Challenges and prospects of communication security in real-time ethernet automation systems

Müller, Thomas; Walz, Andreas; Kiefer, Manuel; Doran, Hans Dermot; Sikora, Axel

doi:10.1109/wfcs.2018.8402338

Cited by 15 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bidirectional communications using the client/server model may use TLS between application slices deployed onto multiple devices. However, secure multicast communication is challenging in ICS when using Datagram TLS or IPSECbased virtual private networks [9]. Other challenges of applying TLS may include performance tradeoffs, channel multiplexing, constrained components, time synchronization.…”

Section: Related Workmentioning

confidence: 99%

“…Selective protection of "data of interest" helps in better system performance while ensuring adequate security. In such cases, a blanket approach like TLS may induce latency overheads [9].…”

Section: Related Workmentioning

confidence: 99%

“…Third, traditional methods may require more resources than are available on resource-constrained PLCs. Subsequently, maintaining a balance between the demands of communication security in ICS becomes a key challenge [9]. Hence, for an ICS application developer, the only available option to protect against such attacks is to include communication security mechanisms manually into the application.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Secure Links: Secure-by-Design Communications in IEC 61499 Industrial Control Applications

Tanveer

Sinha

Kuo

2021

IEEE Trans. Ind. Inf.

View full text Add to dashboard Cite

Increasing automation and external connectivity in industrial control systems (ICS) demand a greater emphasis on software-level communication security. In this article, we propose a secure-by-design development method for building ICS applications, where requirements from security standards like ISA/IEC 62443 are fulfilled by design-time abstractions called secure links. Proposed as an extension to the IEC 61499 development standard, secure links incorporate both light-weight and traditional security mechanisms into applications with negligible effort. Applications containing secure links can be automatically compiled into fully IEC 61499-compliant software. Experimental results show secure links significantly reduce design and code complexity and improve application maintainability and requirements traceability.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Secure Links: Secure-by-Design Communications in IEC 61499 Industrial Control Applications

Tanveer

Sinha

Kuo

2021

IEEE Trans. Ind. Inf.

View full text Add to dashboard Cite

show abstract

“…This is not only very time consuming but also may not be of highest priority since in most use cases the transmitted data may not be confidential. b) Implementation Principles: Almost all existing security solutions are designed and implemented for the use in standard office IT environment and therefore quite certainly not suitable for the usage in operation technology (OT) networks without adaption [10]. Nevertheless, solutions to protect PROFINET communication should build upon wellestablished and widespread standards.…”

Section: B Requirements Specificationmentioning

confidence: 99%

PROFINET Real-Time Protection Layer: Performance Analysis of Cryptographic and Protocol Processing Overhead

Müller¹,

Doran²

2018

2018 IEEE 23rd International Conference on Emerging Technologies and Factory Automation (ETFA)

Self Cite

View full text Add to dashboard Cite

Recent times have seen an increasing demand for access to process-data from the field level through to the Internet. This vertical integration of industrial control systems into the IT infrastructure exhibits major drawbacks in the context of security. Such systems now suffer exposure to cyber security attacks well-known from the IT environment. Successful attacks on industrial control systems can lead to downtimes, malfunction of production machinery, cause financial damage and may present a hazard for human life and health. Current automation communication systems generally lack a comprehensive security concept. PROFINET is a widespread Industrial Ethernet standard, fulfilling general communication requirements on automation systems as well as explicit real-time requirements. We elaborate the challenges of protecting the realtime component of PROFINET. We specify the requirements and a concept for ensuring integrity and authenticity using a keyed-hash message authentication code (HMAC) in combination with the cryptographic hash algorithm SHA-3. With a proof of concept implementation of a PROFINET RT protection layer, the performance overhead for generation and transmission of this HMAC and other required data fields, e.g. to prevent replay attacks, could be analyzed. Based on these data the limitations of security technology on real-time systems were explored as was the optimization potential of hardware acceleration.

show abstract

“…A body of work on optimizing PROFINET IRT for fast cycle times [6] states typical system boundaries of such applications: 8 to 256 Bytes payload and 250 µs cycle time with a 50:50 real-time to non-real-time traffic duty cycle. The challenges on finding suitable solutions for protecting PROFINET and general real-time Ethernet automation systems as well as corresponding requirements were investigated in [7], In Section II we elaborate the performance overhead produced by additional protocol fields for protecting PROFINET real-time traffic as well as a brief theoretical background on proposed cryptographic building blocks. Section III describes the ongoing work of the prototypal implementation of a security switch.…”

Section: Introductionmentioning

confidence: 99%

Protecting PROFINET cyclic real-time traffic: A performance evaluation and verification platform

Müller¹,

Doran²

2018

2018 14th IEEE International Workshop on Factory Communication Systems (WFCS)

Self Cite

View full text Add to dashboard Cite

Abstract-PROFINET is a widely adopted, real-time capable Industrial Ethernet standard, that as other automation system technologies, is subject to an increasing level of vertical integration into company's existing IT infrastructure. This integration exposes automation systems to well-known cyber attacks, which leads to a growing need for suitable security solutions. The challenge in protecting PROFINET automation systems is ensuring the suitability of solutions for use with minimal PROFINET cycle times of 250 µs needed to fulfill high-speed motion control market expectations. We develop a prototype of a transparent security switch, designed to apply protection mechanisms on-the-fly. We use this platform to test an initial implementation of a protection system, present preliminary results and further work.

show abstract

Challenges and prospects of communication security in real-time ethernet automation systems

Cited by 15 publications

References 11 publications

Secure Links: Secure-by-Design Communications in IEC 61499 Industrial Control Applications

Secure Links: Secure-by-Design Communications in IEC 61499 Industrial Control Applications

PROFINET Real-Time Protection Layer: Performance Analysis of Cryptographic and Protocol Processing Overhead

Protecting PROFINET cyclic real-time traffic: A performance evaluation and verification platform

Contact Info

Product

Resources

About