A scheme for lightweight SCADA packet authentication

Development and deployment of cyber security measures for legacy SCADA systems usually encounter challenges of limited computation resources in the field devices for supporting the designed cryptography processing. This paper presents a scheme with which the field device performs message authentication and integrity check only on selected critical packets such that it protects the system operation while avoiding high computation workload, and applies the scheme to a transportation SCADA system. The proposed scheme takes into account of the SCADA computation power limitation and real time requirements, and the extreme difficulty of making any changes to hardware or software in the legacy system. AES-CCM and symmetric key methods are applied for providing message authentication and integrity, and a bump-in-the-wire (BITW) implementation approach is adopted to avoid the changes to the legacy system. This lightweight packet authentication scheme is implemented and demonstrated over a testbed of a metro transportation SCADA system. Experiments show the effects of the scheme in blocking malicious packet attack and the comparison with a firewall approach.