Design and Optimization of Security Monitoring and Controlling Protocol in Industrial Control Systems

doi:10.3969/j.issn.1671-1122.2019.02.008

Abstract

Abstract:

The security threats to industrial monitoring and controlling protocols mainly include integrity, freshness and confidentiality. In contrast, existing industrial monitoring and controlling protocols usually place the first priority on the availability of transmitted data. The study on the security of protocols mainly focuses on the improvement of the confidentiality of the protocols but lack consideration for integrity. Aiming at issues above, the paper uses message authentication code technology to enhance the integrity of monitoring messages and uses a combination of random numbers and the Diffie-Hellman key exchange algorithm to generate the session symmetric key, to avoid the man-in-the-middle attack in the process of Diffie-Hellman key exchange. For the characteristics of the operating environment of special industrial control systems such as limited resources, the paper optimizes the designed protocol on the premise of ensuring the integrity, in order to improve the runtime efficiency of the protocol. Through the analysis of security and performance, the protocol scheme can effectively solve security problems such as source and target authentication, monitoring message integrity authentication, and resistance to reply attacks, etc.

Key words: industrial control system, monitoring and controlling protocol, integrity authentication, message authentication code, key agreement

CLC Number:

TP309

Ruiying CHEN, Zemao CHEN, Hao WANG. Design and Optimization of Security Monitoring and Controlling Protocol in Industrial Control Systems[J]. Netinfo Security, 2019, 19(2): 60-69.

Figures/Tables 4

References 19

[1]	WANG Xiaoshan, YANG An, SHI Zhiqiang, et al.New Trend of Information Security in Industrial Control Systems[J]. Netinfo Security, 2015, 15(1): 6-11.
	王小山,杨安,石志强,等. 工业控制系统信息安全新趋势[J]. 信息网络安全,2015,15(1):6-11.
[2]	CHEN Xing, JIA Zhuosheng.Industrial Control Network Information Security Threats and Vulnerability Analysis and Research[J]. Computer Science, 2012, 39(s2): 188-190.
	陈星,贾卓生. 工业控制网络的信息安全威胁与脆弱性分析与研究[J]. 计算机科学,2012,39(s2):188-190.
[3]	SHI Xi, CHEN Zhen, WANG Dongsheng, et al.A Research of the Key Technology of the Aggregative Security Gateway of Internet of Things[J]. Netinfo Security, 2012, 12(6): 85-89.
	石希,陈震,汪东升,等. 物联网汇聚安全网关关键技术研究[J]. 信息网络安全,2012,12(6):85-89.
[4]	HOU Weiyan, FEI Minrui.PROFIBUS Protocol Analysis and System Application[M]. Beijing: Tsinghua University Press, 2006.
	侯维岩,费敏锐. PROFIBUS协议分析和系统应用[M]. 北京:清华大学出版社,2006.
[5]	XU Shanshan.Research of Lightweight Data Security Transmission for Industrial Control System[D]. Hangzhou: Zhejiang University, 2016.
	徐珊珊. 工业控制系统轻量级数据安全传输的研究[D]. 杭州:浙江大学,2016.
[6]	CHEN L, CHENG Z, SMART N P.Identity-based Key Agreement Protocols from Pairings[J]. International Journal of Information Security, 2007, 6(4): 213-241.
[7]	FAN Wenbin.Analysis of Security Protection on Industrial Control Protocol[J]. Electronic Science & Technology, 2015, 2(3): 334-337.
	范文斌. 工业控制协议安全防护分析[J]. 电子科学技术,2015,2(3):334-337.
[8]	CARLSEN U.Cryptographic Protocol Flaws: Know Your Enemy[C]//IEEE. The Computer Security Foundations Workshop VII, June 14-16, 1994, Franconia, NH, USA. New Jersey: IEEE, 1994: 192-200.
[9]	ZHANG Xiaomei, WU Fusheng, PENG Changgen.Random Key Agreement Protocol for Provable Security[J]. Modern Electronics Technique, 2017, 40(13): 87-90.
	张小梅,吴福生,彭长根. 可证明安全的随机密钥协商协议[J]. 现代电子技术,2017,40(13):87-90.
[10]	ZHANG Shaolan.Design and Security Analysis on Several Cryptograpy Hash Functions[D]. Beijing: Beijing University of Posts and Telecommunications, 2011.
	张绍兰. 几类密码Hash函数的设计和安全性分析[D]. 北京:北京邮电大学,2011.
[11]	XU Jin, WEN Qiaoyan, WANG Dayin.A New Message Authentication Code Based on Hash Function and Block Cipher[J]. Chinese Journal of Computers, 2015, 38(4): 793-803.
	徐津,温巧燕,王大印. 一种基于Hash函数和分组密码的消息认证码[J]. 计算机学报,2015,38(4):793-803.
[12]	LU Anping, YANG Jimin, LI Feng, et al.A Comparative Study of Several Lightweight Encryption Algorithms[J]. Modern Electronics Technique, 2014(12): 37-41.
	路安平,杨济民,李锋,等. 几种轻量级加密算法的比较研究[J]. 现代电子技术,2014(12):37-41.
[13]	ZHOU Yanwei, YANG Bo, ZHANG Wenzheng.An Improved Two-party Authenticated Certificateless Key Agreement Protocol[J]. Chinese Journal of Computers, 2017, 40(5): 1181-1191.
	周彦伟,杨波,张文政. 一种改进的无证书两方认证密钥协商协议[J]. 计算机学报,2017,40(5):1181-1191.
[14]	LI Yue, LI Wei, CAO Yanqin, et al.Performance Analysis on Several Lightweight Block Cipher Algorithms[J]. Computer Applications and Software, 2016, 33(10): 317-320.
	李悦,李玮,曹艳琴,等. 几种轻量级分组密码算法的性能分析[J]. 计算机应用与软件,2016,33(10):317-320.
[15]	WANG Ya, WEI Guoheng.A Research Summary on Lightweight Cryptographic Algorithms for RFID[J]. Computer Applications and Software, 2017, 34(1): 9-14.
	汪亚,魏国珩. 适用于RFID的轻量级密码算法研究综述[J]. 计算机应用与软件,2017,34(1):9-14.
[16]	YANG Wei, WAN Wunan, CHEN Yun, et al.Review on Lightweight Cryptography Suitable for Constrained Devices[J]. Journal of Computer Applications, 2014, 34(7): 1871-1877.
	杨威,万武南,陈运,等. 适用于受限设备的轻量级密码综述[J]. 计算机应用,2014,34(7):1871-1877.
[17]	BOGDANOV A, KNUDSEN L R, LEANDER G, et al.Present: An Ultra-lightweigtht Block Cipher[C]//Springer. 9th International Workshop on Cryptographic Hardware and Embedded Systems, September 10-13, 2007, Vienna, Austria. Heidelberg: Springer, 2007: 450-466.
[18]	ZHANG Bo, ZHAO Ting, XU Xingkun, et al.Industrial Control System Security Analysis and Communication Protocol Enhancement Design[J]. Electric Power, 2015, 48(8): 150-154.
	张波,赵婷,徐兴坤,等. 工业控制系统安全性分析及通信协议增强设计[J]. 中国电力,2015,48(8):150-154.
[19]	FU Ge, ZHOU Nianrong, WEN Hong.The Study of Security Issues for the Industrial Control System Communication Protocols in Smart Grid[J]. Information Security and Technology, 2014, 5(1): 36-38.
	傅戈,周年荣,文红. 智能电网工业系统通信控制协议的安全研究[J]. 信息安全与技术,2014,5(1):36-38.

认证协议	消息交互数/次
SMCP-EOV协议	2
SSL/TLS	7
文献[18]的工业控制协议	2

协议	消息完整性校验	设备完整性校验	加密	身份认证	抗重放
SMCP-EOV	有	有	有	有	有
Modbus TCP	无	无	无	无	无
OPC	有	无	有	有	无
DNP3	有	无	有	无	无
Ethernet IP	无	无	视情况定	无	无