-grained control on traffic between nodes that need to be in the same Link-layer broadcast domain. Compared to traditional bumps, vBumps do not require any changes in physical network topology, and the central server’s global view allows for more informed deci- sion, with less computational constraints. We implement the system in a high-fidelity ICS testbed, and demonstrate its capabilities to support even time-critical protection control traffic in smart grids. Our system can handle traffic rates of 150Mbps with one-way delay of ≈ 1ms.
Workshop on CPS&IoT Security and Privacy (CPSIoTSec)