F-Pro: a Fast and Flexible Provenance-Aware Message Authentication Scheme for Smart Grid

Successful attacks against smart grid systems often exploited the insufficiency of checking mechanisms — e.g., commands are largely executed without checking whether they are issued by the legitimate source and whether they are transmitted through the right network path and hence undergone all necessary mediations and scrutinizes. While adding such enhanced security checking into smart grid systems will significantly raise the bar for attackers, there are two key challenges: 1) the need for real-time, and 2) the need for flexibility — i.e., the scheme needs to be applicable to different deployment settings/communication models and counter various types of attacks. In this work, we design and implement F-Pro, a transparent, bump-in-the-wire solution for fast and flexible message authentication scheme that addresses both challenges. Specifically, by using a lightweight hash-chaining-based scheme that supports provenance verification, F-Pro achieves less than 2 milliseconds end-to-end proving and verifying delay for a single or 2-hop communication in a variety of smart grid communication models, when implemented on a low-cost BeagleBoard-X15 platform.

[1]  John Viega,et al.  Network security using OpenSSL - cryptography for secure communications , 2002 .

[2]  Arnar Birgisson,et al.  Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud , 2014, NDSS.

[3]  Sean W. Smith,et al.  Aggregated path authentication for efficient BGP security , 2005, CCS '05.

[4]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[5]  Rafail Ostrovsky,et al.  Sequential Aggregate Signatures and Multisignatures Without Random Oracles , 2006, EUROCRYPT.

[6]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[7]  Paul T. Groth,et al.  The provenance of electronic data , 2008, CACM.

[8]  Andrew K. Wright,et al.  Low-Latency Cryptographic Protection for SCADA Communications , 2004, ACNS.

[9]  F. Cleveland,et al.  IEC TC57 Security Standards for the Power System's Information Infrastructure - Beyond Simple Encryption , 2006, 2005/2006 IEEE/PES Transmission and Distribution Conference and Exhibition.

[10]  Binbin Chen,et al.  On Practical Threat Scenario Testing in an Electric Power ICS Testbed , 2018, CPSS@AsiaCCS.

[11]  Frank Hohlbaum,et al.  Cyber Security Practical considerations for implementing IEC 62351 , 2010 .

[12]  Wei-Peng Chen,et al.  Enhancing Demand Response signal verification in automated Demand Response systems , 2014, ISGT 2014.

[13]  Nils Ole Tippenhauer,et al.  Legacy-Compliant Data Authentication for Industrial Control System Traffic , 2017, ACNS.

[14]  D. Boneh,et al.  A Survey of Two Signature Aggregation Techniques , 2003 .

[15]  Sean W. Smith,et al.  YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems , 2008, SEC.

[16]  Binbin Chen,et al.  Artificial Command Delaying for Secure Substation Remote Control: Design and Implementation , 2019, IEEE Transactions on Smart Grid.

[17]  Markus Jakobsson,et al.  Efficient Constructions for One-Way Hash Chains , 2005, ACNS.