Message Authentication and Provenance Verification for Industrial Control Systems

IF 2 Q3 COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS ACM Transactions on Cyber-Physical Systems Pub Date : 2023-07-06 DOI:10.1145/3607194
Ertem Esiner, Utku Tefek, D. Mashima, Binbin Chen, Z. Kalbarczyk, D. Nicol
{"title":"Message Authentication and Provenance Verification for Industrial Control Systems","authors":"Ertem Esiner, Utku Tefek, D. Mashima, Binbin Chen, Z. Kalbarczyk, D. Nicol","doi":"10.1145/3607194","DOIUrl":null,"url":null,"abstract":"Successful attacks against industrial control systems (ICS) often exploit insufficient checking mechanisms. While firewalls, intrusion detection systems, and similar appliances introduce essential checks, their efficacy depends on the attackers’ ability to bypass such middleboxes. We propose a provenance solution to enable the verification of end-to-end message delivery path and the actions performed on a message. Fast and flexible provenance verification (F2-Pro) provides cryptographically verifiable evidence that a message has originated from a legitimate source and gone through the necessary checks before reaching its destination. F2-Pro relies on lightweight cryptographic primitives and flexibly supports various communication settings and protocols encountered in ICS thanks to its transparent, bump-in-the-wire design. We provide formal definitions and cryptographically prove F2-Pro ’s security. For human interaction with ICS via a field service device, F2-Pro features a multi-factor authentication mechanism that starts the provenance chain from a human user issuing commands. We compatibility tested F2-Pro on a smart power grid testbed and reported a sub-millisecond latency overhead per communication hop using a modest ARM Cortex-A15 processor.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"1 1","pages":""},"PeriodicalIF":2.0000,"publicationDate":"2023-07-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Cyber-Physical Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3607194","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS","Score":null,"Total":0}
引用次数: 1

Abstract

Successful attacks against industrial control systems (ICS) often exploit insufficient checking mechanisms. While firewalls, intrusion detection systems, and similar appliances introduce essential checks, their efficacy depends on the attackers’ ability to bypass such middleboxes. We propose a provenance solution to enable the verification of end-to-end message delivery path and the actions performed on a message. Fast and flexible provenance verification (F2-Pro) provides cryptographically verifiable evidence that a message has originated from a legitimate source and gone through the necessary checks before reaching its destination. F2-Pro relies on lightweight cryptographic primitives and flexibly supports various communication settings and protocols encountered in ICS thanks to its transparent, bump-in-the-wire design. We provide formal definitions and cryptographically prove F2-Pro ’s security. For human interaction with ICS via a field service device, F2-Pro features a multi-factor authentication mechanism that starts the provenance chain from a human user issuing commands. We compatibility tested F2-Pro on a smart power grid testbed and reported a sub-millisecond latency overhead per communication hop using a modest ARM Cortex-A15 processor.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
工业控制系统的消息认证和来源验证
针对工业控制系统(ICS)的成功攻击通常利用不足的检查机制。虽然防火墙、入侵检测系统和类似设备引入了必要的检查,但它们的有效性取决于攻击者绕过此类中间盒的能力。我们提出了一种出处解决方案,以实现对端到端消息传递路径和对消息执行的操作的验证。快速灵活的出处验证(F2 Pro)提供了可加密验证的证据,证明消息来源合法,并在到达目的地之前经过了必要的检查。F2 Pro依赖于轻量级的加密原语,并灵活地支持ICS中遇到的各种通信设置和协议,这得益于其透明的、内嵌式的设计。我们提供了形式化的定义,并以密码方式证明了F2 Pro的安全性。对于通过现场服务设备与ICS进行的人机交互,F2 Pro具有多因素身份验证机制,该机制从发出命令的人类用户开始启动来源链。我们在智能电网测试台上对F2 Pro进行了兼容性测试,并报告了使用适度的ARM Cortex-A15处理器的每个通信跳的亚毫秒延迟开销。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
ACM Transactions on Cyber-Physical Systems
ACM Transactions on Cyber-Physical Systems COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS-
CiteScore
5.70
自引率
4.30%
发文量
40
期刊最新文献
On Cyber-Physical Fault Resilience in Data Communication: A Case From A LoRaWAN Network Systems Design DistressNet-NG: A Resilient Data Storage and Sharing Framework for Mobile Edge Computing in Cyber-Physical Systems A Blockchain Architecture to Increase the Resilience of Industrial Control Systems from the Effects of a Ransomware Attack: A Proposal and Initial Results A Combinatorial Optimization Analysis Method for Detecting Malicious Industrial Internet Attack Behaviors Statistical Verification using Surrogate Models and Conformal Inference and a Comparison with Risk-aware Verification
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1