This repository contains the source files, testbed configurations, and evaluation results for the paper: P4ICS: P4 In-Network Security for Industrial Control Systems Networks.
P4ICS is a framework that shifts security functions for Industrial Control Systems (ICS) from endpoints into P4-programmable switches, providing confidentiality, integrity, and replay protection for protocols such as Modbus, DNP3, EtherNet/IP, and MQTT. In the testbed pipeline, confidentiality and integrity are implemented in switch externs with AES-CBC and HMAC-SHA256.
-
Dockerfile/ Contains container definitions for running industrial protocol clients and servers on the Kathara testbed.
-
modbus_tep_case_study/ Files and results for the Modbus case study presented in the paper (based on the Tennessee Eastman Process).
-
protocols/ Implementations of ICS client and server applications for:
- EtherNet/IP
- BACnet
- DNP3
- IEC 61850 (libiec61580)
- Profinet
-
results/ Scripts and raw data used to generate the graphs and tables included in the paper.
-
sota/ Code and comparison experiments with the state-of-the-art AES P4 implementation:
Chen, Xiaoqi. Implementing AES Encryption on Programmable Switches via Scrambled Lookup Tables. ACM SIGCOMM SPIN 2020 Workshop on Secure Programmable Network Infrastructure, ACM, 2020.
-
testbed/ A Kathara-based virtual lab to reproduce the P4ICS pipeline outside the physical testbed. Includes:
- Modbus and MQTT support
- P4 source files (folders
s1/ands2/) - Network topology for Kathara
To run the testbed, you need the following software installed on your machine:
-
Docker Used to build and run the containers of protocol clients and servers.
-
Kathara Network emulation platform used to reproduce the P4ICS pipeline and deploy the virtual lab.
Make sure both Docker and Kathara are properly installed and configured before starting the testbed.
-
Clone the repository:
git clone https://github.com/<your-org>/P4ICS.git cd P4ICS/testbed
-
Start the Kathara lab:
kathara lstart
-
Modbus Client
- Inside the
modbusclientterminal you can run the Modbus client interface:The client supports read, write, RTT testing, and different encryption modes.python3 modbus_client.py [options]
- Alternatively, you can run the TLS-enabled client:
python3 tls_client.py
- Inside the
-
MQTT Client
- Inside the
mqttclientterminal you can connect to the broker using plaintext:python3 mqtt_client.py
- Or connect over TLS:
python3 mqtt_client_tls.py
- Inside the
The modbus_client.py provides a CLI with the following options:
- Write to a register
python3 modbus_client.py --write
- Read from a register
python3 modbus_client.py --read
- Write and then read (RW)
python3 modbus_client.py --rw
- Connect to the server only (repeat 5 times)
python3 modbus_client.py --connect --connect-times 5
- RTT test (write) with AES-128 key
python3 modbus_client.py --test-rtt-write 128
- RTT test (read) without encryption
python3 modbus_client.py --test-rtt-read no-encryption
- Continuous read test with AES-256 key
python3 modbus_client.py --test-read 256
- Continuous write test with AES-192 key
python3 modbus_client.py --test-write 192
no-encryption | 128 | 160 | 192 | 224 | 256
These correspond to AES key sizes in bits, used in the P4ICS security pipeline. For secure modes, the switch externs use AES-CBC encryption and HMAC-SHA256 authentication bound to packet context.
- Experimental results include:
- Round-trip time (RTT) comparison between plaintext, TLS, and P4ICS
- CPU, memory, and power overhead on embedded devices (RevPi, Raspberry Pi 5)
- Comparison with state-of-the-art in-network AES implementations
- Modbus monitoring case study over the Tennessee Eastman Process
Scripts to reproduce the plots from the paper are available in the results/ folder.
If you use this repository, please cite our paper:
@article{p4ics,
title = {P4ICS: P4 In-Network Security for Industrial Control Systems Networks},
author = {},
journal = {Preprint submitted to Computer Networks},
year = {2025}
}This project is licensed under the terms of the LICENSE file.