Scalable Approach to Enhancing ICS Resilience by Network Diversity

Network diversity has been widely recognized as an effective defense strategy to mitigate the spread of malware. Optimally diversifying network resources can improve the resilience of a network against malware propagation. This work proposes a scalable method to compute such an optimal deployment, in the context of upgrading a legacy Industrial Control System with modern IT infrastructure. Our approach can tolerate various constraints when searching for optimal diversification, such as outdated products and strict configuration policies. We explicitly measure the vulnerability similarity of products based on the CVE/NVD, to estimate the infection rate of malware between products. A Stuxnet-inspired case demonstrates our optimal diversification in practice, particularly when constrained by various requirements. We then measure the improved resilience of the diversified network in terms of a well-defined diversity metric and Mean-time-to-compromise (MTTC), to verify the effectiveness of our approach. Finally, we show the competitive scalability of our approach in finding optimal solutions within a couple of seconds to minutes for networks of large scales (up to 10,000 hosts) and high densities (up to 240,000 edges).