IDEAS home Printed from https://ideas.repec.org/a/gam/jftint/v13y2021i10p258-d651932.html
   My bibliography  Save this article

An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks

Author

Listed:
  • Luca Foschini

    (Department of Computer Engineering, University of Bologna, via Risorgimento 2, 40136 Bologna, Italy)

  • Valentina Mignardi

    (Department of Computer Engineering, University of Bologna, via Risorgimento 2, 40136 Bologna, Italy)

  • Rebecca Montanari

    (Department of Computer Engineering, University of Bologna, via Risorgimento 2, 40136 Bologna, Italy)

  • Domenico Scotece

    (Department of Computer Engineering, University of Bologna, via Risorgimento 2, 40136 Bologna, Italy)

Abstract

Real-time business practices require huge amounts of data directly from the production assets. This new thirst for accurate and timely data has forced the convergence of the traditionally business-focused information technology (IT) environment with the production-focused operational technology (OT). Recently, software-defined network (SDN) methodologies have benefitted OT networks with enhanced situational awareness, centralized configuration, deny-by-default forwarding rules, and increased performance. What makes SDNs so innovative is the separation between the control plane and the data plane, centralizing the command in the controllers. However, due to their young age, the use of SDNs in the industry context has not yet matured comprehensive SDN-based architectures for IT/OT networks, which are also resistant to security attacks such as denial-of-service ones, which may occur in SDN-based industrial IoT (IIoT) networks. One main motivation is that the lack of comprehensive SDN-based architectures for IT/OT networks making it difficult to effectively simulate, analyze, and identify proper detection and mitigation strategies for DoS attacks in IT/OT networks. No consolidated security solutions are available that provide DoS detection and mitigation strategies in IT/OT networks. Along this direction, this paper’s contributions are twofold. On the one hand, this paper proposes a convergent IT/OT SDN-based architecture applied in a real implementation of an IT/OT support infrastructure called SIRDAM4.0 within the context of the SBDIOI40 project. On the other hand, this paper proposes a qualitative analysis on how this architecture works under DoS attacks, focusing on what the specific problems and vulnerabilities are. In particular, we simulated several distributed denial-of-service (DDoS) attack scenarios within the context of the proposed architecture to show the minimum effort needed by the attacker to hack the network, and our obtained experimental results show how it is possible to compromise the network, thus considerably worsening the performance and, in general, the functioning of the network. Finally, we conclude our analysis with a brief description on the importance of employing machine learning approaches for attack detection and for mitigation techniques.

Suggested Citation

  • Luca Foschini & Valentina Mignardi & Rebecca Montanari & Domenico Scotece, 2021. "An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks," Future Internet, MDPI, vol. 13(10), pages 1-19, October.
    • Handle: RePEc:gam:jftint:v:13:y:2021:i:10:p:258-:d:651932
    as

    Download full text from publisher

    File URL: https://www.mdpi.com/1999-5903/13/10/258/pdf
    Download Restriction: no
    File URL: https://www.mdpi.com/1999-5903/13/10/258/
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Barbosa, Rafael Ramos Regis & Sadre, Ramin & Pras, Aiko, 2013. "Flow whitelisting in SCADA networks," International Journal of Critical Infrastructure Protection, Elsevier, vol. 6(3), pages 150-158.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Monzer, Mohamad-Houssein & Beydoun, Kamal & Ghaith, Alaa & Flaus, Jean-Marie, 2022. "Model-based IDS design for ICSs," Reliability Engineering and System Safety, Elsevier, vol. 225(C).
    2. Fatima Salahdine & Naima Kaabouch, 2019. "Social Engineering Attacks: A Survey," Future Internet, MDPI, vol. 11(4), pages 1-17, April.
    3. Genge, Béla & Graur, Flavius & Haller, Piroska, 2015. "Experimental assessment of network design approaches for protecting industrial control systems," International Journal of Critical Infrastructure Protection, Elsevier, vol. 11(C), pages 24-38.
    4. Haller, Piroska & Genge, Béla & Duka, Adrian-Vasile, 2019. "On the practical integration of anomaly detection techniques in industrial control applications," International Journal of Critical Infrastructure Protection, Elsevier, vol. 24(C), pages 48-68.
    5. Jarmakiewicz, Jacek & Parobczak, Krzysztof & Maślanka, Krzysztof, 2017. "Cybersecurity protection for power grid control infrastructures," International Journal of Critical Infrastructure Protection, Elsevier, vol. 18(C), pages 20-33.
    6. Etxezarreta, Xabier & Garitano, Iñaki & Iturbe, Mikel & Zurutuza, Urko, 2023. "Software-Defined Networking approaches for intrusion response in Industrial Control Systems: A survey," International Journal of Critical Infrastructure Protection, Elsevier, vol. 42(C).
    7. Wang, Wu & Harrou, Fouzi & Bouyeddou, Benamar & Senouci, Sidi-Mohammed & Sun, Ying, 2022. "Cyber-attacks detection in industrial systems using artificial intelligence-driven methods," International Journal of Critical Infrastructure Protection, Elsevier, vol. 38(C).

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:gam:jftint:v:13:y:2021:i:10:p:258-:d:651932. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: MDPI Indexing Manager (email available below). General contact details of provider: https://www.mdpi.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.