TCP veto: A novel network attack and its Application to SCADA protocols

TCP veto is a detection-resistant variation of the TCP connection hijacking attack. While not limited to SCADA protocols, Modbus TCP, the Ethernet Industrial Protocol (EtherNet/IP), and the Distributed Network Protocol (DNP3) each meet the necessary assumptions of the attack. Experimental results reveal that the integrity of messages transmitted using each of the three SCADA protocols are vulnerable to TCP veto. Additionally, TCP veto produces up to 600 times less network traffic during its attack than connection hijacking. This work underscores the vulnerability of current SCADA protocols that communicate over TCP/IP to network attack. A method to definitively identify TCP veto requires a detection system to perform deep packet inspection on every TCP packet of a monitored connection. Methods for mitigating the attack through message authentication include implementing DNP3 with Secure Authentication, tcpcrypt, or Internet Protocol Security (IPsec).