    Practical Encryption Gateways to Integrate Legacy Industrial Machinery

    Future industrial networks will consist of a mixture of old and new components, due to the very long life cycles of industrial machines on the one hand and the need to change in the face of trends like Industry 4.0 or the industrial Internet of Things on the other. These networks will be very heterogeneous and will serve legacy as well as new use cases in parallel. This will result in an increased demand for network security, and precisely within this domain this thesis tries to answer one specific question: how to make it possible for legacy industrial machines to run securely in those future heterogeneous industrial networks. The need for such a solution arises from the fact that legacy machines are very outdated, and hence vulnerable, systems when assessed from an IT security standpoint. For various reasons they cannot easily be replaced or upgraded, and with the opening up of industrial networks to the Internet they become prime attack targets. The only way to provide security for them is to protect their network traffic. The concept of encryption gateways forms the basis of our solution. These are special network devices that are put between the legacy machine and the network. The gateways encrypt data traffic from the machine before it is put on the network and decrypt traffic coming from the network accordingly. This results in a separation of the machine from the network, since only traffic from other authenticated gateways is decrypted and passed through. In effect, they protect communication data in transit and shield the legacy machines from potential attackers within the rest of the network, while at the same time retaining their functionality. Additionally, through the specific placement of gateways inside the network, fine-grained security policies become possible. This approach can reduce the attack surface of the industrial network as a whole considerably. As a concept, this idea is straightforward and not new. Yet the devil is in the details, and no solution specifically tailored to the needs of the industrial environment and its legacy components existed prior to this work. Therefore, we present in this thesis concrete building blocks towards a generally applicable encryption gateway solution that allows legacy industrial machinery to be integrated securely while respecting industrial requirements. This entails not only work on network security, but also work on guaranteeing the availability of the communication links protected by the gateways, on simplifying the usability of the gateways, and on the management of industrial data flows by the gateways.

    Implementing Virtual Private Networking for Enabling Lower Cost, More Secure Wide Area Communications at Sandia National Laboratories


    An Overview of Operations, Administration, and Maintenance (OAM) Tools


    Development and Implementation of Network Protocols: A Study Guide (Розробка та реалізація мережних протоколів. Навчальний посібник)

    The development and implementation of network protocols is an important part of the modern body of knowledge needed to interconnect the layers and the different technologies of any local or global network. Network protocols are based on international standards that ensure high-quality interaction between various innovative technologies and network elements. They form a seven-layer structure that provides solutions to engineering and technical issues and requires constant updating, improvement and development of new protocols as the rules of interaction for all components of the global network. The development and implementation of network protocols therefore requires continuous development and improvement in order to provide subscribers with highly reliable services with high-speed data transmission.

    A survey of network virtualization

    Due to the existence of multiple stakeholders with conflicting goals and policies, alterations to the existing Internet architecture are now limited to simple incremental updates; deployment of any new, radically different technology is next to impossible. To fend off this ossification, network virtualization has been propounded as a diversifying attribute of the future inter-networking paradigm. By introducing a plurality of heterogeneous network architectures cohabiting on a shared physical substrate, network virtualization promotes innovations and diversified applications. In this paper, we survey the existing technologies and a wide array of past and state-of-the-art projects on network virtualization, followed by a discussion of major challenges in this area.

    The InfoSec Handbook

    Computer science

    Optimization and Performance Analysis of High Speed Mobile Access Networks

    The end-to-end performance evaluation of high-speed broadband mobile access networks is the main focus of this work. Novel transport network adaptive flow control and enhanced congestion control algorithms are proposed, implemented, tested and validated using a comprehensive High Speed Packet Access (HSPA) system simulator. The simulation analysis confirms that the aforementioned algorithms are able to provide reliable and guaranteed services for both network operators and end users cost-effectively. Further, two novel analytical models, one for congestion control and the other for the combined flow control and congestion control, both based on Markov chains, are designed and developed to perform the aforementioned analysis efficiently compared to time-consuming detailed system simulations. In addition, the effects of the Long Term Evolution (LTE) transport network (S1 and X2 interfaces) on the end user performance are investigated and analysed by introducing a novel comprehensive MAC scheduling scheme and a novel transport service differentiation model.

    Cyber-Security Solutions for Ensuring Smart Grid Distribution Automation Functions

    The future generation of the electrical network is known as the smart grid. The distribution domain of the smart grid intelligently supplies electricity to the end-users with the aid of decentralized Distribution Automation (DA), in which intelligent control functions are distributed and accomplished via real-time communication between the DA components. Internet-based communication via open protocols is the latest trend for decentralized DA communication. Internet communication has many benefits, but it exposes the critical infrastructure's data to cyber-security threats. Security attacks may not only make DA services unreachable but may also result in undesirable physical consequences and serious damage to the distribution network environment. Therefore, it is compulsory to protect DA communication against such attacks. There is no single model for securing DA communication; in fact, the security level depends on several factors such as application requirements, communication media and, of course, cost. There are several smart grid security frameworks and standards under development by different organizations. However, the smart grid cyber-security field has not yet reached full maturity and is still in the early phase of its progress. Security protocols from IT and computer networks can be utilized to secure DA communication, because industrial ICT standards have been designed in accordance with the Open Systems Interconnection model. Furthermore, state-of-the-art DA concepts such as the Active Distribution Network tend to integrate processing data into IT systems. This dissertation addresses cyber-security issues in the following DA functions: substation automation, feeder automation, Logic Selectivity, customer automation and Smart Metering. Real-time simulation of the distribution network along with actual automation and data networking devices is used to create a hardware-in-the-loop simulation and to experiment with the mentioned DA functions over Internet communication. This communication is secured by proposing the following cyber-security solutions. For substation automation, the dissertation develops an IEC 61850-TLS proxy and adds an OPC Unified Architecture (OPC UA) Wrapper to the Station Gateway. Messages secured by Transport Layer Security (TLS) and OPC UA security are created for protecting substation local and remote communications. Data availability is the main concern, which is solved by designing redundant networks. The dissertation also proposes cyber-security solutions for feeder automation and Logic Selectivity. In feeder automation, a Centralized Protection System (CPS) is proposed as the place for making decentralized feeder automation decisions. In addition, applying IP security (IPsec) in Tunnel mode is proposed to establish a secure communication path for feeder automation messages. In Logic Selectivity, Generic Object Oriented Substation Events (GOOSE) are exchanged between the substations. First, the functional characteristics of Logic Selectivity are analyzed. Then, Layer 2 Tunneling over IPsec in Transport mode is proposed to create a secure communication path for exchanging GOOSE over the Internet. Next, the impact of communication on Logic Selectivity performance is investigated by measuring the jitter and latency of the GOOSE communication. Lastly, the reliability improvement by Logic Selectivity is evaluated by calculating reliability indices. Customer automation is an additional extension to smart grid DA. This dissertation proposes an integration solution for the heterogeneous communication parties (TCP/IP and Controller Area Network) in the Home Area Network. The developed solution applies Secure Sockets Layer (SSL) in order to create secured messages. The dissertation also proposes a Secondary Substation Automation Unit (SSAU) for real-time communication of low voltage data to the metering database. The Point-to-Point Tunneling Protocol (PPTP) is proposed to create a secure communication path for Smart Metering data. The security analysis shows that the proposed security solutions provide the security requirements (Confidentiality, Integrity and Availability) for DA communication. Thus, communication is protected against security attacks and DA functions are ensured. In addition, CPS and SSAU are proposed to distribute intelligence to the substation level.
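Both the encryption gateway thesis at the top of this list and the IPsec and TLS gateways this dissertation places in front of substation and feeder equipment rest on one mechanism: a device in front of a legacy endpoint seals outbound frames under a key it shares with a peer gateway, and on the inbound side decrypts and forwards only frames that verify under a registered peer's key, discarding forged, tampered and replayed ones. The Go program below is an added illustration of that mechanism written for this page; it is not code from either work. It models a pair of gateways with AES-128-GCM under a pre-provisioned per-peer key (key distribution, which both works leave to gateway management, is assumed to happen out of band), a cleartext 12-byte header of sender ID and sequence number that serves as both nonce and associated data, and a strict-monotonic anti-replay check. The gateway IDs, the sample machine command and the demo key are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout: 4-byte sender gateway ID | 8-byte sequence number | AES-GCM ciphertext+tag.
// The 12-byte header travels in clear, is authenticated as associated data and doubles as the nonce.
const hdrLen = 12

// Gateway models one encryption gateway: frames from the legacy machine pass through Wrap before
// reaching the network; frames from the network pass through Unwrap, and only those sealed by a
// registered peer gateway are handed on to the machine.
type Gateway struct {
	id    uint32
	seq   uint64 // outbound counter; never repeats under one key
	peers map[uint32]*peerState
}

type peerState struct {
	aead    cipher.AEAD // AES-128-GCM under the key shared with this peer (assumed pre-provisioned)
	lastSeq uint64      // highest sequence number accepted from this peer
}

func NewGateway(id uint32) *Gateway {
	return &Gateway{id: id, peers: make(map[uint32]*peerState)}
}

// AddPeer authorises a peer gateway and installs the 16-byte key shared with it.
func (g *Gateway) AddPeer(peerID uint32, key []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	g.peers[peerID] = &peerState{aead: aead}
	return nil
}

// Wrap seals a frame from the legacy machine for the given peer gateway.
func (g *Gateway) Wrap(peerID uint32, plaintext []byte) ([]byte, error) {
	p, ok := g.peers[peerID]
	if !ok {
		return nil, fmt.Errorf("no key for peer gateway %d", peerID)
	}
	g.seq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], g.id)
	binary.BigEndian.PutUint64(hdr[4:12], g.seq)
	// The header is unique per frame (sender ID differs per direction, the counter never
	// repeats), so it is safe as the GCM nonce; passing it as AAD binds it to the ciphertext.
	return append(hdr, p.aead.Seal(nil, hdr, plaintext, hdr)...), nil
}

// Unwrap handles a frame from the network and returns the plaintext for the legacy
// machine only if it was sealed by a registered peer and is not a replay.
func (g *Gateway) Unwrap(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("drop: frame too short")
	}
	hdr := frame[:hdrLen]
	src := binary.BigEndian.Uint32(hdr[0:4])
	seq := binary.BigEndian.Uint64(hdr[4:12])
	p, ok := g.peers[src]
	if !ok {
		return nil, fmt.Errorf("drop: frame claims unregistered gateway %d", src)
	}
	if seq <= p.lastSeq {
		return nil, fmt.Errorf("drop: replayed sequence number %d", seq)
	}
	plaintext, err := p.aead.Open(nil, hdr, frame[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("drop: authentication failed (forged or tampered)")
	}
	p.lastSeq = seq // advance anti-replay state only after the tag verified
	return plaintext, nil
}

func main() {
	key := make([]byte, 16) // demo key; real gateways get per-pair keys from management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	cncGW, plcGW := NewGateway(1), NewGateway(2)
	cncGW.AddPeer(2, key)
	plcGW.AddPeer(1, key)
	f1, _ := cncGW.Wrap(2, []byte("START SPINDLE 1200")) // constructed machine command
	out, err := plcGW.Unwrap(f1)
	fmt.Printf("genuine:  %q err=%v\n", out, err)
	_, err = plcGW.Unwrap(f1) // an attacker re-sends the captured frame
	fmt.Println("replay:  ", err)
}
```

Run with `go run`: the genuine frame decrypts and the replayed copy is dropped; a bit-flipped copy, a frame from a gateway the receiver was never told about, and a header that merely claims a known sender ID all fail in `Unwrap` the same way. Two simplifications to keep in mind when comparing this with IPsec ESP or the thesis's gateways: those use a sliding anti-replay window so that reordered but genuine frames survive, whereas this model insists on strictly increasing sequence numbers, and they derive per-pair keys from an authenticated key exchange rather than static provisioning.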

    AS Domain Tunnelling for User-Selectable Loose Source Routing

    The use of the Internet as a ubiquitous means of e-commerce, social interaction and entertainment is well established. However, despite service diversity, all traffic is treated the same. Although this clearly “works” and is considered “fair” in terms of net neutrality, there are times when it would be particularly beneficial if the end-user could have some control over the path his or her traffic takes, either avoiding geographic regions or exploiting lower-latency options, should they exist. In this research work, we propose to design and evaluate a scheme that allows end-users to selectively exploit a sequence of tunnels along a path from the source to a chosen destination. The availability of such tunnels is advertised centrally through a broker, with the cooperation of the Autonomous System (AS) domains, allowing end-users to use them if so desired. The closest analogy to this scheme is that of a driver choosing to use one or more toll roads along a route to avoid potential congestion or less desirable geographic locations. It thus takes the form of a type of loose source routing. Furthermore, the approach avoids the need for inter-operator cooperation, although such cooperation provides a means of extending tunnels across AS peers. In particular, we aim to ascertain the benefit in terms of delay and reliability for a given degree of tunnel presence within a portion of the Internet. The expectation is that a relatively small number of tunnels may be sufficient to provide worthwhile improvements in performance, at least for some users. Based on this premise, we first design and implement a simulation tool that uses Dijkstra’s Algorithm to calculate the least-cost path(s) for differing percentages of randomly placed intra-AS tunnels. We consider end-to-end delay as the cost metric associated with each route, and a number of experiments have been performed to confirm the improvement in delays using the tunnels. We then consider the inclusion of a small financial cost that the user would be expected to pay in order to use selected tunnels. Details of the payment mechanism are outside the scope of this thesis; however, the financial burden is taken into account when choosing a route. There is thus a trade-off between delay reduction and a financial penalty. First we explore a heuristic approach using a Genetic Algorithm (GA) we create, whereby these conflicting goals are combined into a weighted fitness score associated with the alternative routes, allowing a near-optimal compromise to be found based on the weighting. The downside of this approach is that there is typically a single solution for a given selected weighting. It may be that the user wishes to see the spectrum of alternatives and decide on a suitable “sweet spot” based on their current preferences. As such, we then design, implement and evaluate an end-user path selection tool using a Multi-Objective Evolutionary Algorithm (MOEA). Unlike the GA, this approach presents a set of optimal solutions for different compromises between the performance objectives, which form a Pareto front. This scheme currently takes into account cost and delay but provides an extensible mechanism for other fitness factors to be considered.
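As an added example for this page (not the thesis's simulator, which uses a GA and an MOEA), the Go program below reproduces the two computations the abstract describes on a constructed six-node AS graph: Dijkstra over the inter-AS delay graph with a user-chosen subset of broker-advertised tunnels added as directed low-delay edges, and the delay-versus-price Pareto front obtained by routing every tunnel subset, which is feasible for the handful of tunnels a user would be offered and stands in for the evolutionary search. Node numbers, delays and prices are made up for the demo.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

type (
	Edge  struct{ To int; Delay float64; Tunnel int } // Tunnel < 0: ordinary inter-AS link, else index into Graph.Price
	Graph struct{ Adj [][]Edge; Price []float64 }     // adjacency lists (base links stored both ways) and per-tunnel price
	Route struct{ Delay, Cost float64; Used uint }    // end-to-end delay, price of tunnels traversed, those tunnels as a bitmask
)

func (g *Graph) AddLink(u, v int, delay float64) {
	g.Adj[u] = append(g.Adj[u], Edge{v, delay, -1})
	g.Adj[v] = append(g.Adj[v], Edge{u, delay, -1})
}

// AddTunnel adds a paid one-way tunnel; tunnels are numbered in insertion order.
func (g *Graph) AddTunnel(from, to int, delay, price float64) {
	g.Adj[from] = append(g.Adj[from], Edge{to, delay, len(g.Price)})
	g.Price = append(g.Price, price)
}

// ShortestDelay is Dijkstra from src to dst over the base links plus the tunnels whose
// bit is set in enabled. Delay is the only routing metric; cost and tunnels ride along.
func (g *Graph) ShortestDelay(src, dst int, enabled uint) Route {
	n := len(g.Adj)
	dist, cost := make([]float64, n), make([]float64, n)
	used, done := make([]uint, n), make([]bool, n)
	for i := range dist {
		dist[i] = math.Inf(1)
	}
	dist[src] = 0
	for u := src; u >= 0 && u != dst; { // u is the node being settled
		done[u] = true
		for _, e := range g.Adj[u] {
			picked := e.Tunnel < 0 || enabled&(1<<uint(e.Tunnel)) != 0 // base link, or a tunnel the user selected
			if d := dist[u] + e.Delay; picked && d < dist[e.To] {
				dist[e.To], cost[e.To], used[e.To] = d, cost[u], used[u]
				if e.Tunnel >= 0 {
					cost[e.To] += g.Price[e.Tunnel]
					used[e.To] |= 1 << uint(e.Tunnel)
				}
			}
		}
		u = -1 // next: the unsettled node with the smallest tentative delay, if any
		for i := 0; i < n; i++ {
			if !done[i] && !math.IsInf(dist[i], 1) && (u < 0 || dist[i] < dist[u]) {
				u = i
			}
		}
	}
	return Route{Delay: dist[dst], Cost: cost[dst], Used: used[dst]}
}

// ParetoFront routes every tunnel subset (cheap for the handful a user is offered) and
// keeps the (delay, cost) pairs no other subset beats on both, fastest-and-dearest first.
func (g *Graph) ParetoFront(src, dst int) []Route {
	var cands []Route
	for mask := uint(0); mask < 1<<uint(len(g.Price)); mask++ {
		if r := g.ShortestDelay(src, dst, mask); !math.IsInf(r.Delay, 1) {
			cands = append(cands, r)
		}
	}
	sort.Slice(cands, func(i, j int) bool {
		return cands[i].Delay < cands[j].Delay || (cands[i].Delay == cands[j].Delay && cands[i].Cost < cands[j].Cost)
	})
	front, best := []Route(nil), math.Inf(1) // sorted by delay, so keep only points strictly cheaper than every faster one
	for _, r := range cands {
		if r.Cost < best {
			front, best = append(front, r), r.Cost
		}
	}
	return front
}

// DemoTopology is a constructed six-AS graph (delay in ms, price in arbitrary units), not one from the thesis.
func DemoTopology() *Graph {
	g := &Graph{Adj: make([][]Edge, 6)}
	for _, l := range [][3]float64{{0, 1, 10}, {1, 2, 30}, {2, 5, 10}, {0, 3, 20}, {3, 4, 20}, {4, 5, 20}, {1, 4, 40}} {
		g.AddLink(int(l[0]), int(l[1]), l[2])
	}
	g.AddTunnel(1, 5, 15, 3) // tunnel 0
	g.AddTunnel(0, 4, 12, 2) // tunnel 1
	g.AddTunnel(3, 5, 25, 1) // tunnel 2
	return g
}

func main() {
	for _, r := range DemoTopology().ParetoFront(0, 5) {
		fmt.Printf("delay=%2.0f ms  cost=%.0f  tunnels=%03b\n", r.Delay, r.Cost, r.Used)
	}
}
```

On the demo graph the untunnelled path 0-1-2-5 takes 50 ms for free, and the front has four points (25 ms for 3 units via tunnel 0, 32 ms for 2 via tunnel 1, 45 ms for 1 via tunnel 2, 50 ms for 0), so a user can pick a sweet spot rather than receive the single answer a fixed weighting would give. Dijkstra here still optimises delay alone; the price is only reported, which is why the subset enumeration, and not the routing step, is what produces the trade-off curve.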