
Title: Authentication Protocol for ICS without Encryption

Conference ·
OSTI ID:23005528
 [1];  [2]
  1. Florida International University (United States)
  2. Savannah River National Laboratory - SRNL (United States)

The term industrial control systems (ICS) describes the different types of control systems and associated instrumentation, which includes the devices, systems, networks, and controls used to operate and/or automate industrial processes. Depending on the industry, each ICS functions differently and is built to electronically manage tasks efficiently. Historically, industrial plants have included networking, and changes have been made over time without consideration for security. Many ICS devices currently have inadequate security features. Adding encryption in ICS is undesirable because many of the new detection methods involve deep packet inspection. Therefore, we propose to develop a method of providing authentication between devices without encrypting the data. This testbed design will allow rapid development and experimentation with Cyber Physical Systems. Modbus connects to a supervisory computer with a Remote Terminal Unit (RTU) in Supervisory Control and Data Acquisition (SCADA) systems. Our project seeks to enhance security in the ICS environment by adding device authentication to the lower levels of the plant floor. This approach was selected as it allows verification of the sender of data from level 1/level 0 devices up to supervisory systems. This addition is desirable as it adds enhanced verification to the integrity of system data without obscuring (via encryption) the data being transmitted across the network. This is important because many ICS systems are real-time critical (decryption adds to latency) and many other good security options require deep packet inspection (which encryption completely defeats). To accomplish this, a proof of concept of adding an authentication scheme was designed and will be tested with a common ICS protocol. The setup includes a single serial cable connecting the serial ports on two devices, a Master and a Minion.
Authentication will occur in the following methods:
- Data layer involving Transport Layer Security/Secure Socket Layer (TLS/SSL);
- TCP/IP route implementation;
- Key exchange algorithm;
- Raspberry Pi programming for authentication.

A portion of the setup includes adding a Raspberry Pi to the system as the device that handles authentication for the network traffic. Modbus is the chosen ICS protocol. It is used to transmit signals from instrumentation and control devices back to a main controller or data gathering system. Typically, the device identity is assumed but not verified. For verifying device identity, we constructed a digital signature architecture with TLS. A novel adaptation of this is to use only the digital signature that is provided and not the encryption capability. This allows ICS traffic to flow unobscured while still providing verification for the integrity of the data. Verification of this process will involve adding additional I/O level network devices with spoofed IP addresses and detecting the authenticated versus unauthenticated traffic. Our TLS implementation will have encryption disabled but should still allow for digital signing of data. This will enable our system to distinguish between real end devices and spoofed end devices. The test setup for this experiment is presently being built. It focuses on a small setting to identify authenticated and unauthenticated devices on the network. This should allow for scaling to a larger network size after the initial proof of concept. One concern with this scheme is that certificate deployment entails large-scale key management. Network size will thus increase the key management task for security. In addition, we believe that further research should be done on exploring the use of this method to defeat man-in-the-middle attacks.
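
The property described above, as an added example that is not the authors' code: a Modbus request stays readable on the wire for deep packet inspection, while an appended tag lets the receiver reject frames from a device that lacks the key. It swaps the TLS certificate-based signature for an HMAC-SHA256 tag over a pre-shared key so that it runs on the Python standard library alone; the function names, the sequence-number field and the wire layout are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
SEQ_LEN = 4   # assumed 32-bit sequence number, not part of Modbus

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def read_holding_registers(unit: int, start: int, count: int) -> bytes:
    """Build a plain Modbus RTU request frame (function 0x03)."""
    body = struct.pack(">BBHH", unit, 0x03, start, count)
    return body + struct.pack("<H", modbus_crc16(body))  # CRC low byte first

def seal(key: bytes, seq: int, frame: bytes) -> bytes:
    """Append sequence number and tag; the frame itself stays cleartext."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return frame + header + tag

def verify(key: bytes, last_seq: int, wire: bytes):
    """Return (frame, seq) if the tag is valid and seq is fresh, else None."""
    if len(wire) < 4 + SEQ_LEN + TAG_LEN:  # shortest RTU frame is 4 bytes
        return None
    frame = wire[:-(SEQ_LEN + TAG_LEN)]
    header = wire[-(SEQ_LEN + TAG_LEN):-TAG_LEN]
    tag = wire[-TAG_LEN:]
    expected = hmac.new(key, header + frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    seq = struct.unpack(">I", header)[0]
    if seq <= last_seq:  # replayed or stale frame
        return None
    return frame, seq

def inspect(wire: bytes) -> dict:
    """What a passive inspection sensor reads without holding any key."""
    unit, func, start, count = struct.unpack(">BBHH", wire[:6])
    return {"unit": unit, "function": func, "start": start, "count": count}
```
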

Research Organization:
WM Symposia, Inc., PO Box 27646, 85285-7646 Tempe, AZ (United States)
OSTI ID:
23005528
Report Number(s):
INIS-US-21-WM-P5; TRN: US21V1464045862
Resource Relation:
Conference: WM2019: 45. Annual Waste Management Conference, Phoenix, AZ (United States), 3-7 Mar 2019; Other Information: Country of input: France; available online at: https://www.xcdsystem.com/wmsym/2019/index.html
Country of Publication:
United States
Language:
English