Legacy-Compliant Data Authentication for Industrial Control System - - PowerPoint PPT Presentation

Legacy-Compliant Data Authentication for Industrial Control System Traffic John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer and Martín Ochoa Singapore University of Technology and Design 15th International Conference on Applied


SLIDE 1

ACNS2017

Legacy-Compliant Data Authentication for Industrial Control System Traffic

John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer and Martín Ochoa

Singapore University of Technology and Design

15th International Conference on Applied Cryptography and Network Security, Japan, Kanazawa, July 11, 2017.

SLIDE 2

Industrial Control Systems

What are ICSs?

Automatic control of Industrial Processes:

  • Manufacturing plants
  • Power plants
  • Public transportation infrastructure
  • Utility infrastructure (water treatment, gas/oil, power generation)

Source: urvil.wordpress.com

SLIDE 3

Industrial Control Systems

Industry Evolution

Source: http://bcmpublicrelations.com/

SLIDE 4

Industrial Control Systems

IT meets OT (Purdue Model)

  • Information Technology: Servers and Client PCs
  • Operational Technology: Servers, PLCs, SCADA, HMI Devices, Actuators and Sensors

Integrity Attacks cause Operational Changes

Source: https://pgjonline.com/

SLIDES 5-10

Cyber-security in ICS

Motivation: Integrity Attacks

[Figure, built up over six slides. Labels: Control Center, PLC (twice), Attacker (twice), Tank Level Monitor, Valve Controller, Chemical Dispenser. Message labels by slide: slide 6 "High level" and "!! High level"; slide 7 adds "Normal level"; slide 8 "Turn off valve" and "Reduce Chemical"; slide 9 adds "Turn on valve" and "Increase Chemical"; slides 5 and 10 show no message labels.]

SLIDES 11-19

Countermeasures

Authenticity & Integrity checks

[Figure, built up over nine slides. Labels: Control Center, Tank Level Monitor, "High level", "!! High level". An Attacker label appears from slide 15; on slides 18 and 19 the "High level" label reads "Low level".]

SLIDE 20

Industrial Control Systems

IT/OT Requirements

| Attribute | Information Technology Systems (IT) | Industrial Control Systems (OT) |
|---|---|---|
| Component Lifetime | 3 to 5 years | 10 to 15 years |
| Connectivity | Corporate network, IP-based, standard protocols | Control Network, proprietary protocols |
| Performance Requirements | Non-real-time | Real-time |

Sources: NIST: Guide to Industrial Control Systems Security. 800-82 Rev2 http://www.wbdg.org/

SLIDE 21

Data from a real ICS

SWaT Testbed

Secure Water Treatment (SWaT) is a testbed for research in the area of cyber security.

SLIDE 22

Data from a real ICS

Real-time requirements

SLIDES 23-24

Data from a real ICS

Understanding ICS Data

By selecting only the CIP services that carry critical data, our proposal avoids the additional processing and bandwidth overhead of signing all CIP traffic.

CIP Services (Critical Data):

  • Read_Tag
  • Write_Tag
  • Read_Tag_Fragmented

SLIDE 25

SPA Protocol

Selective Packet Authentication

[Figure labels: Control Center; PLC; Crypto-featured Hardware (Bridging Non-Critical Data, Signing Critical Data); Crypto-featured Hardware (Bridging Non-Critical Data, Verifying Critical Data).]

SLIDE 26

Comparison with TLS

SPA Evaluation

As SPA only signs/verifies selected critical packets, it improves the overall hardened communication rate of the system compared with TLS.

SLIDE 27

ASPA Protocol

Aggregated Selective Packet Authentication

[Figure labels: Control Center; PLC; Crypto-featured Hardware (Bridging Non-Critical Data, Marking & Bridging Critical Data, Signing Marked Chunk); Crypto-featured Hardware (Bridging Non-Critical Data, Marking & Bridging Critical Data, Verifying Marked Chunk).]

SLIDE 28

Comparison with TLS

ASPA Evaluation

Using Aggregated-SPA, the system would achieve higher tolerance at the communication level when processing different percentages of critical data.

The x-axis represents the chunk of packets to be signed. The y-axis represents the tolerance at communication level reached by the system.
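A sketch of the aggregation idea from slides 27 and 28, added here as an example and not taken from the authors' implementation. It assumes the chunk tag is an HMAC-SHA256 over the critical payloads in arrival order and that both bridges share a key; the traffic, key and class and function names are constructed for illustration.

```python
import hashlib
import hmac

CRITICAL = {"Read_Tag", "Write_Tag", "Read_Tag_Fragmented"}  # services named on slide 24

class ChunkSigner:
    """Tracks critical packets and yields one tag per completed chunk (assumed scheme)."""

    def __init__(self, key, chunk_size):
        self.key, self.chunk_size = key, chunk_size
        self._reset()

    def _reset(self):
        self.mac, self.pending = hmac.new(self.key, digestmod=hashlib.sha256), 0

    def feed(self, service, payload):
        """Return the chunk tag when a chunk completes, otherwise None."""
        if service not in CRITICAL:
            return None                      # bridged, never authenticated
        # Length prefix keeps packet boundaries unambiguous inside the MAC.
        self.mac.update(len(payload).to_bytes(2, "little") + payload)
        self.pending += 1
        if self.pending < self.chunk_size:
            return None
        tag = self.mac.digest()
        self._reset()
        return tag

def run_link(packets, key, chunk_size, tamper_at=None):
    """Simulate signer -> link -> verifier; return one verdict per completed chunk."""
    tx, rx = ChunkSigner(key, chunk_size), ChunkSigner(key, chunk_size)
    verdicts = []
    for i, (service, payload) in enumerate(packets):
        sent_tag = tx.feed(service, payload)
        if i == tamper_at:                   # payload altered between the bridges
            payload = payload[:-1] + bytes([payload[-1] ^ 0xFF])
        seen_tag = rx.feed(service, payload)
        if sent_tag is not None:
            verdicts.append(hmac.compare_digest(sent_tag, seen_tag))
    return verdicts

# Constructed traffic: 6 critical packets interleaved with 3 non-critical ones.
KEY = b"constructed-demo-key"
TRAFFIC = [("Read_Tag", b"level_a"), ("Forward_Open", b"x"), ("Write_Tag", b"valve=1"),
           ("Read_Tag", b"flow_a"), ("Get_Attribute_All", b"y"), ("Read_Tag", b"level_b"),
           ("Write_Tag", b"pump=0"), ("Forward_Open", b"z"), ("Read_Tag", b"ph_a")]
```

With a chunk size of 3, a change to any critical packet fails the verdict for its whole chunk, and only once that chunk closes. With a chunk size of 4, the last two critical packets never receive a verdict in this sketch, so a deployment needs a rule for flushing partial chunks.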

SLIDES 29-33

Implementation

Real Scenario on SWaT Testbed

[Figure, built up over five slides. Labels: Control Center, PLC1, TCP/IP Switch, PLC3. Annotations by slide: slides 30 and 31 "Signs", "Verifies", "Critical Data"; slide 32 "Updates stats" (twice); slide 33 "Monitors system performance" (twice).]

SLIDE 34

Benchmark

Hardware Selection

| Hardware | Processor | CPU | Memory |
|---|---|---|---|
| Controllino | ATmega2560 Microcontroller | 16 MHz | 256 KB |
| ARM (VM*) | ARM926EJ-S | 540 MHz | 256 MB |
| Raspberry PI 2 | Quad-core ARM Cortex-A7 | 900 MHz | 1 GB |
| Raspberry PI 3 | Quad-core ARM Cortex-A53 | 1200 MHz | 1 GB |
| PC (VM*) | Intel Core i5-5300U | 2300 MHz | 2 GB |

*VM: Virtual Machine

SLIDE 35

Benchmark

Hardware Performance

Cryptographic Algorithms:

  • Symmetric: HMAC-SHA256
  • Asymmetric: ECDSA

| Data Size (Bytes) | Controllino | ARM | Raspberry PI2 | Raspberry PI3 | PC |
|---|---|---|---|---|---|
| 64 | 2.2 x 10^4 | 76 | 53 | 15 | 2 |
| 128 | 3.3 x 10^4 | 78 | 58 | 16 | 2 |
| 256 | 5.5 x 10^4 | 84 | 69 | 18 | 3 |
| 512 | 1 x 10^5 | 117 | 89 | 32 | 4 |
| 1K | 1.8 x 10^5 | 171 | 130 | 35 | 6 |
| 2K | 3.6 x 10^5 | 252 | 211 | 58 | 10 |
| 4K | 7 x 10^5 | 474 | 374 | 104 | 18 |
| ECDSA | N/A | 1.5 x 10^5 | 1 x 10^5 | 3.2 x 10^4 | 3.1 x 10^3 |

All data in μs

SLIDE 36

ASPA Protocol

Performance Evaluation (Speed)

[Plot: Pk/s (y-axis) against Aggregated Signature, Pks in a chunk (x-axis), with the Min Pk/s required in SWaT marked.]

SLIDE 37

Conclusions

Features Protocols

  • Our protocols are backward compatible, as they transmit authentication data as payload in legacy industrial protocols.
  • With inexpensive and fast hardware (Raspberry PI), it is feasible to enhance legacy plants with authentic channels for strong signature algorithms with simple protocols.
  • It is feasible to significantly raise the bar against attackers of ICS by including authentication based on modern cryptography without compromising efficiency or cost.
  • We plan to compare the real-time constraints of SWaT with constraints in other ICS Testbeds (Smart Grid).

SLIDE 38

Thank you

Q & A

SLIDE 39

Backup Slides

SLIDE 40

Industrial Control Systems

IT/OT Requirements

| Attribute | Information Technology Systems (IT) | Industrial Control Systems (OT) |
|---|---|---|
| Purpose | Process transaction, provide information | Control and monitor physical processes |
| Role | Support people | Control machines |
| Architecture | Enterprise wide infrastructure and applications | Event-driven, real-time, embedded hardware and customized software |
| Component Lifetime | 3 to 5 years | 10 to 15 years |
| Interfaces | GUI, Web browser, terminal and keyboard | Electromechanical, sensors, actuators, coded displays |
| Connectivity | Corporate network, IP-based, standard protocols | Control Network, proprietary protocols |
| Performance Requirements | Non-real-time | Real-time |
| Major risk impacts | Delay of business operations | Environmental impacts, loss of life, equipment, or production |

Sources: NIST: Guide to Industrial Control Systems Security. 800-82 Rev2 http://www.wbdg.org/

SLIDES 41-42

Injecting data into Ethernet IP Protocol

Ethernet Frame:

  • Ethernet Header: 14 Bytes
  • IP Header: 20 Bytes
  • TCP/UDP Header: 20 Bytes
  • Encapsulation Packet: Encapsulation Header, Encapsulation Data
  • CRC

Encapsulation Header:

  • Command: 2 Bytes
  • Length: 2 Bytes
  • Session Handle: 4 Bytes
  • Status: 4 Bytes
  • Sender Context: 8 Bytes
  • Options: 4 Bytes

Encapsulation Data (Common Packet Format):

  • Item Count (Usual = 2): 2 Bytes
  • Address Item: Type ID (2 Bytes), Length l1 (2 Bytes), Data (Connection ID, l1 Bytes)
  • Data Item: Type ID (2 Bytes), Length l2 (2 Bytes), Data (CIP Data, l2 Bytes)

Slide 42 adds to the Common Packet Format:

  • Signature Item: Type ID (2 Bytes), Length l3 (2 Bytes), Data (Signature, l3 Bytes)
  • Item Count annotated "3 X"
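The signature item from slide 42, worked through as an added example that is not the authors' code. It handles only the Common Packet Format part as the slide draws it, and it assumes a hypothetical Type ID of 0x00F0 for the signature item, an HMAC-SHA256 computed over the serialized legacy items, and a pre-shared key; the sample packet is constructed.

```python
import hashlib
import hmac
import struct

ADDR_ITEM = 0x00A1   # connected address item (carries the Connection ID)
DATA_ITEM = 0x00B1   # connected data item (carries the CIP data)
SIG_ITEM = 0x00F0    # hypothetical Type ID for the signature item (assumption)

def parse_cpf(buf):
    """Split Common Packet Format bytes into a list of (type_id, data)."""
    (count,) = struct.unpack_from("<H", buf, 0)
    items, off = [], 2
    for _ in range(count):
        type_id, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("item length exceeds buffer")
        items.append((type_id, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last item")
    return items

def build_cpf(items):
    """Serialize items as Item Count followed by Type ID, Length, Data."""
    body = b"".join(struct.pack("<HH", t, len(d)) + d for t, d in items)
    return struct.pack("<H", len(items)) + body

def sign_cpf(cpf, key):
    """Sender side: append a signature item (Item Count goes from 2 to 3)."""
    items = parse_cpf(cpf)
    tag = hmac.new(key, build_cpf(items), hashlib.sha256).digest()
    return build_cpf(items + [(SIG_ITEM, tag)])

def verify_and_strip(cpf, key):
    """Receiver side: return the legacy CPF, or None if the check fails."""
    items = parse_cpf(cpf)
    if not items or items[-1][0] != SIG_ITEM:
        return None                      # critical packet arrived unsigned
    legacy = build_cpf(items[:-1])
    expected = hmac.new(key, legacy, hashlib.sha256).digest()
    return legacy if hmac.compare_digest(items[-1][1], expected) else None

# Constructed sample: Connection ID 0x11223344 and eight bytes standing in for CIP data.
KEY = b"constructed-demo-key"
LEGACY = build_cpf([(ADDR_ITEM, struct.pack("<I", 0x11223344)),
                    (DATA_ITEM, bytes.fromhex("0100cc0000c40001"))])
SIGNED = sign_cpf(LEGACY, KEY)
```

The Length field in the encapsulation header has to grow by the size of the added item (4 + 32 bytes here) before the packet is forwarded. The sketch carries no counter or timestamp, so on its own it does not detect replay of an earlier signed packet.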

SLIDE 43

Authentication Protocols

Implementation:

Real Scenario on SWaT Testbed

  • SCADA's supervisory reads PLC variables of the signing-verification process.
  • Statistics about integrity checks might be summarized.
  • In case integrity violations happen, an alarm will trigger.

SLIDE 44

Implementation

Real Scenario on SWaT Testbed

A Raspberry PI is directly connected between the hardened PLC and its closest switch. It bridges communication between the PLC and the rest of the system.

SLIDE 45

Implementation

Real Scenario on SWaT Testbed

Different tags were configured in the PLC program to store statistics about the signing/verification process. This allows the process to be monitored and debugged.