Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes

被引:5
|
作者
Katulic, Filip [1 ]
Sumina, Damir [1 ]
Gros, Stjepan [1 ]
Erceg, Igor [1 ]
机构
[1] Univ Zagreb, Fac Elect Engn & Comp, Zagreb 10000, Croatia
关键词
Computer security; Protocols; Cryptography; Codes; Authentication; Ethernet; Critical infrastructure; Control systems; Automation; communication system security; cyber-physical systems; industrial communication;
D O I
10.1109/ACCESS.2023.3275443
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
Critical infrastructure (CI), such as energy and water distribution systems, is essential for the stability and well-being of the modern society. Industrial automation and control systems (IACSs) form the backbone of CIs and enable the operation of such systems in a safe and reliable manner. However, with the increasing use of industrial Ethernet communication protocols, such as Modbus-over-TCP (Modbus/TCP), once air-gapped IACSs are becoming vulnerable to potential cybersecurity threats. This paper presents a novel method for enhancing the cybersecurity of Modbus/TCP-based IACSs by implementing an authentication method based on message authentication codes (MACs). To provide partial protection of communication even when communicating with legacy Modbus/TCP peers, we propose a novel supervising device that analyzes exchanged messages and verifies the authenticity of the protected messages. To experimentally verify the protection method, a water-treatment cyber-physical system (CPS) was implemented as a digital twin in a programmable logic controller (PLC). The underlying MAC is the Chaskey-12, lightweight MAC defined in IEC 29192-6. It was implemented in the PLC program using the programming languages defined in IEC 61131-3. As an additional contribution, the presented implementation allows protection of communication between PLCs and other Modbus/TCP peers installed in existing IACSs without hardware or firmware modifications. The results show that the method provides protection against network attacks without significantly affecting performance, also demonstrating the feasibility of such protection in IACSs.
引用
收藏
页码:47007 / 47023
页数:17
相关论文
共 50 条
  • [1] Securing Modbus Transactions Using Hash-Based Message Authentication Codes and Stream Transmission Control Protocol
    Hayes, Garrett
    El-Khatib, Khalil
    [J]. 2013 THIRD INTERNATIONAL CONFERENCE ON COMMUNICATIONS AND INFORMATION TECHNOLOGY (ICCIT), 2013, : 179 - 184
  • [2] Message Authentication and Provenance Verification for Industrial Control Systems
    Esiner, Ertem
    Tefek, Utku
    Mashima, Daisuke
    Chen, Binbin
    Kalbarczyk, Zbigniew
    Nicol, David M.
    [J]. ACM TRANSACTIONS ON CYBER-PHYSICAL SYSTEMS, 2023, 7 (04)
  • [3] Intrusion Detection of Industrial Control System based on Modbus TCP Protocol
    Wang Yusheng
    Fan Kefeng
    Lai Yingxu
    Liu Zenghui
    Zhou Ruikang
    Yao Xiangzhen
    Li Lin
    [J]. 2017 IEEE 13TH INTERNATIONAL SYMPOSIUM ON AUTONOMOUS DECENTRALIZED SYSTEMS (ISADS 2017), 2017, : 156 - 162
  • [4] On protecting industrial automation and control systems against electronic attacks
    Wei, Dong
    Jafari, Mohsen
    Lu, Yan
    [J]. 2007 IEEE INTERNATIONAL CONFERENCE ON AUTOMATION SCIENCE AND ENGINEERING, VOLS 1-3, 2007, : 691 - 696
  • [5] Deep Packet Inspection in Industrial Automation Control System to Mitigate Attacks Exploiting Modbus/TCP Vulnerabilities
    Nyasore, Osborn N.
    Zavarsky, Pavol
    Swar, Bobby
    Naiyeju, Raphael
    Dabra, Shubham
    [J]. 2020 IEEE 6TH INT CONFERENCE ON BIG DATA SECURITY ON CLOUD (BIGDATASECURITY) / 6TH IEEE INT CONFERENCE ON HIGH PERFORMANCE AND SMART COMPUTING, (HPSC) / 5TH IEEE INT CONFERENCE ON INTELLIGENT DATA AND SECURITY (IDS), 2020, : 241 - 245
  • [6] Efficient and Lightweight Data Streaming Authentication in Industrial Control and Automation Systems
    Xu, Jian
    Meng, Qingyu
    Wu, Jun
    Zheng, James Xi
    Zhang, Xuyun
    Sharma, Suraj
    [J]. IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, 2021, 17 (06) : 4279 - 4287
  • [7] Caching-based Multicast Message Authentication in Time-critical Industrial Control Systems
    Tefek, Utku
    Esiner, Ertem
    Mashima, Daisuke
    Chen, Binbin
    Hu, Yih-Chun
    [J]. IEEE CONFERENCE ON COMPUTER COMMUNICATIONS (IEEE INFOCOM 2022), 2022, : 1039 - 1048
  • [8] Internet-Based Control of Industrial Automation Systems
    Rahmani, Behrooz
    [J]. JOURNAL OF INTELLIGENT & ROBOTIC SYSTEMS, 2016, 83 (01) : 71 - 83
  • [9] Internet-Based Control of Industrial Automation Systems
    Behrooz Rahmani
    [J]. Journal of Intelligent & Robotic Systems, 2016, 83 : 71 - 83
  • [10] ON CYBER ATTACKS AND SIGNATURE BASED INTRUSION DETECTION FOR MODBUS BASED INDUSTRIAL CONTROL SYSTEMS
    Gao, Wei
    Morris, Thomas H.
    [J]. JOURNAL OF DIGITAL FORENSICS SECURITY AND LAW, 2014, 9 (01) : 37 - 55