legacy compliant data authentication for industrial
play

Legacy-Compliant Data Authentication for Industrial Control System - PowerPoint PPT Presentation

Dec 10, 2022 •216 likes •679 views

Legacy-Compliant Data Authentication for Industrial Control System Traffic John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer and Martn Ochoa Singapore University of Technology and Design 15 th International Conference on Applied

  1. Legacy-Compliant Data Authentication for Industrial Control System Traffic John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer and Martín Ochoa Singapore University of Technology and Design 15 th International Conference on Applied Cryptography and Network Security Japan, Kanazawa, July 11, 2017. ACNS2017 1 1 1

  2. Industrial Control Systems What are ICSs? Automatic control of Industrial Processes: Manufacturing plants Power plants Public transportation infrastructure Utility infrastructure (water treatment, gas/oil, power generation) Source: urvil.wordpress.com ACNS2017 2 2

  3. Industrial Control Systems Industry Evolution Source: http://bcmpublicrelations.com/ ACNS2017 3 3

  4. Industrial Control Systems IT meets OT (Purdue Model) Information Technology: Servers and Client PCs Operational Technology: Servers, PLCs, SCADA, HMI Devices, Actuators and Sensors Integrity Attacks cause Operational Changes Source: https://pgjonline.com/ ACNS2017 4 4

  5. Cyber-security in ICS Motivation: Integrity Attacks Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker PLC PLC Control Center ACNS2017 5

  6. Cyber-security in ICS Motivation: Integrity Attacks !! High level Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker PLC High level PLC Control Center ACNS2017 6

  7. Cyber-security in ICS Motivation: Integrity Attacks !! High level Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker High level PLC PLC Normal level Control Center ACNS2017 7

  8. Cyber-security in ICS Motivation: Integrity Attacks Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker Turn off valve Reduce PLC PLC Chemical Control Center ACNS2017 8

  9. Cyber-security in ICS Motivation: Integrity Attacks Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker Turn on Increase valve Chemical Turn off PLC valve PLC Reduce Chemical Control Center ACNS2017 9

  10. Cyber-security in ICS Motivation: Integrity Attacks Chemical Valve Tank Level Dispenser Controller Monitor Attacker Attacker PLC PLC Control Center ACNS2017 10 10 10

  11. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center ACNS2017 11 11 11

  12. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center ACNS2017 12 12 12

  13. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center ACNS2017 13 13 13

  14. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center ACNS2017 14 14 14

  15. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center Attacker ACNS2017 15 15 15

  16. Countermeasures Authenticity & Integrity checks !! High level High level Tank Level Monitor Control Center Attacker ACNS2017 16 16 16

  17. Countermeasures Authenticity & Integrity checks !! High level Tank Level Monitor Control Center High level Attacker ACNS2017 17 17 17

  18. Countermeasures Authenticity & Integrity checks !! High level Tank Level Monitor Control Center Low level Attacker ACNS2017 18 18 18

  19. Countermeasures Authenticity & Integrity checks !! High level Low level Tank Level Monitor Control Center Attacker ACNS2017 19 19 19

  20. Industrial Control Systems IT/OT Requirements Attribute Information Technology Industrial Control Systems Systems (IT) (OT) Component 3 to 5 years 10 to 15 years Lifetime Connectivity Corporate network, IP-based, Control Network, proprietary standard protocols protocols Performance Non-real-time Real-time Requirements Sources: NIST: Guide to Industrial Control Systems Security. 800-82 Rev2 http://www.wbdg.org/ ACNS2017 20 20 20

  21. Data from a real ICS SWaT Testbed Secure Water Treatment (SWaT) is a testbed for research in the area of cyber security. ACNS2017 21 21 21

  22. Data from a real ICS Real-time requirements ACNS2017 22 22 22

  23. Data from a real ICS Understanding ICS Data By selecting CIP services with critical data our proposal avoids additional processing and bandwidth overheads in comparison with signing all CIP traffic. ACNS2017 23 23 23

  24. Data from a real ICS Understanding ICS Data CIP Services (Critical Data): Read_Tag Write_Tag Read_Tag_Fragmented By selecting CIP services with critical data our proposal avoids additional processing and bandwidth overheads in comparison with signing all CIP traffic. ACNS2017 24 24 24

  25. SPA Protocol Selective Packet Authentication Control Center PLC Bridging Non- Bridging Non- Critical Data Critical Data Signing Verifying Critical Data Critical Data Crypto-featured Hardware Crypto-featured Hardware ACNS2017 25 25 25

  26. Comparison with TLS SPA Evaluation As SPA only signs/verifies selected critical packets, it improves the overall hardened communication rate of the system compared with TLS. ACNS2017 26 26 26

  27. ASPA Protocol Aggregated Selective Packet Authentication Control Center PLC Bridging Non- Bridging Non- Critical Data Critical Data Marking & Marking & Bridging Critical Bridging Critical Data Data Signing Verifying Marked Chunk Marked Chunk Crypto-featured Hardware Crypto-featured Hardware ACNS2017 27 27 27

  28. Comparison with TLS ASPA Evaluation Using Aggregated-SPA the system would achieve higher tolerance communication levels processing different percentages of critical data. x-axis represents chunk of packets to be signed. y-axis represents tolerance at communication level reached by the system. ACNS2017 28 28 28

  29. Implementation Real Scenario on SWaT Testbed PLC1 PLC3 TCP/IP Switch Control Center ACNS2017 29 29 29

  30. Implementation Real Scenario on SWaT Testbed Critical Data PLC1 PLC3 TCP/IP Switch Signs Verifies Control Center ACNS2017 30 30 30

  31. Implementation Real Scenario on SWaT Testbed PLC1 Verifies Signs PLC3 TCP/IP Switch Critical Data Control Center ACNS2017 31 31 31

  32. Implementation Real Scenario on SWaT Testbed PLC1 PLC3 TCP/IP Switch Updates Updates stats stats Control Center ACNS2017 32 32 32

  33. Implementation Real Scenario on SWaT Testbed Monitors Monitors System system Performance performance PLC1 PLC3 TCP/IP Switch Control Center ACNS2017 33 33 33

  34. Benchmark Hardware Selection Hardware Processor CPU Memory Controllino ATmega2560 16 MHz 256 KB Microcontroller ARM (VM*) ARM926EJ-S 540 MHz 256 MB Raspberry PI 2 Quad-core ARM 900 MHz 1 GB Cortex-A7 Raspberry PI 3 Quad-core ARM 1200 MHz 1 GB Cortex-A53 PC (VM*) Intel Core i5-5300 U 2300 MHz 2 GB *VM: Virtual Machine ACNS2017 34 34 34

  35. Benchmark Hardware Performance Data Size Controllino ARM Raspberry Raspberry PC (Bytes) PI2 PI3 64 2.2 x 10 4 76 53 15 2 128 3.3 x 10 4 78 58 16 2 256 5.5 x 10 4 84 69 18 3 512 1 x 10 5 117 89 32 4 1K 1.8 x 10 5 171 130 35 6 2K 3.6 x 10 5 252 211 58 10 4K 7 x 10 5 474 374 104 18 ECDSA N/A 1.5 x 10 5 1 x 10 5 3.2 x 10 4 3.1 x 10 3 All data in μs Cryptographic Algorithms: • Symmetric: HMAC-SHA256 • Asymmetric: ECDSA ACNS2017 35 35 35

  36. ASPA Protocol Performance Evaluation (Speed) 10 7 10 6 10 5 10 4 Pk/s Min Pk/s 10 3 required in SWaT 10 2 10 1 60 100 120 20 40 80 ACNS2017 Aggregated Signature (Pks in a chunk) 36 36 36

  37. Conclusions Our protocols are backward compatible, as they transmit • Protocols Features authentication data as payload in legacy industrial protocols. With inexpensive and fast hardware (Raspberry PI), it is • feasible to enhance legacy plants with authentic channels for strong signature algorithms with simple protocols. It is feasible to significantly raise the bar against attackers • of ICS by including authentication based on modern cryptography without compromising efficiency or cost. We plan to compare the real-time constraints of SWaT • with constraints in other ICS Testbeds (Smart Grid). ACNS2017 37 37 37

  38. Thank you Q & A ACNS2017 38 38 38

  39. Backup Slides ACNS2017 39 39 39

  40. Industrial Control Systems IT/OT Requirements Attribute Information Technology Systems (IT) Industrial Control Systems (OT) Purpose Process transaction, provide information Controls and monitor physical processes Role Support people Control machines Architecture Enterprise wide infrastructure and applications Event-driven, real-time, embedded hardware and customized software Component 3 to 5 years 10 to 15 years Lifetime Interfaces GUI, Web browser, terminal and keyboard Electromechanical, sensors, actuators, coded displays Connectivity Corporate network, IP-based, standard protocols Control Network, proprietary protocols Performance Non-real-time Real-time Requirements Major risk impacts Delay of business operations Environmental impacts, loss of life, equipment, or production Sources: NIST: Guide to Industrial Control Systems Security. 800-82 Rev2 http://www.wbdg.org/ ACNS2017 40 40 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

T-110.557 Research Seminar on Telecommunications Software Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11 Contents HIP base exchange Selected legacy user authentication mechanisms:

241 views • 11 slides
Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal

Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal

Non Delegated CFO Forum Presented by National Treasury 07 November 2016 Compliant and When? Non Compliant Compliant 1. Non Submission of Data string upload to the IDP by End the portal by due dates November 2016. and compliant to:

253 views • 7 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Data.dcs: Converting Legacy Data into Linked Data Matthew Rowe Organisations, Information and

Data.dcs: Converting Legacy Data into Linked Data Matthew Rowe Organisations, Information and

Data.dcs: Converting Legacy Data into Linked Data Matthew Rowe Organisations, Information and Knowledge Group University of Sheffield Data.dcs: Converting Legacy Data into Linked Data Outline Problem Legacy data contained within the

450 views • 15 slides
MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in

MARK 10:1-31 SPIRITUAL LEGACY SPIRITUAL LEGACY Legacy in Marriage v. 1-12 Legacy in Children v. 13-16 Legacy in Eternity v. 17-31 LEGACY IN MARRIAGE 2 Schools of thought 1. Rabbi Sammai- Strict interpretation. Divorce only

775 views • 9 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Distributed Person Data: Using Semantic Web Compliant Data in Subject Name Headings

Distributed Person Data: Using Semantic Web Compliant Data in Subject Name Headings

Northwestern University Feinberg School of Medicine Distributed Person Data: Using Semantic Web Compliant Data in Subject Name Headings Violeta Ilik Head, Digital Systems & Collection Services Galter Health Sciences Library,

540 views • 28 slides
SABANA Shariah Compliant Industrial REIT FY 2019 and 4Q 2019 Financial Results Presentation

SABANA Shariah Compliant Industrial REIT FY 2019 and 4Q 2019 Financial Results Presentation

SABANA Shariah Compliant Industrial REIT FY 2019 and 4Q 2019 Financial Results Presentation 23 January 2020, Thursday Important Notice Disclaimer This presentation shall be read in conjunction with the financial information of Sabana

685 views • 30 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
SABANA Shariah Compliant Industrial REIT 3Q 2019 Financial Results Presentation 24 October

SABANA Shariah Compliant Industrial REIT 3Q 2019 Financial Results Presentation 24 October

SABANA Shariah Compliant Industrial REIT 3Q 2019 Financial Results Presentation 24 October 2019, Thursday Important Notice Disclaimer This presentation shall be read in conjunction with the financial information of Sabana Shariah

475 views • 28 slides
GxP-Compliant Calibration Learning from the Warning Letters Vaisala in Brief We serve

GxP-Compliant Calibration Learning from the Warning Letters Vaisala in Brief We serve

GxP-Compliant Calibration Learning from the Warning Letters Vaisala in Brief We serve customers in controlled environments in life science, power transmission, and other targeted industrial applications. Over 80 years of expertise

746 views • 57 slides
Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy

Legacy Yen Tu Live the legacy Deeply rooted in Vietnams history, the Tran dynastys legacy and the spirit of Truc Lam Yen Zen Buddhism, the Legacy Yen Tu is an inspiring journey into the past. It offers travelers a stay filled with storied

688 views • 32 slides
Introduction To: Public Health Information Management System (PHIMS) Knowledge Management

Introduction To: Public Health Information Management System (PHIMS) Knowledge Management

Introduction To: Public Health Information Management System (PHIMS) Knowledge Management Division Kingston, Frontenac and Lennox & Addington Public Health PHIMS PHIMS uses GIS technology to enhance r eal- time situational awareness and

349 views • 22 slides
MapReduce and its use for indexing The Programming Model and Practice Enrique Alfonseca

MapReduce and its use for indexing The Programming Model and Practice Enrique Alfonseca

MapReduce and its use for indexing The Programming Model and Practice Enrique Alfonseca Manager, Natural Language Understanding Google Research Zurich Tutorial Overview MapReduce programming model Brief intro to MapReduce Use of

997 views • 86 slides
FROM ASHES TO GLORY 5 & 12 November 2017 PAKISTAN Christians are targets for murder , bombings

FROM ASHES TO GLORY 5 & 12 November 2017 PAKISTAN Christians are targets for murder , bombings

FROM ASHES TO GLORY 5 & 12 November 2017 PAKISTAN Christians are targets for murder , bombings , abduction of women , rape , forced marriages and eviction from home and country . Unjust and arbitrary blasphemy laws are used to punish Christians

353 views • 7 slides
Encoding transliteration variation through dimensionality reduction Parth Gupta 1 , Paolo Rosso 1

Encoding transliteration variation through dimensionality reduction Parth Gupta 1 , Paolo Rosso 1

Encoding transliteration variation through dimensionality reduction Parth Gupta 1 , Paolo Rosso 1 and Rafael E. Banchs 2 pgupta@dsic.upv.es 1 Natural Language Engineering Lab Technical University of Valencia (UPV), Spain 2 HLT, Institute for

622 views • 33 slides
Schematic representation of the development of microstructure during the equilibrium

Schematic representation of the development of microstructure during the equilibrium

Schematic representation of the development of microstructure during the equilibrium solidification of a 35 wt% Ni-65 wt% Cu alloy At 1300 C (point a) the alloy is in the liquid condition This continues until the solidification path

1.09k views • 94 slides
Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations

Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations

Status of the Lessons Learned from the Fukushima Dai-ichi Accident Bill Borchardt Executive Director for Operations April 23, 2013 Agenda Overview Mike Johnson Status Update Mike Johnson Orders Dave Skeen Requests for

345 views • 20 slides
Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of

Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of

Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of Life and Death Worship: A Matter of Life and Death 1 Come, let us Come, let us Come, let us Come, let us sing for joy to the LORD; let us shout

680 views • 30 slides

More recommend