YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems
Patrick P. Tsang and Sean W. Smith, Department of Computer Science, Dartmouth College, NH 03755 USA
Dartmouth Computer Science Technical Report TR2007-603
Presented by Jeremy Lewis

Research Problem
● Legacy SCADA systems need to be secured against attackers but rely on insecure protocols
● Replacing the systems is not cost efficient, as most systems are intended to last at least 20 years
● Bump-in-the-wire (BITW) retrofits for SCADA systems are one method of achieving a higher level of security
● Current BITW retrofits are not adequate for time-critical systems, or do not provide adequate security

Hypothesis
By using the native error detection in protocols like MODBUS and DNP3, in conjunction with encryption, authentication, and sequencing, we can build a BITW retrofit that provides a high level of security, confidentiality, and authenticity, while keeping any added latency to a minimum.

Assumptions
● The underlying SCADA protocol must contain error checking that is enforced, and is one of two types
  – Type 1: The protocol appends a CRC to every frame; the receiver checks this against what it receives and drops the frame if the CRC is incorrect
  – Type 2: The frame has a header that gives the length of the frame; if the header length and the actual frame length do not match, the frame is discarded

Related Works
● The SEL-3021 Serial Encrypting Transceiver, Schweitzer Engineering Laboratories
● The American Gas Association's SCADA Cryptographic Module
● Pacific Northwest National Laboratory's Secure SCADA Communications Protocol

Design
● YASIR – Yet Another Security Retrofit

Confidentiality
● The encryption method chosen for YASIR is AES-CTR using 128-bit shared keys between transmitter and receiver
● The keys are to be changed on a regular basis
● A nonce is needed for this mode of AES (the transmission step uses the sequence number SEQ_T for this)

Authentication
● HMAC-SHA-1-80 (HMAC-SHA-1 truncated to 80 bits) is calculated using a 160-bit shared key
● Rather than operate directly on the frame, the HMAC is computed from the SHA-1 hash of the encrypted frame
● To avoid replay attacks, a 4-byte sequence number is added towards the end of the frame

Transmission
On input of an incoming frame F = S || H || P || E, the YASIR Transmitter T does the following:
1. Output the corresponding transformed frame ~F = S || CTXT || E || mac || seq || E, where
   – CTXT = Encrypt_SK(SEQ_T, H || P),
   – mac = HMAC_HK(Hash(CTXT) || SEQ_T), and
   – seq = SEQ_T
2. Increment SEQ_T by 1.

Reception
On input of a transformed frame ~F' = S || CTXT' || E || mac' || seq' || E, the YASIR Receiver R does the following:
1. Compute H' || P' = Encrypt_SK(SEQ_R, CTXT') (in CTR mode, decryption applies the same keystream as encryption), and mac'' = HMAC_HK(Hash(CTXT') || SEQ_R).
2. (Case I.) If mac' = mac'', output the corresponding original frame F' = S || H' || P' || E, and increment SEQ_R by 1.
3. (Case II.) Otherwise,
   (a) Output a malformed frame F'' = S || H' || P' || err || E, where err is any octet string such that, in the case of Type-I protocols, CRC(F'') is invalid, or, in the case of Type-II protocols, the length of F'' differs from what is indicated in H'.
   (b) If seq' > SEQ_R and mac' = HMAC_HK(Hash(CTXT') || seq'), assign seq' + 1 to SEQ_R.
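The transmitter and receiver steps above, together with the Type 1 assumption that the legacy device drops any frame whose CRC fails, as an added example in Python that is not part of the original slides or of the YASIR paper's own code. The keys, delimiters and the Modbus-style request frame are constructed placeholders; AES-CTR is used when the `cryptography` package is installed, otherwise a clearly labelled HMAC-based counter-mode stand-in supplies the keystream; and the transformed frame is parsed by field length rather than by scanning for the E byte. `demo()` walks through a clean round trip, a tampered frame, a replayed frame, and the Case II(b) resynchronisation after a lost frame.

```python
import hashlib
import hmac
import struct

# Constructed placeholder keys: SK stands in for the 128-bit AES key, HK for the 160-bit HMAC key.
SK = bytes(range(16))
HK = bytes(range(20))
S = b"\x01"  # start delimiter (constructed; this toy parses by length, not by delimiter value)
E = b"\x04"  # end delimiter (constructed)

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def keystream(key, seq, n):
        # AES-CTR keystream. The sequence number fills the top 12 bytes of the counter
        # block, so two frames with different SEQ never reuse keystream.
        nonce = seq.to_bytes(12, "big") + bytes(4)
        enc = Cipher(algorithms.AES(key), modes.CTR(nonce), backend=default_backend()).encryptor()
        return enc.update(bytes(n)) + enc.finalize()
except ImportError:
    def keystream(key, seq, n):
        # Stand-in counter-mode PRF (HMAC-SHA-256) so the example runs without the
        # 'cryptography' package. It is NOT AES; only the protocol logic is the point here.
        out, block = b"", 0
        while len(out) < n:
            out += hmac.new(key, seq.to_bytes(12, "big") + struct.pack(">I", block), hashlib.sha256).digest()
            block += 1
        return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc16(data):
    # CRC-16/MODBUS (init 0xFFFF, reflected poly 0xA001, low byte first): the
    # Type 1 error check that Modbus RTU devices enforce on every frame.
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc.to_bytes(2, "little")

def legacy_frame(header, payload):
    # F = S || H || P || E, where the CRC over H||P forms the tail of P.
    body = header + payload
    return S + body + crc16(body) + E

def legacy_accepts(frame):
    # What the legacy device does: drop any frame whose trailing CRC does not verify.
    body = frame[1:-1]
    return len(body) >= 2 and crc16(body[:-2]) == body[-2:]

def err_bytes(hp):
    # An octet string that makes CRC(F'') invalid: the bitwise complement of the CRC the
    # device would expect over H'||P' can never equal that CRC.
    return bytes(b ^ 0xFF for b in crc16(hp))

def mac_tag(ctxt, seq):
    # mac = HMAC_HK(Hash(CTXT) || SEQ), truncated to 80 bits (HMAC-SHA-1-80).
    return hmac.new(HK, hashlib.sha1(ctxt).digest() + struct.pack(">I", seq), hashlib.sha1).digest()[:10]

class Transmitter:
    def __init__(self):
        self.seq = 0  # SEQ_T

    def transform(self, frame):
        hp = frame[1:-1]
        ctxt = xor(hp, keystream(SK, self.seq, len(hp)))  # CTXT = Encrypt_SK(SEQ_T, H||P)
        out = S + ctxt + E + mac_tag(ctxt, self.seq) + struct.pack(">I", self.seq) + E
        self.seq += 1
        return out

class Receiver:
    def __init__(self):
        self.seq = 0  # SEQ_R

    def recover(self, tframe):
        body = tframe[1:-1]
        ctxt, mac_p, seq_p = body[:-15], body[-14:-4], struct.unpack(">I", body[-4:])[0]
        hp = xor(ctxt, keystream(SK, self.seq, len(ctxt)))  # H'||P' under the expected SEQ_R
        if hmac.compare_digest(mac_p, mac_tag(ctxt, self.seq)):  # Case I
            self.seq += 1
            return S + hp + E
        malformed = S + hp + err_bytes(hp) + E  # Case II(a): a frame the device must drop
        if seq_p > self.seq and hmac.compare_digest(mac_p, mac_tag(ctxt, seq_p)):
            self.seq = seq_p + 1  # Case II(b): resynchronise on an authentic seq' > SEQ_R
        return malformed

def demo():
    tx, rx = Transmitter(), Receiver()
    req = legacy_frame(b"\x11\x03", b"\x00\x6b\x00\x03")  # constructed Modbus-style read request
    results = {}
    t0 = tx.transform(req)                                                          # seq 0
    results["roundtrip"] = rx.recover(t0) == req and legacy_accepts(req)            # SEQ_R -> 1
    tampered = bytearray(tx.transform(req))                                         # seq 1
    tampered[2] ^= 0x80                                                             # flip one ciphertext bit
    results["tamper_dropped"] = not legacy_accepts(rx.recover(bytes(tampered)))     # SEQ_R stays 1
    results["replay_dropped"] = not legacy_accepts(rx.recover(t0))                  # old seq 0: rejected
    tx.transform(req)                                                               # seq 2, lost in transit
    results["lost_frame_dropped"] = not legacy_accepts(rx.recover(tx.transform(req)))  # seq 3: resync to 4
    results["resynced"] = rx.seq == 4 and rx.recover(tx.transform(req)) == req      # seq 4 accepted
    return results
```

Two details worth noticing when reading `demo()`: the frame that carries the receiver back into sync (seq 3 after seq 2 was lost) is itself forwarded only as a malformed frame, exactly as Case II(a) and (b) prescribe, so resynchronisation costs one dropped frame; and every rejection path still emits something, which is what keeps the retrofit transparent to the legacy device's own framing and timing.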

Validation

Result
● Latency incurred is 10 + 2t_e byte-times, with t_e typically less than 4
● Confidentiality is guaranteed as long as the keys are kept secret
● Integrity is guaranteed as long as AES-CTR and SHA1-80 are secure

Future Works
● A micro-controller based prototype was in development
● Predictive YASIR extends this concept to lower latency even more
● Would like to see an implementation

Conclusion
● Presents a clear, well thought out solution for adding protection to legacy SCADA
● Does not defend against direct compromise of a node
● Some of the reasoning is not explained and must be inferred
