IT Security Protection at Field Level of Industrial Automation Systems


Universität Stuttgart

Institute of Industrial Automation and Software Engineering

Prof. Dr.-Ing. Dr. h. c. P. Göhner

Felix Gutbrodt

International Conference on Embedded Systems and Applications 2007 (ESA '07)

Las Vegas, 27 June 2007


Introduction

Motivation

Attack against the field level of a chemical plant

[Figure: Attacker, Field bus, message "Open Valve 3", Field Device (Valve), Pipeline]

IT Security Protection at Field Level is imperative

(c) 2007 IAS, Universität Stuttgart, Felix Gutbrodt 2


Contents


IT Security at Field Level


Protection Concept for the Field Level


Realization of the Concept


Summary



IT Security at Field Level

The Field Level of Industrial Automation Systems

Classification of field level in automation pyramid
• Lowest hierarchy level
• Connection to technical process

Tasks of the field level
• Acquisition and manipulation of process signals
• Measurement and control within sub-processes

[Figure label: Technical Process]

System elements of the field level
• Field devices
• Field buses

Main constraints of the field level
• Resource limitation
• Real-time requirements


Attacks against the Field Level (1)

Attack against field level IT security
• Purposeful, not legitimate interaction with field level IT systems

Interaction requires access to field level
• Access from higher layers
• Access by physical connection to field level

[Figure: Field Level, with "Attack from higher layers" and "Attack with physical connection to field level"]

Here: Protection against attacks with physical connection to field level


Attacks against the Field Level (2)

Attacks against field buses
• Eavesdropping
• Manipulation of content integrity
• Creation of own messages
• Manipulation of temporal integrity

Attacks against field devices
• Manipulation of functionality

Example: Manipulation of content integrity

Execution of the attack
• Connection to CAN field bus
• Manipulation of content integrity of messages

Field level vulnerable; protection required



Protection Concept for the Field Level

Protection of the Field Level (1)

Protection functionalities against
• Manipulation of communication
• Manipulation of functionality

Deployment of protection functionalities to field devices

[Figure: Field device with protection functionalities: protection of functional integrity, temporal integrity, confidentiality, content integrity, authorization]

Realization of protection functionality that is applicable on field devices?


Decoupling of Protection Functionalities

Heterogeneous technologies at field level
• Different vulnerabilities

Not always all protection functionalities required

[Figure: protection of confidentiality, content integrity, functional integrity, temporal integrity, authorization]

Selection and deployment of required protection functionalities only


Reduction of Diversity of Protective Mechanisms

Protective mechanisms: realize protection functionalities

At development time: Agreement on one / few protective mechanisms

[Figure: protection of confidentiality, content integrity, functional integrity, temporal integrity, authorization, each realized by protective mechanisms]

No negotiations about protective mechanisms required


Modularization of Protective Mechanisms

Implicit use of comparable operations in different, monolithic protective mechanisms

Classes of Protective Mechanisms
5 Surveillance / voting
4 Temporal marks
3 Identifier / credentials
2 Cryptographic hash functions
1 Encryption

[Figure: protection of confidentiality, content integrity, functional integrity, temporal integrity and authorization, each shown with the numbered classes of protective mechanisms it uses]

Multiple use of comparable operations


Multiple Use of Protective Mechanisms

Avoidance of multiple implementation of protective mechanisms
• Singular implementation of protective mechanisms
• Suitable interconnection of protective mechanisms

Classes of Protective Mechanisms
5 Surveillance / voting
4 Temporal marks
3 Identifier / credentials
2 Cryptographic hash functions
1 Encryption

[Figure: protection of confidentiality, content integrity, functional integrity, temporal integrity and authorization, interconnected with the numbered classes of protective mechanisms]

The same protection functionality available while implementing fewer mechanisms


Selection of Protective Mechanisms

Protective mechanisms are based upon other protective mechanisms

Layer architecture

[Figure: protection of confidentiality, content integrity, functional integrity, temporal integrity and authorization, placed on the layers Surveillance / voting, Temporal marks, Identifier / credentials, Cryptographic hash functions, Encryption]

Determination of required protective mechanisms depending on desired protection functionality



Realization of the Concept

Construction of the Layers

Abstraction of concrete protective mechanisms

Class of Protective Mechanism                       Concrete Protective Mechanism
Protection Layer 3: Identifier / credentials        e.g. MAC
Protection Layer 2: Cryptographic hash functions    e.g. MD5
Protection Layer 1: Encryption                      e.g. AES

Arbitrary protective mechanisms usable

Selection criteria for protective mechanisms
• Resource consumption
• Time determinacy
• Protection strength


Software Architecture

Protection Functionality   Class of Protective Mechanism   Protective Mechanism (Examples)
Device Functionality       Surveillance / voting           Code Verifier
Temporal Integrity         Temporal marks                  Time Stamp
Authorization              Identifier / credentials        DSA
Content Integrity          Cryptographic hash functions    SHA-1
Confidentiality            Encryption                      AES
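
An added sketch, not part of the original slides, of how the layers can be stacked to protect one CAN message: the identifier / credentials layer is a MAC built on a hash function, and a counter serves as the temporal mark. HMAC-SHA1, the 4-byte tag, the 16-bit counter, the payload layout and all names are assumptions; the encryption layer (confidentiality) is left out.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; key provisioning is out of scope
TAG_LEN = 4             # assumption: truncated tag so everything fits 8 bytes
CTR_LEN = 2             # assumption: 16-bit counter as the temporal mark


def _tag(can_id: int, counter: int, data: bytes) -> bytes:
    """MAC (layer 3) built on a hash function (layer 2): HMAC-SHA1, truncated."""
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:TAG_LEN]


def protect(can_id: int, counter: int, data: bytes) -> bytes:
    """Build the 8-byte payload: counter | data | tag."""
    if len(data) > 8 - CTR_LEN - TAG_LEN:
        raise ValueError("data does not fit a classic CAN payload")
    return struct.pack(">H", counter) + data + _tag(can_id, counter, data)


class Receiver:
    """Field-device side: accept a payload only if both checks pass."""

    def __init__(self) -> None:
        self.last_counter = {}  # highest accepted counter per CAN identifier

    def accept(self, can_id: int, payload: bytes):
        if not CTR_LEN + TAG_LEN <= len(payload) <= 8:
            return None
        (counter,) = struct.unpack(">H", payload[:CTR_LEN])
        data, tag = payload[CTR_LEN:-TAG_LEN], payload[-TAG_LEN:]
        # Content integrity and authorization: tag must match under the key.
        if not hmac.compare_digest(tag, _tag(can_id, counter, data)):
            return None
        # Temporal integrity: reject replayed or stale messages.
        if counter <= self.last_counter.get(can_id, -1):
            return None
        self.last_counter[can_id] = counter
        return data
```

The short tag and the wrapping counter trade protection strength for payload space and computing time, which are the selection criteria named for the layers.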



Summary

Protection concept for the field level of industrial automation systems
• Effective
• Manipulation proof
• Highly adaptable
• Real-time capable
• Low resource consumption
• Example (compiled for Renesas M16C/62P)
  RBAC: 1 kB (ROM), 0.4 ms
  MD5: 3 kB (ROM), 3.3 ms
  AES: 5 kB (ROM), 5.8 ms



Questions

Thank you for your interest!

E-Mail: felix.gutbrodt@ias.uni-stuttgart.de

www.ias.uni-stuttgart.de
