Security Enhancements for Distributed Control Systems
Security enhancements for distributed control systems (DCSs) must be sensitive to operational issues, especially availability. This paper presents three security enhancements for DCSs that satisfy this requirement: end-to-end security for DCS protocol communications, role-based authorization to control access to devices and prevent unauthorized changes to operational parameters, and reduced operating system kernels for enhanced device security. The security enhancements have been implemented on a laboratory-scale testbed utilizing the DNP3 protocol, which is widely used in electrical power distribution systems. The test results show that the performance penalty for implementing the security enhancements is modest, and that the implemented mechanisms do not interfere with plant operations.
Keywords: DNP3, secure communication, role-based authorization, RTU security, access control, access control model, distributed control system, industrial control system, inside threat