Automated Detection of Configured SDN Security Policies for ICS Networks

The deployment of a security on a network infrastructure requires the specification and enforcement of security policies that specify the allowed communication between devices on that network. However, there is a distinction between security policies and the technologies that implement those policies. There is also often a distinction between intended policy and deployed or configured policy. Therefore there is a need to confirm compliance between policy and reality in a network. This is especially true in industrial control systems where there is a lot of network infrastructure and special purpose devices which can not be scanned or analyzed using traditional cybersecurity tools. This work discusses the first steps of a project that automatically detects the security policy as implemented in the control rules of an SDN switch, deployed in an industrial control system network.