Analysis of In-order Packet Delivery Network Policy Enforcement Function
Industrial Control System (ICS) networks face novel challenges in risk management, feature agility, and deployment flexibility. Essential hardware control systems may have a lifetime of decades while the need for business features and the network security landscape evolve on a daily basis. Even the mix of common protocols for network connectivity is likely to undergo significant market disruption over the 50+ year lifetime of a large industrial complex. Given this reality, the University of Houston Networking Lab has embarked upon an effort, facilitated by the Department of Energy CREDC program, to decouple the long development cycles of hardened industrial equipment from the ever-changing realities of both the local and wide-area networks they must use to transport essential sensor data and control messages. We are developing a specification for a Network Function (NF) with the express purpose of defining a standard behavior for per-flow policy enforcement, allowing operators to specify varying policies (or combinations of policies) for packet flows being transmitted between two trusted and/or reliable enclaves via an untrusted or unreliable segment. These policies allow features – like packet signatures, sequence numbers, local timestamping, etc. – to be added without hardware downtime or vendor firmware availability. For example, devices incapable of running complex network state machines for protocols such as TCP can nonetheless be relied on to provide reliable data delivery given the application of appropriate policy. Similarly, sensors and control mechanisms designed decades ago can benefit from modern HMAC signatures to guarantee data integrity, without ever having to be upgraded or replaced. While our objective is a specification that will be handed over to existing ICS vendors – and not a performant NF implementation – we need to be able to quantify both the utility of given policies and also their resource requirements such that vendors can make reasonable business decisions about which policies to support and what hardware will be required to do so. The experiment outlined in this paper is one example of how we are breaking up the specification evaluation into discrete pieces (as partially exposed in Figure 1) and using the flexibility and efficiency of GENI to provide reproducible methods, data and analytics for each draft policy in a wide variety of configurable network conditions.
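To make the idea of a combined per-flow policy concrete, the sketch below pairs an ingress and an egress function that add sequence numbers and an HMAC signature on behalf of a legacy device and release payloads strictly in order. It is an added example, not code or a wire format from the paper or its specification; the header layout, class names, window size and key are assumptions.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!IQ")   # assumed header: 32-bit flow id, 64-bit sequence number
TAG_LEN = 32                 # HMAC-SHA256 tag length

class IngressNF:
    """Wraps packets leaving the trusted enclave (hypothetical framing)."""
    def __init__(self, key):
        self.key, self.next_seq = key, {}
    def wrap(self, flow_id, payload):
        seq = self.next_seq.get(flow_id, 0)
        self.next_seq[flow_id] = seq + 1
        body = HDR.pack(flow_id, seq) + payload
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class EgressNF:
    """Verifies frames, drops replays, and releases payloads in sequence order."""
    def __init__(self, key, window=64):
        self.key, self.window = key, window          # window bounds buffered frames
        self.expected, self.pending = {}, {}
    def receive(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return []                                # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return []                                # forged or corrupted in transit
        flow_id, seq = HDR.unpack_from(body)
        nxt = self.expected.get(flow_id, 0)
        buf = self.pending.setdefault(flow_id, {})
        if seq < nxt or seq >= nxt + self.window or seq in buf:
            return []                                # replay, duplicate, or too far ahead
        buf[seq] = body[HDR.size:]
        out = []
        while nxt in buf:                            # release the contiguous run
            out.append(buf.pop(nxt))
            nxt += 1
        self.expected[flow_id] = nxt
        return out

def demo():
    # Constructed sample: three readings, reordered, tampered and replayed in transit.
    key = b"constructed-demo-key"
    tx, rx = IngressNF(key), EgressNF(key)
    f = [tx.wrap(7, p) for p in (b"r0", b"r1", b"r2")]
    forged = f[1][:-1] + bytes([f[1][-1] ^ 1])
    return [rx.receive(x) for x in (f[2], forged, f[0], f[1], f[1])]
```

Loss recovery is left out of this sketch: a frame that never arrives stalls its flow until a retransmission or timeout policy, not shown here, fills the gap.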