Flow whitelisting in SCADA networks

Rafael Ramos Regis Barbosa, Ramin Sadre, Aiko Pras

Research output: Contribution to journalJournal articleResearchpeer-review

49 Citations (Scopus)
1176 Downloads (Pure)


Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for improving the security of SCADA networks using flow whitelisting. A flow whitelist describes legitimate traffic based on four properties of network packets: client address, server address, server-side port and transport protocol. The proposed approach incorporates a learning phase in which a flow whitelist is learned by capturing network traffic over a period of time and aggregating it into flows. After the learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. The applicability of the approach is demonstrated using real-world traffic traces captured at two water treatment plants and at an electric-gas utility.
Original languageEnglish
JournalInternational Journal of Critical Infrastructure Protection
Issue number3-4
Pages (from-to)150-158
Number of pages9
Publication statusPublished - 2013


  • SCADA systems
  • Intrusion detection
  • Network flow whitelisting

Fingerprint Dive into the research topics of 'Flow whitelisting in SCADA networks'. Together they form a unique fingerprint.

Cite this