SECURITY SERVICES IN FIELDBUSES: AT WHAT COST?

Miguel León Chávez (1) and Francisco Rodríguez Henríquez (2)

(1) Benemérita Universidad Autónoma de Puebla, Facultad de Ciencias de la Computación, 14 Sur y Av. San Claudio, CP 72570, Puebla, México. Tel. (52) 222 229 55 00 ext. 7213, Fax (52) 222 229 56 72

(2) CINVESTAV-IPN, Sección de Computación, Av. Instituto Politécnico Nacional No. 2508, Col. San Pedro Zacatenco, México, D.F. 07300. Tel: (52) 52 55 5747 3800 ext. 6570, Fax: (52) 555 747-7002

Abstract: This paper discusses security in fieldbuses. The discussion takes into account, on the one hand, the security services defined by the ISO Security Architecture and, on the other hand, the security mechanisms defined by some fieldbuses. Our analysis shows that there are two critical points for attacking these networks: the bus and, in the case of centralized networks, the master node. The paper then presents possible solutions to protect fieldbuses and discusses their associated computing cost. Copyright © 2005 IFAC

Keywords: Fieldbus, Security.

1. INTRODUCTION

Fieldbuses are special-purpose Local Area Networks (LAN) used to connect all kinds of devices in a factory, such as sensors, actuators, transmitters, programmable controllers, (C)NC machines, processors, and so on (Thomesse, 2002). These networks usually define the services of three OSI layers, namely the physical, the data link and the application layers, although some services of the missing layers are still present in some fieldbuses. Typically, fieldbuses are used by distributed manufacturing applications to monitor and control the processes taking place in the factory. Examples of such applications are factory automation, the automotive industry, textile machinery, electronics manufacturing, food and beverage, chemical processing, and so on.

Up to now, security in fieldbuses such as IEC 61158 has only been considered for access protection on some objects. This protection is not intended to guard against intentional misuse of the communication facilities of a field device, but to protect a system against accidental erroneous use of the objects. However, there exist at least two possible security attacks that fieldbuses can suffer: non-authorized users gaining access to the communication channel, and non-authorized human operators accessing the master node, if it exists.

Clearly, there always exists the possibility for non-authorized users to gain access to the communication channel. If that happens, the intruders can launch a passive attack by eavesdropping on all or part of the information exchanged among the network’s entities. Even worse, active attacks are also possible, as hackers can maliciously insert or modify
the data traveling through the communication channel at will.

On the other hand, the master node usually stores the entire network configuration as well as other important global system information, such as the presence variables in WorldFIP, i.e. variables containing summarized information on the node’s global operating state. Hence, mechanisms of user identification should be put in place in order to avoid leakage of valuable data to non-authorized human operators.

As fieldbuses become more and more diverse, complex and integrated into other kinds of networks (Gordeev, 1999; Decotignie et al., 2001), potential attacks on the security of a fieldbus network increase at the same rate. Hence, it is of the utmost importance to incorporate security mechanisms into fieldbus communication protocols so that such security attacks can be avoided, prevented and/or thwarted (Gordeev, 1999; Morris and Koopman, 2003; León and Rodríguez, 2004a).

However, most fieldbuses were designed to meet real-time constraints, such as bounded end-to-end delay, periodicity, jitter, and coherence (León and Thomesse, 2000). No matter what security mechanism is implemented, it will require valuable processor time for its execution, and therefore some real-time constraints might be missed.

This paper discusses security in fieldbuses according to the classes of security service defined by ISO. The discussion is focused on TS 61158, WorldFIP, and CAN because they are typical examples of centralized and distributed fieldbuses. The paper then analyses the proposed security mechanisms for fieldbuses and discusses the associated computing cost of such solutions.

The remainder of this paper is organized as follows: section 2 presents the ISO security services; security mechanisms defined by TS 61158, WorldFIP and CAN are presented in section 3; section 4 presents some proposed security services; section 5 discusses their computing cost; finally, some future work directions and conclusions are given in section 6.

2. ISO SECURITY SERVICES

The Security Architecture of the OSI Reference Model (ISO 7498-2) considers five main classes of security services: authentication, access control, confidentiality, integrity and non-repudiation. These services are defined as follows:

- The authentication service verifies the supposed identity of a user or a system.
- The access control service protects the system resources against non-authorized users.
- The confidentiality service protects the data against non-authorized disclosure.
- The integrity service protects the data against non-authorized modifications, insertions or deletions.
- The non-repudiation service prevents an entity from denying previous commitments or actions.

All the security services defined by ISO can be achieved in a centralized fieldbus by using public key cryptography. That can be accomplished by assigning to each slave node in the network a unique private key and the master node’s public key. During
communication, slave and master nodes may mutually authenticate each other with these keys using well-known protocols. To provide confidentiality, nodes may encrypt their contents using a random session key and a symmetric cryptographic algorithm specially tailored for constrained environments. Integrity and non-repudiation can be obtained by signing and verifying all the messages transmitted between a particular slave node and the master node.

The integrity service can also be achieved by using a one-way hash function optimized for heavily constrained environments, such as those typically found in fieldbuses. Hash functions accept a variable-size message as input and produce a fixed-size code, called the hash code or message digest. The verification of the hash code is designed to detect intentional and unauthorized modifications of the data, as well as accidental modifications, whereas the verification of a checksum value or an error-detecting code, such as those produced by the CRC algorithms or the frame check sequence (FCS), is designed to detect only accidental modifications of the data.

However, strong public key cryptography is in general an expensive solution for fieldbuses because, on the one hand, most field devices have limited capacities, such as processor speed and memory, and, on the other hand, public key cryptography requires complex algorithms, large key sizes, and management of the public keys.

Moreover, some of the security services defined by ISO are not very likely to be useful in the context of some fieldbuses. In particular, non-repudiation seems unsuitable for centralized fieldbuses, since the master node “gives permission to speak” to each slave node.

If public key cryptography solutions are too expensive for a given fieldbus, we can still design limited security schemes for fieldbuses at a cheaper price, i.e. fast security algorithms requiring a small amount of memory.
For instance, data confidentiality can be achieved by using a lightweight cryptographic stream cipher, such as RC4 or A5/1 GSM, or even a reduced version of traditional symmetric algorithms such as DES or AES, which can be obtained by reducing the size of the encryption key or by limiting the standard number of rounds used during the encryption/decryption processes (16 in the case of DES and 10 for AES). Although these limited security schemes have a cheaper price, some fieldbuses may still not be able to afford them.

3. FIELDBUS SECURITY MECHANISMS

This section presents the security mechanisms defined by the TS 61158, WorldFIP, and CAN standards, together with suggested security improvements.

3.1 Security in TS 61158

TS 61158 (IEC 61158) provides users with the authentication and access control services for some objects. These services are implemented at the
application layer. At this level, the application process objects (APOs) are defined, which are components of the application process and are visible across the network. An APO is identified by one or more key attributes, such as access privilege. This attribute specifies the access controls defined by the APO, and is composed of the following fields:

- Password: contains the password for the access rights. Its value is null if it is not used.
- Access Groups: identifies which of the user-defined access groups are defined for the object.
- Access Rights: defines the type of access attributes authorized for the object. Legal examples of such attributes are as follows: right to read/write for access groups, for the registered password, and for all communication partners.

The access privilege attribute is defined for the following APOs: variables, events, and load regions.

Nevertheless, TS 61158 specifies that an authorized human operator must invoke the management system in order to configure the initial schedule in the LAS (Link Active Scheduler). Therefore, this fieldbus must provide a user authentication service in order to put in place some mechanisms of user identification in the LAS, such as login and password, to avoid access from non-authorized human operators.

On the other hand, TS 61158 does not provide the following ISO security services: node-authentication, integrity, confidentiality, and non-repudiation (León and Rodríguez, 2004a). According to the standard’s specification, the LAS node uses the notion of Delegated Token (DeT) to transfer the right to transmit to another node for a specified duration. Usually, the token has two fields for addressing the source and destination nodes. With the purpose of thwarting a masquerade attack, TS 61158 should provide a node-authentication service.

The integrity service can be achieved by using the CRC field of the MAC frame to store the hash code produced by a one-way hash function.

In order to avoid passive and active attacks from intruders that have managed to gain access to the communication channel, TS 61158 should implement a data-confidentiality service via feasible encryption/decryption schemes.

Regarding the non-repudiation service, it does not seem very useful for this kind of network due to the centralized nature of the protocol, where the LAS node “gives permission to speak” to each node.

3.2 Security in WorldFIP

WorldFIP provides some security mechanisms implemented in its protocol or in its components. The mechanisms considered by the protocol are (EN 50170-3): medium redundancy, errors in the physical layer, data link layer status machines, frame check sequence (FCS), bus arbitrator redundancy and variable validation.

Clearly, the WorldFIP security mechanisms do not provide the ISO security services, even though the FCS allows accidental modifications of the data to be detected (Erdner et al., 2001), i.e. the FCS is calculated when the frame is transmitted and when it is received. If the
code received matches the code calculated, there is a very high probability that the frame is correct.

It is worth mentioning that, once again, some of the ISO security services are not likely to be useful in the context of WorldFIP. In particular, since a Bus Arbitrator (BA) node “gives permission to speak” to each producer node, the non-repudiation service would not be useful at all.

According to the standard’s specification, in WorldFIP an authorized human operator configures the BA, which stores the network configuration in a table and several queues. Therefore, WorldFIP (León and Rodríguez, 2004) should provide some sort of authentication service in order to put in place user identification mechanisms in the BA, such as login and password, with the purpose of avoiding access from non-authorized human operators. Access rights can also be added to the authentication mechanism so that authorized human operators can have access rights to configure, read and modify the network configuration.

Furthermore, in order to avoid passive and active attacks from intruders that have managed to gain access to the communication channel, WorldFIP should implement a data-confidentiality service via feasible encryption/decryption schemes.

3.3 Security in CAN

Not all ISO security services are useful in the context of CAN (León and Rodríguez, 2005), due to the following considerations.

Node authentication, message authentication and non-repudiation services are not needed in CAN because CAN nodes do not make use of any information about the network configuration, e.g. node addresses. Instead, in CAN, every message is assigned a unique identifier, which is used as a static priority for bus access.
The identifier does not indicate the destination of the message, but describes the meaning of the data, so that all the nodes in the network are able to decide by message filtering whether or not the data is intended for them and is to be acted upon by them. As a consequence of the concept of message filtering, any number of nodes can receive and simultaneously act upon the same message. Message filtering is based upon the whole identifier, although optional mask registers may be used to select groups of identifiers to be mapped into the attached receive buffers.

The access control service may be implemented in the higher-layer protocols (e.g. application). At network configuration time, every message is assigned a unique identifier. Therefore, the higher-layer protocols based on CAN should provide this service by using some mechanisms of user identification, such as login and password, so that access of non-authorized human operators to the CAN-based system configuration is restricted.

CAN (Bosch, 1992) provides users with a special kind of service for data transfer, namely the safety service, which includes the following procedures: error detection, error signaling, and self-checking.
For error detection, the following measures have been taken into account: monitoring (transmitters compare the bit levels to be transmitted with the bit levels detected on the bus), Cyclic Redundancy Check (CRC), bit stuffing, and message frame check. Nevertheless, these procedures do not provide the integrity security service, which can be achieved by using cryptographic mechanisms such as one-way hash functions.

Finally, CAN does not provide the confidentiality service. All data transfers are made in plaintext. Therefore, in order to thwart possible passive and active attacks from intruders that have managed to gain access to the bus, CAN should implement a data-confidentiality service via feasible encryption/decryption schemes.

4. SECURITY SERVICE FOR FIELDBUSES

This section presents the proposed security mechanisms and discusses their computing cost.

4.1 Security goals

As mentioned in section 2, all customary security services for fieldbus protocols can be achieved by using public key cryptography schemes. However, public key cryptography requires a processing power that is typically well beyond the reach of many field devices. Fortunately, we can still design limited security schemes for a fieldbus at a cheaper price by using alternative cryptographic options.

Data confidentiality can be achieved by using a lightweight cryptographic stream cipher such as RC4 or A5/1 GSM, or even a reduced version of traditional symmetric algorithms such as DES or AES.

Because password-based security mechanisms are needed only for data protection at the master node (i.e., LAS or BA), where processing power is typically not a concern, we can use any of the traditional schemes based on symmetric ciphers.

In summary, the papers (León and Rodríguez, 2004, 2004a, 2005) have proposed to achieve the above-stated security features by incorporating the following security mechanisms into the fieldbus protocols:

- A lightweight stream cipher, in order to guarantee data confidentiality by encrypting all the relevant data to be transferred by the network’s entities.
- A password-based security mechanism, to prevent non-authorized users from gaining control of the master node.
- A one-way hash function, in order to provide the integrity security service.

4.2 Computing Cost of the Security Services

Offering security services for resource-constrained platforms does not have a long history in the cryptographic community. Most research work has targeted the design of efficient symmetric stream
ciphers under the assumption that this type of cipher is much more economical than its relatives, symmetric block ciphers (Kumar et al., 2004). Among the few examples of lightweight block ciphers available in the open literature, one can mention the Tiny Encryption Algorithm TEA (Wheeler and Needham, 1994), which is already an old proposal, and more recently the SEA algorithm proposed by (Standaert et al., 2005). Present block ciphers, such as the Advanced Encryption Standard (FIPS 197; Daemen and Rijmen, 2001), are generally considered too costly for constrained platforms.

Using well-known stream cipher algorithms, the confidentiality security service for CAN was achieved in (León and Rodríguez, 2005) by means of the RC4 and A5/1 stream ciphers, with RC4 showing the best performance. In that work the target platform was the Intel MCS®96 microcontroller running at a clock frequency of 16 MHz. This microcontroller can be considered typical of CAN applications.

However, the timing results obtained were not promising. The encryption time using the full RC4 algorithm (i.e., including the initialization phase) goes from 7.5 ms to 7.8 ms for 1 byte to 8 bytes in the CAN frame, respectively, and the encryption time using the A5/1 algorithm (also considering its full version) goes from 64.1 ms to 80.1 ms for 1 byte to 8 bytes, respectively. Clearly, those times are very high relative to the CAN transmission time, with CAN operating in the range from 5 Kbits/s to 1 Mbit/s, and therefore there are some doubts about the feasibility of offering security services without affecting the real-time constraints.

It should be noted, however, that the overwhelming majority of clock cycles for ciphering the data field of the CAN frames were spent during the initialization phase. For example, RC4 spends from 99.28% to 95.49% of its clock cycles in this phase for 1 byte to 8 bytes, respectively. For the A5/1 algorithm, this phase takes from 99.61% for 1 byte to 97.56% for 8 bytes.

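RC4's two phases, and the two ways a node can use one key for several CAN frames, as an added example that is not code from this paper or from the cited work. The key "Key" and the two 8-byte data fields are constructed, and carrying the cipher state from frame to frame is an assumption about how a node would avoid repeating the initialization; the last function shows the synchronization requirement that choice brings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

/* Initialization phase: 2 x 256 loop iterations, whatever the frame size. */
static void rc4_init(rc4_t *c, const uint8_t *key, size_t klen) {
    uint8_t j = 0, t;
    for (int n = 0; n < 256; n++) c->s[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->s[n] + key[n % klen]);
        t = c->s[n]; c->s[n] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

/* Stream phase: one iteration per data byte, XORed in place. */
static void rc4_crypt(rc4_t *c, uint8_t *buf, size_t len) {
    uint8_t t;
    for (size_t n = 0; n < len; n++) {
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->s[c->i]);
        t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
        buf[n] ^= c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
}

/* Constructed sample data: a 3-byte key and two 8-byte CAN data fields. */
static const uint8_t KEY[3] = {'K', 'e', 'y'};
static const uint8_t FRAME_A[8] = {0x10, 0x27, 0x00, 0x00, 0x64, 0x00, 0x01, 0xFF};
static const uint8_t FRAME_B[8] = {0x11, 0x27, 0x00, 0x00, 0x5A, 0x00, 0x01, 0xFE};

/* Sanity check against the widely published RC4 vector for key "Key". */
int known_vector_ok(void) {
    static const uint8_t want[8] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A};
    uint8_t buf[8] = {'P', 'l', 'a', 'i', 'n', 't', 'e', 'x'};
    rc4_t c;
    rc4_init(&c, KEY, sizeof KEY);
    rc4_crypt(&c, buf, 8);
    return memcmp(buf, want, 8) == 0;
}

/* Encrypt both frames under KEY; returns 1 if C_a ^ C_b == P_a ^ P_b,
 * i.e. if the two ciphertexts alone reveal the XOR of the plaintexts. */
int frames_leak_xor(int reinit_each_frame) {
    uint8_t ca[8], cb[8];
    rc4_t c;
    memcpy(ca, FRAME_A, 8); memcpy(cb, FRAME_B, 8);
    rc4_init(&c, KEY, sizeof KEY);
    rc4_crypt(&c, ca, 8);
    if (reinit_each_frame) rc4_init(&c, KEY, sizeof KEY); /* keystream restarts */
    rc4_crypt(&c, cb, 8);                /* otherwise continues at byte 8 */
    for (int n = 0; n < 8; n++)
        if ((ca[n] ^ cb[n]) != (FRAME_A[n] ^ FRAME_B[n])) return 0;
    return 1;
}

/* Carried state needs lock-step: a receiver that never saw frame A is
 * 8 keystream bytes behind and cannot recover frame B. Returns 1 then. */
int missed_frame_desyncs(void) {
    uint8_t ca[8], cb[8];
    rc4_t tx, rx;
    memcpy(ca, FRAME_A, 8); memcpy(cb, FRAME_B, 8);
    rc4_init(&tx, KEY, sizeof KEY); rc4_crypt(&tx, ca, 8); rc4_crypt(&tx, cb, 8);
    rc4_init(&rx, KEY, sizeof KEY); rc4_crypt(&rx, cb, 8);
    return memcmp(cb, FRAME_B, 8) != 0;
}

int main(void) {
    printf("vector ok=%d  leak(re-init)=%d  leak(carried)=%d  desync=%d\n",
           known_vector_ok(), frames_leak_xor(1), frames_leak_xor(0),
           missed_frame_desyncs());
    return 0;
}
```

Because CAN receivers select frames by identifier filtering, a node that keeps a carried cipher state must still advance it for every encrypted frame on the bus, including frames it does not act on.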
The initialization phase is required by RC4 in each encryption because it is strongly recommended that no two messages be encrypted using the same key. Otherwise the messages can usually be broken. Indeed, if the two encrypted messages are XOR-ed together, the result is the XOR of the original messages (Dawson and Nielsen, 1996).

Because the overhead introduced by the initialization phase is too large for both algorithms, it was proposed in (León and Rodríguez, 2005) to include the concept of a session key. That would imply opening a new session (and thus generating a new key) each time the CAN protocol is initialized by the application. As long as the session is still active, that same session key will be used to encrypt all CAN frames. According to results presented in (León and Rodríguez, 2005), RC4 can be implemented at a cost of some 6245 clock cycles, which would be attractive compared with block cipher proposals such as SEA, which needs no less than 17745 clock cycles (Standaert et al., 2005).

However, a session-key feature will require a specific protocol among the parties involved in order to
resolve issues related to key generation and management. Such issues include key generation and renewal, opening and closing sessions, etc. It is still an open question how these amendments could be introduced in fieldbus protocols such as CAN without losing compatibility with former versions.

5. CONCLUSION

In this contribution we have discussed security in fieldbus protocols such as TS 61158, WorldFIP, and CAN. Our analysis has shown that these fieldbuses provide only limited security, namely the ISO integrity security service. WorldFIP implements that service, to a certain extent, by using a frame check sequence (FCS); CAN uses CRC and message frame check.

However, these fieldbuses are vulnerable to at least two possible security attacks: non-authorized users gaining access to the communication channel, and non-authorized human operators accessing the master node. Both types of security attack can be avoided using public key cryptography schemes. However, public key cryptography requires a processing power that is typically well beyond the reach of many field devices.

To overcome this difficulty, previous works have proposed security mechanisms that provide the authentication, confidentiality, and integrity services at a cheaper price by using alternative cryptographic options. Naturally, implementing those security services introduces an extra overhead that must be quantified and measured in order to verify that the timing constraints on the messages are met.

Experimental timings of two stream cipher algorithms, RC4 and A5/1, on the Intel MCS®96 microcontroller have shown that the confidentiality service is still an expensive solution for fieldbuses. Therefore, new cipher algorithms are required for small data sizes and real-time constraints. We believe much work can still be done in this area.

ACKNOWLEDGMENTS

The authors would like to acknowledge support from CONACyT through project number 45306.

REFERENCES

Bosch, R. GmbH (1992).
CAN Protocol Specification V2.0 (A,B).

Daemen, J., and V. Rijmen (2001). The Design of Rijndael. Springer-Verlag.

Dawson, E., and L. Nielsen (1996). Automated Cryptanalysis of XOR Plaintext Strings. Cryptologia, vol. XX, No. 2.

Decotignie, J.D., P. Dallemagne, and A. El-Hoiydi (2001). Architectures for the Interconnection of Wireless and Wireline Fieldbusses. In 4th IFAC International Conference on Fieldbus Systems and their Applications (FeT’2001), Nancy, France, Nov. 15-16, pp. 285-290.

EN 50170-3 (1995). WorldFIP, General Purpose Field Communication System, CENELEC EN 50170-3.

Erdner, T., W.A. Halang, K.C. Chan, and J.K. Ng (2001). Secure Data Communication over Fieldbus Systems. In 4th IFAC International Conference on Fieldbus Systems and their Applications (FeT’2001), Nancy, France, Nov. 15-16, pp. 37-44.

FIPS 197 (2001). Advanced Encryption Standard. Federal Information Processing Standard, NIST, U.S. Dept. of Commerce.

Gordeev, M. (1999). Security Architecture for Field Area Networks Connected to Internet. In 3rd International Conference on Fieldbus Systems and their Applications (FeT’99), Magdeburg, Germany, Sep. 23-24, pp. 69-75.

IEC 61158 (1999). International Electrotechnical Commission. Digital Data Communications for Measurement and Control – Fieldbuses for use in Industrial Control Systems. IEC 61158 Type 1.

ISO 7498-2 (1989). International Organization for Standardization. Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.

Kumar, S., K. Lemke, and C. Paar (2004). Some Thoughts about Implementation Properties of Stream Ciphers. In SASC - State of the Art of Stream Ciphers Workshop, Brugge, Belgium, October 14-15.

León, M. and J.P. Thomesse (1999). Fieldbuses and Real-Time MAC Protocols. In 4th IFAC International Symposium on Intelligent Components and Instruments (SICICA’2000), Buenos Aires, Argentina, pp. 51-56.

León, M. and F. Rodríguez (2004). SDL Specification of a Security Architecture for WorldFIP. In IEEE XIV International Conference on Electronics, Communications, and Computers (CONIELECOMP’2004), Veracruz, México, February, 2004, pp. 149-154.

León, M. and F. Rodríguez (2004a). SDL Specification of a Security Architecture for the IEC 61158. In 11th IFAC Symposium on Information Control Problems in Manufacturing (INCOM’2004), Salvador da Bahia, Brazil, April 5-7.

León, M. and F. Rodríguez (2005).
Performance Analysis of the Confidentiality Security Service in CAN. In XVI IFAC World Congress, Praha, Czech Republic, July, 2005.

Morris, J. and P. Koopman (2003). Critical Message Integrity over Shared Network. In 5th IFAC Conference on Fieldbus Systems and their Applications (FeT’2003), Aveiro, Portugal, July 7-8, pp. 145-151.

Standaert, F.-X., G. Piret, N. Gershenfeld, and J.-J. Quisquater (2005). SEA - a Scalable Encryption Algorithm for Small Embedded Applications. In Workshop on RFID and Lightweight Crypto, Graz, Austria.

Thomesse, J.P. (2002). A Review of the FieldBuses. Annual Reviews in Control, vol. 22, pp. 35-45.

Wheeler, D.J., and R. Needham (1994). TEA, a Tiny Encryption Algorithm. In Proceedings of FSE 1994, Lecture Notes in Computer Science, vol. 1008, pp. 363-366, Leuven, Belgium, Springer-Verlag.