Passive Fingerprinting of SCADA in Critical Infrastructure Network without Deep Packet Inspection

Abstract: We present the first technique of passive fingerprinting for Supervisory Control And Data Acquisition (SCADA) networks without Deep Packet Inspection (DPI) and experience on real environment. Unlike existing work, our method does not rely on the functions of a specific product or DPI of the SCADA protocol. Our inference method, which is based on the intrinsic characteristics of SCADA, first identifies the network port used for the SCADA protocol, then consecutively infers the field devices and master server. We evaluated the effectiveness of our method using two network traces collected from a real environment for a month and a half, three days from different CI respectively. This confirmed the ability of our method to capture most of the SCADA with high F-score nearly 1, except for HMIs connected to master server, and demonstrated the practical applicability of the method.