Abstract：Industrial control systems (ICSs) are cyber-physical systems (CPSs) which supervise and control physical processes in critical infrastructure industries such as electric power, water treatment, oil & natural gas exploration, transportation, and chemical industry. Based on the observation of ICS'stable and persistent communication data flow control patterns, a concept and a methodology of ICS scenario fingerprinting were proposed which analyze industrial control protocol interactive behavior to represent ICS system-level normal behavior characteristics. ICS scenario fingerprint can identify unique ICS installation, while being used as a more generalized method to establish ICS systems'behavior benchmark and further being used to identify ICS systems'abnormal behavior. Experiments were made to validate the proposed viewpoint, which use real equipment for ICS cyber domain and use simulation for ICS physical domain. Experimental results demonstrate that ICS scenario fingerprinting technique provides ICS security research with a promising method.
 Stouffer K, Falco J, Scarfone K. Guide to Industrial Control Systems (ICS) Security, NIST: special publication 800-82 [R]. 2011.
 彭勇, 江常青, 谢丰, 等. 工业控制系统信息安全研究进展 [J]. 清华大学学报: 自然科学版, 2012, 52(10): 1396-1408. PENG Yong, JIANG Changqing, XIE Feng, et al. Industrial control system cybersecurity research [J]. Journal of Tsinghua University: Sci & Technol, 2012, 52(10): 1396-1408. (in Chinese).
 Falliere N, Murchu L O, Chien E. W32.Stuxnet dossier, Symantec white paper [R]. 2010.
 Bencsáth B, Pék G, Buttyán L, et al. Duqu: A Stuxnet-like malware found in the wild[R/OL]. (2011-10). http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf.
 sKyWIper Analysis Team. sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks[R/OL]. (2012-05). http://www.crysys.hu/skywiper/skywiper.pdf.
 Caselli M, Hadiosmanovi D, Zambon E, et al. On the feasibility of device fingerprinting in industrial control systems [C]//8th International Workshop on Critical Information Infrastructures Security, CRITIS. 2013: 155-166.
 Cheminod M, Durante L, Valenzano A. Review of security issues in industrial networks [J]. IEEE Transactions on Industrial Informatics, 2013, 9(1): 277-293.
 Barbosa R R R, Sadre R, Pras A. A first look into SCADA network traffic [C]//Proceedings of 2012 IEEE Network Operations and Management Symposium, NOMS. 2012.
 Pleijsier E. Towards anomaly detection in SCADA networks using connection patterns [C]//18th Twente Student Conference on IT. 2013.
 Crotti M, Dusi M, Gringoli F, et al. Traffic classification through simple statistical fingerprinting [J]. SIGCOMM Comput Commun Rev, 2007, 37(1): 5-16.
 Garitano I, Siaterlis C, Genge B, et al. A method to construct network traffic models for process control systems [C]//Proceedings of 2012 IEEE 17th International Conference on Emerging Technologies and Factory Automation, ETFA. 2012.
 Cheung S, Dutertre B, Fong M, et al. Using model-based intrusion detection for SCADA networks [C]//SCADA Security Scientific Symposium. 2007.
 Goldenberg N, Wool A. Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems [J]. International Journal of Critical Infrastructure Protection, 2013, 6(2): 63-75.
 Morris T, Vaughn R, Dandass Y. A Retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems [C]//Proceedings of the 2012 45th Hawaii International Conference on System Sciences. 2012.
 Barbosa R R R, Sadre R, Pras A. Flow whitelisting in SCADA networks [J]. International Journal of Critical Infrastructure Protection, 2013, 6(3-4): 150-158.
 ANSI/ISA-99.01.01-2007. Security for industrial automation and control systems: Terminology, concepts and models [R]. 2007.
 IEC/TS 62443-1. Industrial communication networks- Network and system security-Part 1-1: Terminology, concepts and models [R]. 2009.