Abstract
Recent advances in technology have had an exceptional impact on performance optimization and on the provisioning of more flexible Industrial Control Systems (ICS). Nevertheless, most ICS communication protocols, as currently and widely implemented, are extremely vulnerable to various cyber attacks. This paper proposes a lightweight application-oriented data authentication scheme applicable to existing ICS infrastructures by adopting the characteristics and computational advantages of hash functions and hash chains. Extensive experimental results on a Phoenix Contact industrial controller, which runs the control logic of a real ICS implemented in a Romanian gas transportation network, demonstrate the effectiveness of the proposed scheme and its immediate applicability to existing installations.
Summary
Current technological advances have had an exceptionally strong influence on the provisioning and performance optimization of ever more flexible industrial control systems (ICS). However, most currently implemented ICS communication protocols are extremely vulnerable to various cyber attacks. This contribution proposes a simple application-oriented data authentication scheme that, by adopting the properties and computational advantages of hash functions and hash chains, is applicable to existing ICS infrastructures. Extensive experimental results with a Phoenix Contact industrial controller, which runs the control logic of a real ICS in a Romanian gas transportation network, demonstrate the effectiveness of the proposed approach and its immediate applicability to existing installations.
Funding statement: This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS/CCCDI-UEFISCDI, project number PN-III-P2-2.1-BG-2016-0013, within PNCDI III.
About the authors
Béla Genge is an Associate Professor of Computer Science and a Marie Curie Fellow at Petru Maior University of Tirgu-Mures, Mures, Romania. His research interests include critical infrastructure protection, secure and resilient design of critical control systems, and network security.
Piroska Haller is an Associate Professor of Computer Science at Petru Maior University of Tirgu-Mures, Mures, Romania. Her research interests include industrial control system security and distributed systems.
Adrian-Vasile Duka is an Assistant Professor of Engineering at Petru Maior University of Tirgu-Mures, Mures, Romania. His research interests include control systems engineering and cyber-physical system protection.
Hunor Sándor is a Ph.D. student in Computer Science at the Technical University of Cluj-Napoca, Cluj-Napoca, Romania; and a Researcher in the Department of Computer Science at Petru Maior University of Tirgu-Mures, Mures, Romania. His research interests include reconfigurable networked systems, linear optimization techniques, software-defined networks, and network function virtualization.
© 2019 Walter de Gruyter GmbH, Berlin/Boston