DOI: 10.1145/2732198.2732201
Research article (ACM Conference Proceedings, ASIA CCS)

Identifying the Missing Aspects of the ANSI/ISA Best Practices for Security Policy

Published: 14 April 2015

Abstract

Firewall configuration is a critical activity for the Supervisory Control and Data Acquisition (SCADA) networks that control power stations, water distribution, factory automation, etc. The American National Standards Institute (ANSI) provides specifications for the best practices in developing high-level security policy [1]. However, firewalls continue to be configured manually, a common but error-prone process. Automation can make the design of firewall configurations more reliable and their deployment more cost-effective. The ANSI best practices, however, lack specification in several key aspects needed to allow a firewall to be configured automatically. In this paper, we discuss the missing aspects of the existing best practice specifications and propose solutions. We then apply our corrected best practice specifications to real SCADA firewall configurations and evaluate their usefulness for the high-level, automated specification of firewalls.

References

[1] Y. Bartal, A. Mayer, K. Nissim, and A. Wool. Firmato: A novel firewall management toolkit. ACM Transactions on Computer Systems (TOCS), 22(4):381--420, 2004.
[2] S. Bellovin and R. Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268--274, 2009.
[3] E. Byres. Using ANSI/ISA-99 standards to improve control system security. White paper, Tofino Security, May 2012.
[4] E. Byres, J. Karsch, and J. Carter. NISCC good practice guide on firewall deployment for SCADA and process control networks. National Infrastructure Security Co-Ordination Centre, 2005.
[5] W. R. Cheswick, S. M. Bellovin, and A. D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Longman Publishing Co., Inc., 2003.
[6] Cisco Systems. Cisco ASA 5500 Series Configuration Guide using the CLI. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, 2010.
[7] Cisco Systems. Cisco ASA 5585-X adaptive security appliance architecture. White paper, Cisco Systems, May 2014.
[8] J. Garcia-Alfaro, F. Cuppens, N. Cuppens-Boulahia, and S. Preda. MIRAGE: A management tool for the analysis and deployment of network security policies. In Data Privacy Management and Autonomous Spontaneous Security, pages 203--215. Springer, 2011.
[9] ISA. ANSI/ISA-62443-1-1 security for industrial automation and control systems part 1-1: Terminology, concepts, and models, 2007.
[10] R. Jamieson, L. Land, S. Smith, G. Stephens, and D. Winchester. Critical infrastructure information security: Impacts of identity and related crimes. In PACIS, page 78, 2009.
[11] A. Mayer, A. Wool, and E. Ziskind. Fang: A firewall analysis engine. In IEEE Symposium on Security and Privacy, pages 177--187, 2000.
[12] T. Nelson, C. Barratt, D. J. Dougherty, K. Fisler, and S. Krishnamurthi. The Margrave tool for firewall analysis. In LISA, 2010.
[13] K. Stouffer, J. Falco, and K. Scarfone. Guide to Industrial Control Systems (ICS) security. NIST Special Publication, 800(82):16--16, 2008.
[14] T. Tuglular, F. Cetin, O. Yarimtepe, and G. Gercek. Firewall configuration management using XACML policies. In 13th International Telecommunications Network Strategy and Planning Symposium, September 2008.
[15] A. Wool. Architecting the Lumeta firewall analyzer. In USENIX Security Symposium, pages 85--97, 2001.
[16] A. Wool. A quantitative study of firewall configuration errors. Computer, IEEE, 37(6):62--67, 2004.
[17] A. Wool. Trends in firewall configuration errors: Measuring the holes in Swiss cheese. Internet Computing, IEEE, 14(4):58--65, 2010.
[18] G. G. Xie, J. Zhan, D. A. Maltz, H. Zhang, A. Greenberg, G. Hjalmtysson, and J. Rexford. On static reachability analysis of IP networks. In IEEE INFOCOM, volume 3, pages 2170--2183, 2005.
[19] H. Yan, D. A. Maltz, T. E. Ng, H. Gogineni, H. Zhang, and Z. Cai. Tesseract: A 4D network control plane. NSDI, 7:27--27, 2007.
[20] yEd. yEd graph editor manual, http://yed.yworks.com/support/manual/index.html.
[21] L. Yuan, H. Chen, J. Mai, C.-N. Chuah, Z. Su, and P. Mohapatra. FIREMAN: A toolkit for firewall modeling and analysis. In IEEE Symposium on Security and Privacy, pages 15--213, 2006.

Cited By

  • (2016) Case Studies of SCADA Firewall Configurations and the Implications for Best Practices. IEEE Transactions on Network and Service Management, 13(4):871--884. DOI: 10.1109/TNSM.2016.2597245. Online publication date: 1 Dec 2016.
  • (2016) Malachite: Firewall policy comparison. 2016 IEEE Symposium on Computers and Communication (ISCC), pages 310--317. DOI: 10.1109/ISCC.2016.7543759. Online publication date: Jun 2016.
  • (2016) Towards Standardising Firewall Reporting. Security of Industrial Control Systems and Cyber Physical Systems, pages 127--143. DOI: 10.1007/978-3-319-40385-4_9. Online publication date: 18 Jun 2016.

    Published In

    CPSS '15: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security
    April 2015
    116 pages
    ISBN:9781450334488
    DOI:10.1145/2732198
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. firewall auto-configuration
    2. scada network security
    3. security policy
    4. zone-conduit model

    Qualifiers

    • Research-article

    Funding Sources

    • Australian Government
    • CQR Consulting
    • Australian Research Council

    Conference

    ASIA CCS '15
    Sponsor:
    ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
    April 14 - March 14, 2015
    Singapore, Republic of Singapore

    Acceptance Rates

    CPSS '15 Paper Acceptance Rate 9 of 26 submissions, 35%;
    Overall Acceptance Rate 43 of 135 submissions, 32%
