Performance evaluation of an IT security layer in real-time communication

Runde, Markus; Tebbe, Christopher; Niemann, Karl-Heinz

doi:10.1109/etfa.2013.6648104

Cited by 11 publications

(4 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A shared understanding has emerged, that network segmentation for physical separation (so-called demilitarized zones DMZ) are not sufficient to mitigate all attack vectors. Another widespread industrial protocol besides PROFINET is Ethernet/IP, an open standard managed by ODVA 5 . In their security approach, integrity and confidentiality is addressed with the use of TLS and (D)TLS respectively while endpoint authentication can be realized with either pre-shared keys (PSK) or certificates (X.509v3) [3].…”

Section: Analyzing the Automation Systems Marketmentioning

confidence: 99%

“…In fact, various automation field busses such as Ethernet/IP [3] and OPC UA TSN [4] have considered or even adopted security technology from the IT world. As part of the German research project "Sichere Produktion mit verteilten Automatisierungssystemen (SEC PRO )", the performance of security mechanisms as encryption and message authentication in real-time communication was evaluated [5], [6] as well as concepts for platform integrity, key distribution and a public key infrastructure were proposed [7], [8]. As in the SEC PRO study, PROFINET serves as representative technology in the field of real-time automation systems for our work, although the findings are valid for general real-time Ethernet based field bus technologies.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Challenges and prospects of communication security in real-time ethernet automation systems

Müller

Walz

Kiefer

et al. 2018

2018 14th IEEE International Workshop on Factory Communication Systems (WFCS)

View full text Add to dashboard Cite

Real-Time Ethernet has become the major communication technology for modern automation and industrial control systems. On the one hand, this trend increases the need for an automation-friendly security solution, as such networks can no longer be considered sufficiently isolated. On the other hand, it shows that, despite diverging requirements, the domain of Operational Technology (OT) can derive advantage from highvolume technology of the Information Technology (IT) domain. Based on these two sides of the same coin, we study the challenges and prospects of approaches to communication security in realtime Ethernet automation systems. In order to capitalize the expertise aggregated in decades of research and development, we put a special focus on the reuse of well-established security technology from the IT domain. We argue that enhancing such technology to become automation-friendly is likely to result in more robust and secure designs than greenfield designs. Because of its widespread deployment and the (to this date) nonexistence of a consistent securiy architecture, we use PROFINET as a showcase of our considerations. Security requirements for this technology are defined and different well-known solutions are examined according their suitability for PROFINET. Based on these findings, we elaborate the necessary adaptions for the deployment on PROFINET.

show abstract

Section: Analyzing the Automation Systems Marketmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Challenges and prospects of communication security in real-time ethernet automation systems

Müller

Walz

Kiefer

et al. 2018

2018 14th IEEE International Workshop on Factory Communication Systems (WFCS)

View full text Add to dashboard Cite

show abstract

“…instead of adaptions on protocol level, measures as physical network segmentation as well as management processes for training and awareness-raising of employees are described. Focusing on protocol security, the performance of different components of an IT security layer for PROFINET as symmetric and asymmetric encryption and block cipher-as well as hash-based message authentication mechanisms was investigated in [3]. In a related publication, the performance of different message authentication code techniques was analyzed more detailed and compared to theoretical estimations [4].…”

Section: Introductionmentioning

confidence: 99%

PROFINET Real-Time Protection Layer: Performance Analysis of Cryptographic and Protocol Processing Overhead

Müller¹,

Doran²

2018

2018 IEEE 23rd International Conference on Emerging Technologies and Factory Automation (ETFA)

View full text Add to dashboard Cite

Recent times have seen an increasing demand for access to process-data from the field level through to the Internet. This vertical integration of industrial control systems into the IT infrastructure exhibits major drawbacks in the context of security. Such systems now suffer exposure to cyber security attacks well-known from the IT environment. Successful attacks on industrial control systems can lead to downtimes, malfunction of production machinery, cause financial damage and may present a hazard for human life and health. Current automation communication systems generally lack a comprehensive security concept. PROFINET is a widespread Industrial Ethernet standard, fulfilling general communication requirements on automation systems as well as explicit real-time requirements. We elaborate the challenges of protecting the realtime component of PROFINET. We specify the requirements and a concept for ensuring integrity and authenticity using a keyed-hash message authentication code (HMAC) in combination with the cryptographic hash algorithm SHA-3. With a proof of concept implementation of a PROFINET RT protection layer, the performance overhead for generation and transmission of this HMAC and other required data fields, e.g. to prevent replay attacks, could be analyzed. Based on these data the limitations of security technology on real-time systems were explored as was the optimization potential of hardware acceleration.

show abstract

“…Besides concepts for platform integrity, key distribution and a public key infrastructure [1], [2], the performance of symmetric and asymmetric cryptographic algorithms for confidentiality (encryption) as well as of hash-and block cipher based message authentication codes [3], [4] was evaluated. These results, collected in a final report [5], were rated according to a working assumption of a PROFINET systems with a configured cycle time of 1 ms.…”

Section: Introductionmentioning

confidence: 99%

Protecting PROFINET cyclic real-time traffic: A performance evaluation and verification platform

Müller¹,

Doran²

2018

2018 14th IEEE International Workshop on Factory Communication Systems (WFCS)

View full text Add to dashboard Cite

Abstract-PROFINET is a widely adopted, real-time capable Industrial Ethernet standard, that as other automation system technologies, is subject to an increasing level of vertical integration into company's existing IT infrastructure. This integration exposes automation systems to well-known cyber attacks, which leads to a growing need for suitable security solutions. The challenge in protecting PROFINET automation systems is ensuring the suitability of solutions for use with minimal PROFINET cycle times of 250 µs needed to fulfill high-speed motion control market expectations. We develop a prototype of a transparent security switch, designed to apply protection mechanisms on-the-fly. We use this platform to test an initial implementation of a protection system, present preliminary results and further work.

show abstract

Performance evaluation of an IT security layer in real-time communication

Cited by 11 publications

References 1 publication

Challenges and prospects of communication security in real-time ethernet automation systems

Challenges and prospects of communication security in real-time ethernet automation systems

PROFINET Real-Time Protection Layer: Performance Analysis of Cryptographic and Protocol Processing Overhead

Protecting PROFINET cyclic real-time traffic: A performance evaluation and verification platform

Contact Info

Product

Resources

About