Application of NTRU Cryptographic Algorithm for securing SCADA communication

Supervisory Control and Data Acquisition (SCADA) system is a control system which is widely used in Critical Infrastructure System to monitor and control industrial processes autonomously. Most of the SCADA communication protocols are vulnerable to various types of cyber-related attacks. The currently used security standards for SCADA communication specify the use of asymmetric cryptographic algorithms like RSA or ECC for securing SCADA communications. There are certain performance issues with cryptographic solutions of these specifications when applied to SCADA system with real-time constraints and hardware limitations. To overcome this issue, in this thesis we propose the use of a faster and light-weighted NTRU cryptographic algorithm for authentication and data integrity in securing SCADA communication. Experimental research conducted on ARMv6 based Raspberry Pi and Intel Core machine shows that cryptographic operations of NTRU is two to thirty five times faster than the corresponding RSA or ECC. Usage of NTRU algorithm reduces computation and memory overhead significantly making it suitable for SCADA systems with real-time constraints and hardware limitations

Enhanced cryptographic approaches for SCADA network security.

Due to the overwhelming increase in open source code, off-the-shelf software packages, third party and vendor codes, along with the ease of getting information about hacking network security systems and attacking the well known holes in security systems, the problem of having a secure network system is much more difficult than before this boom in technology and information broadcast. What makes the problem even worse is trying to secure a network for real time control, such as a network using supervisory control and data acquisition (SCADA) systems, because now the problem has two faces: securing the real time control system and at the same time keeping the response time of the system in the acceptable range for the transactions\u27 level of service. There is a strong trend to chose security frameworks that have been popular in the e-commerce sites of the web, particularly because they proven to be very mature and secure for more than one and half decades. Examples include the transport level security (TLS) and its predecessor secured socket layer (SSL) framework that is based on the very popular public key cryptography and key distribution algorithms, such as Rivest, Shamir and Adleman (RSA), elliptic curve cryptography (ECC), and Diffie-Hellman. Despite the fact that these algorithms proved to be very powerful against most types of attacks, they are not tailored to secure SCADA networks, and consequently cause a significant degradation in the performance time of real time transactions. This dissertation offers two novel encryption algorithms for securing a SCADA network, the N-Secrecy and the Security Spectrum algorithms. N-Secrecy gave very good results when compared with the SSL; with N-Secrecy performance time in the range of one thousandth of the SSL. The Security Spectrum approach moved the encryption methodology from using numerical representations into using a physical representation based on modeling the conditions of the two communicating parties with a system of non-linear polynomials and then using computer algebra techniques. Both approaches have the potential to significantly enhance the security of commercial SCADA installations

Cyber Security of Critical Infrastructures

Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods

CKMI: Comprehensive Key Management Infrastructure Design for Industrial Automation and Control Systems

Industrial Automation and Control Systems (IACS) are broadly utilized in critical infrastructures for monitoring and controlling the industrial processes remotely. The real-time transmissions in such systems provoke security breaches. Many security breaches have been reported impacting society severely. Hence, it is essential to achieve secure communication between the devices for creating a secure environment. For this to be effective, the keys used for secure communication must be protected against unauthorized disclosure, misuse, alteration or loss, which can be taken care of by a Key Management Infrastructure. In this paper, by considering the generic industrial automation network, a comprehensive key management infrastructure (CKMI) is designed for IACS. To design such an infrastructure, the proposed scheme employs ECDH, matrix method, and polynomial crypto mechanisms. The proposed design handles all the standard key management operations, viz. key generation, device registration, key establishment, key storage, device addition, key revocation, key update, key recovery, key archival, and key de-registration and destruction. The design supports secure communication between the same and different levels of IACS devices. The proposed design can be applied for major industrial automation networks to handle the key management operations. The performance analysis and implementation results highlight the benefits of the proposed design

Quantum Resistant Authenticated Key Exchange for OPC UA using Hybrid X.509 Certificates

While the current progress in quantum computing opens new opportunities in a wide range of scientific fields, it poses a serious threat to today?s asymmetric cryptography. New quantum resistant primitives are already available but under active investigation. To avoid the risk of deploying immature schemes we combine them with well-established classical primitives to hybrid schemes, thus hedging our bets. Because quantum resistant primitives have higher resource requirements, the transition to them will affect resource constrained IoT devices in particular. We propose two modifications for the authenticated key establishment process of the industrial machine-to-machine communication protocol OPC UA to make it quantum resistant. Our first variant is based on Kyber for the establishment of shared secrets and uses either Falcon or Dilithium for digital signatures in combination with classical RSA. The second variant is solely based on Kyber in combination with classical RSA. We modify existing opensource software (open62541, mbedTLS) to integrate our two proposed variants and perform various performance measurement

TD2SecIoT: Temporal, Data-Driven and Dynamic Network Layer Based Security Architecture for Industrial IoT

The Internet of Things (IoT) is an emerging technology, which comprises wireless smart sensors and actuators. Nowadays, IoT is implemented in different areas such as Smart Homes, Smart Cities, Smart Industries, Military, eHealth, and several real-world applications by connecting domain-specific sensors. Designing a security model for these applications is challenging for researchers since attacks (for example, zero-day) are increasing tremendously. Several security methods have been developed to ensure the CIA (Confidentiality, Integrity, and Availability) for Industrial IoT (IIoT). Though these methods have shown promising results, there are still some security issues that are open. Thus, the security and authentication of IoT based applications become quite significant. In this paper, we propose TD2SecIoT (Temporal, Data-Driven and Dynamic Network Layer Based Security Architecture for Industrial IoT), which incorporates Elliptic Curve Cryptography (ECC) and Nth-degree Truncated Polynomial Ring Units (NTRU) methods to ensure confidentiality and integrity. The proposed method has been evaluated against different attacks and performance measures (quantitative and qualitative) using the Cooja network simulator with Contiki-OS. The TD2SecIoT has shown a higher security level with reduced computational cost and time

Security and Privacy in Smart Grid

Smart grid utilizes different communication technologies to enhance the reliability and efficiency of the power grid; it allows bi-directional flow of electricity and information, about grid status and customers requirements, among different parties in the grid, i.e., connect generation, distribution, transmission, and consumption subsystems together. Thus, smart grid reduces the power losses and increases the efficiency of electricity generation and distribution. Although smart grid improves the quality of grid's services, it exposes the grid to the cyber security threats that communication networks suffer from in addition to other novel threats because of power grid's nature. For instance, the electricity consumption messages sent from consumers to the utility company via wireless network may be captured, modified, or replayed by adversaries. As a consequent, security and privacy concerns are significant challenges in smart grid. Smart grid upgrade creates three main communication architectures: The first one is the communication between electricity customers and utility companies via various networks; i.e., home area networks (HANs), building area networks (BANs), and neighbour area networks (NANs), we refer to these networks as customer-side networks in our thesis. The second architecture is the communication between EVs and grid to charge/discharge their batteries via vehicle-to-grid (V2G) connection. The last network is the grid's connection with measurements units that spread all over the grid to monitor its status and send periodic reports to the main control center (CC) for state estimation and bad data detection purposes. This thesis addresses the security concerns for the three communication architectures. For customer-side networks, the privacy of consumers is the central concern for these networks; also, the transmitted messages integrity and confidentiality should be guaranteed. While the main security concerns for V2G networks are the privacy of vehicle's owners besides the authenticity of participated parties. In the grid's connection with measurements units, integrity attacks, such as false data injection (FDI) attacks, target the measurements' integrity and consequently mislead the main CC to make the wrong decisions for the grid. The thesis presents two solutions for the security problems in the first architecture; i.e., the customer-side networks. The first proposed solution is security and privacy-preserving scheme in BAN, which is a cluster of HANs. The proposed scheme is based on forecasting the future electricity demand for the whole BAN cluster. Thus, BAN connects to the electricity provider only if the total demand of the cluster is changed. The proposed scheme employs the lattice-based public key NTRU crypto-system to guarantee the confidentiality and authenticity of the exchanged messages and to further reduce the computation and communication load. The security analysis shows that our proposed scheme can achieve the privacy and security requirements. In addition, it efficiently reduces the communication and computation overhead. According to the second solution, it is lightweight privacy-preserving aggregation scheme that permits the smart household appliances to aggregate their readings without involving the connected smart meter. The scheme deploys a lightweight lattice-based homomorphic crypto-system that depends on simple addition and multiplication operations. Therefore, the proposed scheme guarantees the customers' privacy and message integrity with lightweight overhead. In addition, the thesis proposes lightweight secure and privacy-preserving V2G connection scheme, in which the power grid assures the confidentiality and integrity of exchanged information during (dis)charging electricity sessions and overcomes EVs' authentication problem. The proposed scheme guarantees the financial profits of the grid and prevents EVs from acting maliciously. Meanwhile, EVs preserve their private information by generating their own pseudonym identities. In addition, the scheme keeps the accountability for the electricity-exchange trade. Furthermore, the proposed scheme provides these security requirements by lightweight overhead; as it diminishes the number of exchanged messages during (dis)charging sessions. Simulation results demonstrate that the proposed scheme significantly reduces the total communication and computation load for V2G connection especially for EVs. FDI attack, which is one of the severe attacks that threatens the smart grid's efficiency and reliability, inserts fake measurements among the correct ones to mislead CC to make wrong decisions and consequently impact on the grid's performance. In the thesis, we have proposed an FDI attack prevention technique that protects the integrity and availability of the measurements at measurement units and during their transmission to the CC, even with the existence of compromised units. The proposed scheme alleviates the negative impacts of FDI attack on grid's performance. Security analysis and performance evaluation show that our scheme guarantees the integrity and availability of the measurements with lightweight overhead, especially on the restricted-capabilities measurement units. The proposed schemes are promising solutions for the security and privacy problems of the three main communication networks in smart grid. The novelty of these proposed schemes does not only because they are robust and efficient security solutions, but also due to their lightweight communication and computation overhead, which qualify them to be applicable on limited-capability devices in the grid. So, this work is considered important progress toward more reliable and authentic smart grid

Lightweight cryptographic protocols for mobile devices

Title from PDF of title page viewed June 30, 2020Dissertation advisor: Lein HarnIncludes bibliographical references (pages 146-163)Thesis (Ph.D.)--School of Computing and Engineering. University of Missouri--Kansas City. 2020In recent years, a wide range of resource-constrained devices have been built and integrated into many networked systems. These devices collect and transfer data over the Internet in order for users to access the data or to control these devices remotely. However, the data also may contain sensitive information such as medical records or credit card numbers. This underscores the importance of protecting potentially sensitive data before it is transferred over the network. To provide security services such as data confidentiality and authentication, these devices must be provided with cryptographic keys to encrypt the data. Designing security schemes for resource-limited devices is a challenging task due to the inherit characteristics of these devices which are limited memory, processing power and battery life. In this dissertation, we propose lightweight polynomial-based cryptographic protocols in three environments that encompass resource-constrained devices which are Wireless Sensor Network (WSN), Fog Computing, and Blockchain Network. With polynomial-based schemes, we guarantee high network connectivity due to the existence of a shared pairwise key between every pair of nodes in the network. More importantly, the proposed schemes are lightweight which means they exhibit low memory, processing and communication overheads for resource-constrained devices compared with other schemes. The only problem with polynomial-based schemes is that they suffer from node-captured attacks. That is, when an attacker captured a specific number of nodes, the attacker could compromise the security of the whole network. In this dissertation, we propose, for the first time, polynomial-based schemes with probabilistic security in WSNs. That is, when the attacker captured a specific number of sensor nodes, there is a low probability the attacker could compromised the security of the whole network. We show how we can modify system’s parameters to lower such attacks.Introduction -- Overview of cryptographical key distribution schemes -- Related work -- Wireless Sensor Networks (WSNS) -- Fog computing -- Blockchain Networks -- Conclusion and future wor