Security for Industrial Communication Systems

Modern industrial communication networks are increasingly based on open protocols and platforms that are also used in office IT and on the Internet. This reuse simplifies the development and deployment of highly connected systems, but it also exposes the communication system to electronic attacks. This paper gives an overview of IT security issues in industrial automation systems that are built on open communication systems. First, security objectives, electronic attack methods, and the countermeasures available for general IT systems are described, and general security objectives and best practices are listed. For the TCP/IP protocol suite in particular, a wide range of cryptography-based secure communication protocols is available; the paper describes their principles and scope of application. Next, we focus on industrial communication systems, which have a number of security-relevant characteristics that distinguish them from office IT systems. Confidentiality of transmitted data may not be required; however, data and user authentication, as well as access control, are crucial for the mission-critical and safety-critical operation of the automation system. As a result, modern industrial automation systems, if they include security measures at all, emphasize various forms of access control. The paper describes the status of relevant specifications and implementations for a number of standardized automation protocols. Finally, we illustrate the application of security concepts and tools with brief case studies of security issues in the configuration and operation of substations and plants, and in remote access.
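The abstract's central observation, that industrial traffic often needs data authentication, replay protection and access control more than confidentiality, is easy to show in code. The following is an added example written for this page, not code from the paper or from any automation vendor: a control telegram whose payload is sent in clear (so a protocol analyser or intrusion detection sensor can still read the command) but which carries a truncated HMAC-SHA256 tag and a monotonic sequence number, followed by a role-based check on the authenticated command. The frame layout, the shared key, the role names and the command vocabulary are all constructed for the example.

```python
"""Added example: authenticated-but-unencrypted control telegrams.

Frame layout, key, roles and commands are constructed for illustration and
are not taken from any real automation protocol.
"""
import hashlib
import hmac
import struct

MAGIC = b"ICS1"                           # constructed frame identifier
HEADER_FMT = ">4sIH"                      # magic, sequence number, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 10 bytes
TAG_LEN = 16                              # HMAC-SHA256 truncated to 128 bits

# Constructed demo key; a real deployment provisions one per device pair.
SHARED_KEY = bytes(range(32))

# Constructed role model: which commands each role may issue over this link.
ALLOWED = {
    "operator": {"READ", "ACK_ALARM"},
    "engineer": {"READ", "ACK_ALARM", "WRITE_SETPOINT"},
}


def build_telegram(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return MAGIC | seq | len | payload | tag. The payload stays in clear."""
    header = struct.pack(HEADER_FMT, MAGIC, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


def verify_telegram(key: bytes, telegram: bytes, last_seq: int) -> tuple[bytes, int]:
    """Return (payload, seq) if the frame is well-formed, authentic and fresh.

    Raises ValueError otherwise. The tag is checked before the sequence
    number so that forged frames cannot be used to probe the replay window.
    """
    if len(telegram) < HEADER_LEN + TAG_LEN:
        raise ValueError("frame too short")
    magic, seq, length = struct.unpack(HEADER_FMT, telegram[:HEADER_LEN])
    if magic != MAGIC or len(telegram) != HEADER_LEN + length + TAG_LEN:
        raise ValueError("malformed frame")
    body, tag = telegram[:-TAG_LEN], telegram[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    if seq <= last_seq:
        raise ValueError("replayed or stale frame")
    return body[HEADER_LEN:], seq


def authorize(role: str, command: str) -> bool:
    """Access control, applied only to an already-authenticated command."""
    return command in ALLOWED.get(role, set())


def handle(key: bytes, telegram: bytes, last_seq: int, role: str) -> tuple[str, int]:
    """Receiver pipeline: authenticate, then authorize. Returns (status, new_last_seq)."""
    try:
        payload, seq = verify_telegram(key, telegram, last_seq)
    except ValueError as exc:
        return f"rejected: {exc}", last_seq
    command = payload.split(b" ", 1)[0].decode("ascii", "replace")
    if not authorize(role, command):
        # Authentic but not permitted: still advance the counter so the
        # frame cannot be replayed later against a more privileged session.
        return f"denied: {role} may not {command}", seq
    return f"executed: {payload.decode()}", seq


def demo() -> list[str]:
    """Walk through the cases the paper distinguishes, on constructed traffic."""
    out, last = [], 0
    good = build_telegram(SHARED_KEY, 1, b"WRITE_SETPOINT PV101 42.0")
    status, last = handle(SHARED_KEY, good, last, "engineer")
    out.append(status)
    status, last = handle(SHARED_KEY, good, last, "engineer")  # replay of frame 1
    out.append(status)
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0x01                               # flip a payload bit
    status, last = handle(SHARED_KEY, bytes(tampered), last, "engineer")
    out.append(status)
    second = build_telegram(SHARED_KEY, 2, b"WRITE_SETPOINT PV101 99.0")
    status, last = handle(SHARED_KEY, second, last, "operator")  # wrong role
    out.append(status)
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two practical caveats the example glosses over: the receiver's `last_seq` must survive a device restart (or the sequence space must be re-negotiated on reconnect), otherwise a captured frame becomes replayable after a power cycle; and a truncated 128-bit tag is a deliberate trade of security margin for bandwidth on slow serial or radio links, which is exactly the kind of engineering decision the paper's survey of embedded cryptography is meant to inform.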
